
Azure Virtual Desktop documentation


Securely deliver virtual desktops and applications remotely with maximum control to
any device from a flexible cloud virtual desktop infrastructure (VDI) platform. Bring
together Microsoft 365 and Azure to provide users with the only multi-session Windows
11 and Windows 10 experience, with exceptional scale and reduced IT costs.

About Azure Virtual Desktop

OVERVIEW

What is Azure Virtual Desktop?

What's new in Azure Virtual Desktop?

Terminology

Service architecture and resilience

Get started with Azure Virtual Desktop

TUTORIAL

Create and connect to a Windows 11 desktop with Azure Virtual Desktop

GET STARTED

Prerequisites

HOW-TO GUIDE

Deploy Azure Virtual Desktop

Add session hosts to a host pool

Publish applications

Azure Virtual Desktop for users

OVERVIEW

Azure Virtual Desktop for users

Windows App

Remote Desktop clients

GET STARTED

Get started with Windows App to connect to devices and apps

GET STARTED

Connect from the Remote Desktop client

More information

TRAINING

Introduction to Azure Virtual Desktop

More Azure Virtual Desktop learning paths

REFERENCE

Pricing calculator

Reference

REFERENCE

Azure CLI

PowerShell

REST API

Azure Virtual Desktop (classic) documentation

OVERVIEW

Azure Virtual Desktop (classic)

What is Azure Virtual Desktop?
Article • 05/13/2024

Azure Virtual Desktop is a desktop and app virtualization service that runs on Azure.
Here are some of the key highlights:

Deliver a full Windows experience with Windows 11, Windows 10, or Windows
Server. Use single-session to assign devices to a single user, or use multi-session
for scalability.

Offer full desktops or use RemoteApp to deliver individual apps.

Present Microsoft 365 Apps for enterprise, optimized to run in multi-user virtual
scenarios.

Install your line-of-business or custom apps, which you can run from anywhere,
including apps in the Win32, MSIX, and Appx formats.

Deliver Software-as-a-service (SaaS) for external usage.

Replace existing Remote Desktop Services (RDS) deployments.

Manage desktops and apps from different Windows and Windows Server
operating systems with a unified management experience.

Host desktops and apps on-premises in a hybrid configuration with Azure Stack
HCI.

Introductory video
Learn about Azure Virtual Desktop (formerly Windows Virtual Desktop), why it's unique,
and what's new in this video:
https://www.youtube-nocookie.com/embed/aPEibGMvxZw

You can find more videos about Azure Virtual Desktop from Microsoft Mechanics.

Key capabilities
With Azure Virtual Desktop, you can set up a scalable and flexible environment:

Create a full desktop virtualization environment in your Azure subscription without
running any gateway servers.

Flexible configurations to accommodate your diverse workloads.

Bring your own image for production workloads or test from the Azure Gallery.

Reduce costs with pooled, multi-session resources. With the new Windows 11 and
Windows 10 Enterprise multi-session capability, exclusive to Azure Virtual Desktop,
or Windows Server, you can greatly reduce the number of virtual machines and
operating system overhead while still providing the same resources to your users.

Provide individual ownership through personal (persistent) desktops.

Automatically increase or decrease capacity based on time of day, specific days of
the week, or as demand changes with autoscale, helping to manage cost.

You can deploy and manage virtual desktops and applications:

Use the Azure portal, Azure CLI, PowerShell and REST API to create and configure
host pools, application groups, workspaces, assign users, and publish resources.

Publish a full desktop or individual applications from a single host pool, create
individual application groups for different sets of users, or even assign users to
multiple application groups to reduce the number of images.

As you manage your environment, use built-in delegated access to assign roles
and collect diagnostics to understand various configuration or user errors.

Get key insights and metrics about your environment and the users connecting to
it with Azure Virtual Desktop Insights.

Only manage the image and virtual machines you use for the sessions in your
Azure subscription, not the infrastructure. You don't need to personally manage
the supporting infrastructure roles, such as a gateway or broker, like you do with
Remote Desktop Services.

Connect users:

Once assigned, users can connect to their published Windows desktops and
applications using Windows App or the Remote Desktop client. Connect from any
device through either a native application on your device or using a web browser
with the HTML5 web client.

Securely connect users through reverse connections to the service, so you don't
need to open any inbound ports on your session hosts.

Next steps
Here are some other articles to learn about Azure Virtual Desktop:

Learn about terminology used for Azure Virtual Desktop.

You can see a typical architectural setup of Azure Virtual Desktop for the enterprise
in our architecture documentation.

Understand the prerequisites before you deploy Azure Virtual Desktop.

When you're ready to try Azure Virtual Desktop, follow our tutorial to Create and
connect to a Windows 11 desktop with Azure Virtual Desktop, where you can
deploy a sample infrastructure.

Azure Virtual Desktop terminology
Article • 10/22/2024

Important

This content applies to Azure Virtual Desktop with Azure Resource Manager Azure
Virtual Desktop objects. If you're using Azure Virtual Desktop (classic) without
Azure Resource Manager objects, see this article.

Azure Virtual Desktop is a service that gives users easy and secure access to their
virtualized desktops and applications. This article tells you a bit more about the
terminology and general structure of Azure Virtual Desktop.

Host pools
A host pool is a collection of Azure virtual machines that are registered to Azure Virtual
Desktop as session hosts. All session host virtual machines in a host pool should be
sourced from the same image for a consistent user experience. You control the
resources published to users through application groups.

A host pool can be one of two types:

Personal, where each session host is assigned to an individual user. Personal host
pools provide dedicated desktops to end-users that optimize environments for
performance and data separation.

Pooled, where user sessions can be load balanced to any session host in the host
pool. There can be multiple different users on a single session host at the same
time. Pooled host pools provide a shared remote experience to end-users, which
ensures lower costs and greater efficiency.

The following table goes into more detail about the differences between each type of
host pool:

Load balancing
  Personal host pools: User sessions are always load-balanced to the session host the
  user is assigned to. If the user isn't currently assigned to a session host, the user
  session is load balanced to the next available session host in the host pool.
  Pooled host pools: User sessions are load balanced to session hosts in the host pool
  based on user session count. You can choose which load balancing algorithm to use:
  breadth-first or depth-first.

Maximum session limit
  Personal host pools: One.
  Pooled host pools: As configured by the maximum session limit value of the properties
  of a host pool. Under high concurrent connection load, when multiple users connect to
  the host pool at the same time, the number of sessions created on a session host can
  exceed the maximum session limit.

User assignment process
  Personal host pools: Users can either be directly assigned to session hosts or be
  automatically assigned to the first available session host. Users always have sessions
  on the session hosts they're assigned to.
  Pooled host pools: Users aren't assigned to session hosts. After a user signs out and
  signs back in, their user session might get load balanced to a different session host.
  To learn more, see Configure personal desktop assignment.

Scaling
  Personal host pools: Autoscale for personal host pools starts session host virtual
  machines according to schedule or using Start VM on Connect and then
  deallocates/hibernates session host virtual machines based on the user session state
  (log off/disconnect).
  Pooled host pools: Autoscale for pooled host pools turns VMs on and off based on the
  capacity thresholds and schedules the customer defines.

Windows Updates
  Personal host pools: Updated with Windows Updates, Microsoft Configuration Manager, or
  other software distribution configuration tools.
  Pooled host pools: Updated by redeploying session hosts from updated images instead of
  traditional updates.

User data
  Personal host pools: Each user only ever uses one session host, so they can store their
  user profile data on the operating system (OS) disk of the VM.
  Pooled host pools: Users can connect to different session hosts every time they
  connect, so they should store their user profile data in FSLogix.

There are also two management approaches for host pools:

Session host configuration (preview), where Azure Virtual Desktop manages the
lifecycle of session hosts in a host pool for you using a combination of native
features.

Standard, where you manage creating, updating, and scaling session hosts in a
host pool.

For more information, see host pool management approaches.

Validation environment
You can set a host pool to be a validation environment. Validation environments let you
monitor service updates before the service applies them to your production or
non-validation environment. Without a validation environment, you might not discover
changes that introduce errors, which could result in downtime for users in your
production environment.

To ensure your apps work with the latest updates, the validation environment should be
as similar to host pools in your non-validation environment as possible. Users should
connect as frequently to the validation environment as they do to the production
environment. If you automate testing on your host pool, you should include automated
testing on the validation environment.

Application groups
An application group controls access to a full desktop or a logical grouping of
applications that are available on session hosts in a single host pool. Users can be
assigned to multiple application groups across multiple host pools, which enables you to
vary the applications and desktops that users can access.

When you create an application group, it can be one of two types:

Desktop: users access the full Windows desktop from a session host. Available with
pooled or personal host pools.

RemoteApp: users access individual applications you select and publish to the
application group. Available with pooled host pools only.

With pooled host pools, you can assign both application group types to the same host
pool at the same time. You can only assign a single desktop application group per host
pool, but you can also assign multiple RemoteApp application groups to the same host
pool.

Host pools have a preferred application group type setting. If an end user has both a
desktop and RemoteApp application groups assigned to them on the same host pool,
they only see the resources from the preferred application group type. Users assigned to
multiple RemoteApp application groups assigned to the same host pool have access to
an aggregate of all the applications in the application groups they're assigned to.

To learn more about application groups, see Preferred application group type behavior
for pooled host pools.

Workspaces
A workspace is a logical grouping of application groups. Each application group must be
associated with a workspace for users to see the desktops and applications published to
them. An application group can only be assigned to a single workspace.
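
As an added illustration (not Microsoft's code or API), the following Python model encodes the rules stated in the application groups and workspaces sections above: RemoteApp application groups only on pooled host pools, one desktop application group per host pool, one workspace per application group, resources visible to a user only through a workspace, and the host pool's preferred application group type deciding what a user assigned both types sees, with multiple RemoteApp groups on one host pool aggregating. Host pool, workspace, user and application names are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed model of the host pool / application group / workspace rules
# described in the terminology article. Names such as "hp-pooled" are made up.

DESKTOP, REMOTEAPP = "Desktop", "RemoteApp"


class ModelError(ValueError):
    """Raised when an operation breaks one of the documented constraints."""


@dataclass
class HostPool:
    name: str
    kind: str                                # "personal" or "pooled"
    preferred_app_group_type: str = DESKTOP  # type shown when a user has both on this pool


@dataclass
class ApplicationGroup:
    name: str
    kind: str                      # DESKTOP or REMOTEAPP
    host_pool: HostPool
    resources: Set[str] = field(default_factory=set)  # published apps
    users: Set[str] = field(default_factory=set)
    workspace: Optional[str] = None  # an application group belongs to at most one workspace

    def __post_init__(self) -> None:
        if self.kind == DESKTOP:
            self.resources = {"Session desktop"}   # a desktop group publishes the full desktop


class Tenant:
    def __init__(self) -> None:
        self.host_pools: Dict[str, HostPool] = {}
        self.app_groups: Dict[str, ApplicationGroup] = {}

    def add_host_pool(self, pool: HostPool) -> None:
        self.host_pools[pool.name] = pool

    def add_app_group(self, group: ApplicationGroup) -> None:
        pool = group.host_pool
        if group.kind == REMOTEAPP and pool.kind != "pooled":
            raise ModelError(f"RemoteApp groups need a pooled host pool; {pool.name} is {pool.kind}")
        if group.kind == DESKTOP and any(
            g.kind == DESKTOP and g.host_pool is pool for g in self.app_groups.values()
        ):
            raise ModelError(f"{pool.name} already has a desktop application group")
        self.app_groups[group.name] = group

    def assign_workspace(self, group_name: str, workspace: str) -> None:
        group = self.app_groups[group_name]
        if group.workspace not in (None, workspace):
            raise ModelError(f"{group_name} is already in workspace {group.workspace}")
        group.workspace = workspace

    def feed(self, user: str) -> Dict[str, Set[str]]:
        """Resources the user would see, keyed by host pool name."""
        by_pool: Dict[str, List[ApplicationGroup]] = {}
        for g in self.app_groups.values():
            # resources reach a user only through a workspace
            if user in g.users and g.workspace is not None:
                by_pool.setdefault(g.host_pool.name, []).append(g)
        result: Dict[str, Set[str]] = {}
        for pool_name, groups in by_pool.items():
            preferred = self.host_pools[pool_name].preferred_app_group_type
            if len({g.kind for g in groups}) > 1:
                # both types on one host pool: only the preferred type is shown
                groups = [g for g in groups if g.kind == preferred]
            # several RemoteApp groups on the same host pool aggregate
            result[pool_name] = set().union(*(g.resources for g in groups))
        return result


def rejects(tenant: Tenant, group: ApplicationGroup) -> bool:
    """True if the tenant refuses the application group under the documented rules."""
    try:
        tenant.add_app_group(group)
    except ModelError:
        return True
    return False


def build_demo() -> Tenant:
    t = Tenant()
    pooled = HostPool("hp-pooled", "pooled", preferred_app_group_type=REMOTEAPP)
    personal = HostPool("hp-personal", "personal")
    t.add_host_pool(pooled)
    t.add_host_pool(personal)
    t.add_app_group(ApplicationGroup("dag-pooled", DESKTOP, pooled, users={"alice"}))
    t.add_app_group(ApplicationGroup("rag-office", REMOTEAPP, pooled,
                                     resources={"Word", "Excel"}, users={"alice", "bob"}))
    t.add_app_group(ApplicationGroup("rag-tools", REMOTEAPP, pooled,
                                     resources={"Notepad"}, users={"alice"}))
    t.add_app_group(ApplicationGroup("dag-personal", DESKTOP, personal, users={"alice"}))
    for name in ("dag-pooled", "rag-office", "rag-tools"):
        t.assign_workspace(name, "ws-main")
    # dag-personal is deliberately left out of any workspace, so alice does not see it
    return t


if __name__ == "__main__":
    tenant = build_demo()
    print(tenant.feed("alice"))   # only the preferred (RemoteApp) resources on hp-pooled
    print(tenant.feed("bob"))
```

The model validates before it mutates, so a rejected application group leaves the tenant unchanged; that matters in a script that builds many groups in one pass.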

End users
After you assign users to their application groups, they can connect to an Azure Virtual
Desktop deployment with any of the Azure Virtual Desktop clients.

User sessions
In this section, we cover each of the three types of user sessions that end users can
have.

Active user session

A user session is considered active when a user signs in and connects to their desktop or
RemoteApp resource.

Disconnected user session

A disconnected user session is an inactive session that the user hasn't signed out of yet.
When a user closes the remote session window without signing out, the session
becomes disconnected. When a user reconnects to their remote resources, they're
redirected to their disconnected session on the session host they were working on. At
this point, the disconnected session becomes an active session again.

Pending user session

A pending user session is a placeholder session that reserves a spot on the
load-balanced virtual machine for the user. Because the sign-in process can take anywhere
from 30 seconds to five minutes depending on the user profile, this placeholder session
ensures that the user isn't kicked out of their session if another user completes their
sign-in process first.
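
The load balancing and maximum session limit rows of the host pool table, together with the disconnected and pending session behaviour described in this section, can be made concrete with a small model. This is an added example, not the service's code. It assumes breadth-first means placing a new session on the host with the fewest sessions and depth-first means filling the busiest host that is still under its maximum session limit (this page only names the two algorithms), that a pending placeholder counts toward a host's load, and that a returning user is sent back to the host holding their disconnected session rather than being load balanced again. Host names, limits and user names are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed model of pooled host pool load balancing (not the Azure Virtual
# Desktop service's code). Host names, limits and user names are made up.

PENDING, ACTIVE, DISCONNECTED = "pending", "active", "disconnected"


@dataclass
class SessionHost:
    name: str
    max_session_limit: int
    sessions: Dict[str, str] = field(default_factory=dict)  # user -> session state

    @property
    def load(self) -> int:
        # pending and disconnected sessions occupy a slot just like active ones
        return len(self.sessions)

    def has_room(self) -> bool:
        return self.load < self.max_session_limit


class NoCapacityError(RuntimeError):
    """Every session host in the pool is at its maximum session limit."""


class PooledHostPool:
    def __init__(self, hosts: List[SessionHost], algorithm: str = "breadth-first") -> None:
        if algorithm not in ("breadth-first", "depth-first"):
            raise ValueError(f"unknown load balancing algorithm: {algorithm}")
        self.hosts = list(hosts)
        self.algorithm = algorithm

    def find_session(self, user: str) -> Optional[SessionHost]:
        return next((h for h in self.hosts if user in h.sessions), None)

    def pick_host(self) -> SessionHost:
        candidates = [h for h in self.hosts if h.has_room()]
        if not candidates:
            raise NoCapacityError("all session hosts are at their maximum session limit")
        if self.algorithm == "breadth-first":
            return min(candidates, key=lambda h: h.load)   # spread: fewest sessions wins
        return max(candidates, key=lambda h: h.load)       # pack: busiest host under its limit

    def connect(self, user: str) -> SessionHost:
        existing = self.find_session(user)
        if existing is not None:
            # a disconnected session is resumed on the same host, not load balanced again
            existing.sessions[user] = ACTIVE
            return existing
        host = self.pick_host()
        host.sessions[user] = PENDING   # placeholder reserves the slot while sign-in runs
        return host

    def complete_sign_in(self, user: str) -> None:
        host = self.find_session(user)
        if host is None or host.sessions[user] != PENDING:
            raise LookupError(f"{user} has no pending session")
        host.sessions[user] = ACTIVE

    def disconnect(self, user: str) -> None:
        host = self.find_session(user)
        if host is None:
            raise LookupError(f"{user} has no session")
        host.sessions[user] = DISCONNECTED   # the session is kept for the user's return

    def sign_out(self, user: str) -> None:
        host = self.find_session(user)
        if host is not None:
            del host.sessions[user]           # the slot is released

    def loads(self) -> List[int]:
        return [h.load for h in self.hosts]


def distribute(algorithm: str, users: int = 4) -> List[int]:
    """Sessions per host after `users` users sign in to three hosts with a limit of 2."""
    pool = PooledHostPool([SessionHost(f"sh-{i}", 2) for i in range(3)], algorithm)
    for n in range(users):
        pool.connect(f"user{n}")
        pool.complete_sign_in(f"user{n}")
    return pool.loads()


def pending_reservation() -> List[str]:
    """Two users sign in at once; the pending placeholder keeps the second off the first's slot."""
    pool = PooledHostPool([SessionHost("sh-0", 1), SessionHost("sh-1", 1)], "depth-first")
    first = pool.connect("alice")    # pending on sh-0, which is now full
    second = pool.connect("bob")     # must go to sh-1
    pool.complete_sign_in("bob")     # bob finishes first; alice's slot is untouched
    pool.complete_sign_in("alice")
    return [first.name, second.name]


def reconnect_same_host() -> Tuple[str, str, List[int]]:
    """A returning user lands on the host that still holds their disconnected session."""
    pool = PooledHostPool([SessionHost(f"sh-{i}", 2) for i in range(2)])
    for user in ("carol", "dave"):            # carol -> sh-0, dave -> sh-1
        pool.connect(user)
        pool.complete_sign_in(user)
    pool.disconnect("carol")                  # still counts toward sh-0's load
    pool.connect("erin")
    pool.complete_sign_in("erin")             # loads are [1, 1]; the tie goes to sh-0
    host = pool.connect("carol")              # back to sh-0, no new session created
    return host.name, host.sessions["carol"], pool.loads()


if __name__ == "__main__":
    print("breadth-first:", distribute("breadth-first"))
    print("depth-first:", distribute("depth-first"))
    print("pending:", pending_reservation())
    print("reconnect:", reconnect_same_host())
```

The model enforces the maximum session limit strictly; the table above notes that under high concurrent connection load the real service can create more sessions on a host than the limit, so treat the limit as a target rather than a hard guarantee when sizing hosts.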

Next step
Learn about Azure Virtual Desktop service architecture and resilience.



Azure Virtual Desktop service architecture and resilience
Article • 10/23/2023

Azure Virtual Desktop is designed to provide a resilient, reliable, and secure service for
organizations and users. The architecture of Azure Virtual Desktop comprises many
components that make up the service connecting users to their desktops and apps.
Most components are Microsoft-managed, but some are customer-managed or
partner-managed.

Microsoft provides the virtual desktop infrastructure (VDI) components for core
functionality as a service. These components include:

Web service: the user-facing website and endpoint; it returns the connection
information to the user's device.
Broker service: orchestrates incoming connections.
Gateway service: a websocket service that provides the Remote Desktop Protocol
(RDP) connectivity from a user's device wherever they're connecting from to the
session hosts providing their desktops and apps.
Resource directory: provides information to instruct the web service which of the
multiple geographical databases hosts the connection information required for
each user.
Geographical database: contains the connection files (.rdp) and icons for every
resource that a user has been provisioned.

In addition, Azure Virtual Desktop uses other global Azure services, such as Azure Traffic
Manager and Azure Front Door to direct users to their closest Azure Virtual Desktop
entry points.

You're responsible for creating and managing session hosts, including any operating
system image customizations and applications, virtual network connectivity, the
resiliency, and the backup and recovery of those session hosts. You also provide and
manage user identities and control access to the service. You can use other Azure
services to help you meet your requirements, such as:

Azure availability zones to distribute your session hosts across physically
separate datacenter locations within an Azure region, each with independent
power, cooling, and networking.
Azure Backup to back up and restore your session hosts.
Azure Site Recovery to replicate your session hosts to another Azure region.
Azure Advisor to help you optimize your Azure resources.

This high-level diagram shows the components and responsibilities:

[Diagram: Microsoft-managed components (web service, broker service, gateway service,
resource directory, geographical database) and customer-managed components (session
hosts, user identities).]

User connections
When a user wants to access their desktops and apps in Azure Virtual Desktop, multiple
components are involved in making that connection successful. There are two separate
sequences:

1. Feed discovery. The feed is the list of desktops and apps that are available to the
user.
2. A connection over the Remote Desktop Protocol to a session host.

Feed discovery
During feed discovery, the desktops and apps available to the user are populated in the
app on their local device. The feed contains all the information needed to connect.

The feed discovery process is as follows:

1. The user might be located anywhere in the world. Azure Traffic Manager routes the
user's device to the closest instance of the Azure Virtual Desktop web service
based on the geographic traffic-routing method, which uses source IP address of
the user's device.

2. The web service connects to the Azure Virtual Desktop broker service in the same
Azure region to retrieve the RDP files and application icons for the user's feed. The
broker service connects to the Azure Virtual Desktop geographical database and
resource directory in the same region to retrieve the information.

3. The broker service returns the RDP files and application icons to the web service,
which returns the information to the user's device.

Here's a high-level diagram showing the feed discovery process in a single Azure
region:

[Diagram: feed discovery in a single Azure region. Azure Traffic Manager routes the
client to the web service (1), which queries the broker service (2); the broker service
reads the resource directory and the geographical database.]

The geographical database only contains the information required for desktops
and apps from host pools in the same Azure regions covered by the geography. If
the user is assigned to desktops or apps from a host pool that is covered by a
different geography, the resource directory tells the web service to connect to the
broker service and geographical database in the correct Azure region.

Here's a high-level diagram showing the feed discovery process for a host pool in
an Azure region that's covered by a different geography:
[Diagram: feed discovery across geographies. In Region 1, Azure Traffic Manager routes
the client to the web service, which consults the broker service and resource directory;
the resource directory points the web service to the broker service and geographical
database in Region 2.]

RDP connection
When a user connects to a desktop or app from their feed, the RDP connection is
established as follows:

1. All remote sessions begin with a connection to Azure Front Door, which provides
the global entry point to Azure Virtual Desktop. Azure Front Door determines the
Azure Virtual Desktop gateway service with the lowest latency for the user's device
and directs the connection to it.

2. The gateway service connects to the broker service in the same Azure region. The
gateway service enables session hosts to be in any region and still be accessible to
users.

3. The broker service takes over and orchestrates the connection between the user's
device and the session host. The broker service instructs the Azure Virtual Desktop
agent running on the session host to connect to the same gateway service that the
user's device has connected through.

4. At this point, one of two connection types is made, depending on the
configuration and available network protocols:

a. Reverse connect transport: after both client and session host connected to the
gateway service, it starts relaying the RDP traffic using Transmission Control
Protocol (TCP) between the client and session host. Reverse connect transport is
the default connection type.

b. RDP Shortpath: a direct User Datagram Protocol (UDP)-based transport is
created between the user's device and the session host, bypassing the gateway
service.

Here's a high-level diagram showing the RDP connection process:

[Diagram: RDP connection in one Azure region. The client connects through Azure Front
Door to the gateway service over TCP; the gateway service works with the broker service
and relays RDP traffic to the session host. RDP Shortpath for managed networks and RDP
Shortpath for public networks provide direct UDP transport between the client and the
session host.]

Tip

You can find more detailed technical information about network connectivity at
Understanding Azure Virtual Desktop network connectivity and RDP Shortpath
for Azure Virtual Desktop.

Service resilience
Azure Virtual Desktop is designed to be resilient to failures and provide a reliable service
to users. The service is designed to be resilient to failures of individual components, and
to be able to recover from failures quickly.

The Microsoft-managed components of Azure Virtual Desktop are currently located in
around 40 Azure regions to be closer to users and provide a resilient service. Resiliency
has been implemented globally, geographically, and within an Azure region in the
following ways:

Azure Traffic Manager directs traffic for the web service and Azure Front Door
directs traffic for the gateway service. If there's an outage that causes the web
service or gateway service to be unavailable from one Azure region, or there's a full
region outage, traffic is redirected to the next closest available instance in the
nearest region. Redirection of the traffic enables users to still make new
connections.

The geographical database uses Azure SQL Database failover and data
replication capabilities within each geography. If there's a database outage, the
database fails over to the secondary replica and normal operation resumes. During
failover, there's a short period of time where new connections fail until failover is
complete, however this failover doesn't affect existing connections.

The resource directory, broker service, web service, and gateway service are all
available in each of the Azure regions where the Microsoft-managed components
for Azure Virtual Desktop are located. Each component has multiple instances so
that there isn't a single point of failure. Within each Azure region, there are at least
six distinct and separate instances or clusters of each component that operate
independently to withstand instance failures.

For example, a region has enough instances of the gateway service to meet
demand, but also with enough capacity to also accommodate failures of those
instances. If an instance of the gateway service fails, any TCP-based RDP
connections that are being relayed through that particular instance of the gateway
service are dropped. When those disconnected users reconnect, the remaining
instances handle requests and reconnect each user to their existing session. All
other sessions handled by other instances of the gateway service are unaffected.

Here's a high-level diagram showing how the Microsoft-managed components are
interconnected:

[Diagram: two Azure regions, each with its own web service, broker service, gateway
service, resource directory, and geographical database. Clients reach the web service
through Azure Traffic Manager and the gateway service through Azure Front Door over
TCP; RDP Shortpath provides UDP paths to the session host for managed and public
networks. The geographical databases in the two regions are linked by SQL
geo-replication.]

The other Azure services on which Azure Virtual Desktop relies are themselves designed
to be resilient and reliable. For more information, see Azure Traffic Manager and Azure
Front Door.

Global reach
Azure Virtual Desktop is a service that can help organizations adapt to the demands of
their workers, particularly working remotely. It provides a secure, reliable, and flexible
way to deliver desktops and applications virtually anywhere. Azure Virtual Desktop is
designed to be resilient, using Azure features and services that help ensure a highly
available service for your workloads.

Here's a map demonstrating the global reach of Azure Virtual Desktop:

Related content
To learn about the locations where Azure Virtual Desktop stores data for service objects,
see Data locations for Azure Virtual Desktop.



What's new in Azure Virtual Desktop?
Article • 10/18/2024

Azure Virtual Desktop updates regularly. This article is where you find out about:

The latest updates
New features
Improvements to existing features
Bug fixes

Make sure to check back here often to keep up with new updates.

Tip

See What's new in documentation, where we highlight new and updated articles
for Azure Virtual Desktop.

October 2024
Here's what changed in October 2024:

Windows 11, version 24H2 images are now available in Azure Marketplace
Images for Windows 11 Enterprise, version 24H2 and Windows 11 Enterprise
multi-session, version 24H2 are now available in the Azure Marketplace. These images also
include versions with Microsoft 365 apps. The Azure portal will be updated later this
month to allow the convenient selection of 24H2 images when creating session hosts
from within the Azure Virtual Desktop service.

For information about configuring languages other than English, see Install
language packs on Windows 11 Enterprise VMs in Azure Virtual Desktop.

September 2024
Here's what changed in September 2024:

Relayed RDP Shortpath (TURN) for public networks is now available
This enhancement allows UDP connections via relays using the Traversal Using Relays
around NAT (TURN) protocol, extending the functionality of RDP Shortpath on public
networks for everyone.

For detailed configuration guidance, including prerequisites and default configurations,
see Configure RDP Shortpath for Azure Virtual Desktop.

Windows App is now available
Windows App is now generally available on Windows, macOS, iOS, iPadOS, and web
browsers, and in preview on Android. You can use it to connect to Azure Virtual Desktop,
Windows 365, Microsoft Dev Box, Remote Desktop Services, and remote PCs, securely
connecting you to Windows devices and apps. To learn more about what each platform
supports, see Compare Windows App features across platforms and devices. Windows
App is now available through the appropriate store for each client platform, ensuring a
smooth update process.

For more information, see What is Windows App? and Windows App get started.

Enabling HEVC GPU acceleration for Azure Virtual Desktop is now in preview
High Efficiency Video Coding (H.265) hardware acceleration is currently in preview.
Azure Virtual Desktop supports graphics processing unit (GPU) acceleration for frame
encoding, which improves the graphical experience when using the Remote Desktop
Protocol (RDP) with a GPU-enabled virtual machine. GPU acceleration is crucial for
delivering high-fidelity graphical experiences in graphics-intensive applications, such
as those used by graphic designers, video editors, and 3D modelers.

For more information, see Enable GPU acceleration for Azure Virtual Desktop.

August 2024
Here's what changed in August 2024:

Configure the session lock behavior for Azure Virtual Desktop is now available
You can choose whether the session is disconnected or the remote lock screen is shown
when a remote session is locked, either by the user or by policy. When the session lock
behavior is set to disconnect, a dialog is shown to let users know they were
disconnected. Users can choose the Reconnect option from the dialog when they're
ready to connect again.

For more information, see Configure the session lock behavior for Azure Virtual Desktop.

Configuring the clipboard transfer direction in Azure Virtual Desktop is now available
Clipboard redirection in Azure Virtual Desktop allows users to copy and paste content
between the user's local device and the remote session in either direction. You might
want to limit the direction of the clipboard for users, to help prevent data exfiltration or
malicious files being copied to a session host. You can configure whether users can use
the clipboard from session host to client, or client to session host, and the types of data
that can be copied.

For more information, see Configure the clipboard transfer direction in Azure Virtual
Desktop.

Microsoft Purview forensic evidence is now compatible with Azure Virtual Desktop
Forensic evidence is an opt-in add-on feature in Insider Risk Management that gives
security teams visual insights into potential insider data security incidents, with user
privacy built in. Microsoft Purview Insider Risk Management correlates various signals to
identify potential malicious or inadvertent insider risks, such as IP theft, data leakage
and security violations. Insider risk management enables customers to create policies to
manage security and compliance.

For more information, see Learn about insider risk management forensic evidence.

Support for FIDO devices and passkeys on macOS and iOS is now available
Windows App and the Remote Desktop app now support FIDO devices and passkeys for
Microsoft Entra ID sign in on macOS and iOS.

For more information, see Azure Virtual Desktop identities and authentication.

New Microsoft Teams can be installed on an image using custom image templates
New Teams has replaced classic Teams when using custom image templates. When
updating an existing template, classic Teams is replaced by new Teams. No action is
required. When reusing an existing template which references classic Teams, it's updated
to new Teams by Microsoft.

For more information, see End of availability for classic Teams client.

July 2024
Here's what changed in July 2024:

New Teams available on Windows Enterprise multi-session images with Microsoft 365
apps pre-installed
Our Windows Enterprise multi-session images with Microsoft 365 apps have been
updated with the new Teams app pre-installed. Users accessing newly provisioned
session hosts with the latest images, updated late July, enjoy the new experience. Learn
more about What's changing in the new Microsoft Teams.

Learn more about Windows Enterprise multi-session in our FAQ.

June 2024
Here's what changed in June 2024:

Configuring the default chroma value for Azure Virtual Desktop is now in preview
The chroma value determines the color space used for encoding. By default, the chroma
value is set to 4:2:0, which provides a good balance between image quality and network
bandwidth. You can increase the default chroma value to 4:4:4 to improve image quality.
You don't need to use GPU acceleration to change the default chroma value.

For more information, see Configure default chroma value for Azure Virtual Desktop.

New Teams SlimCore changes are now available in preview
Microsoft Teams on Azure Virtual Desktop supports chat and collaboration. With media
optimizations, it also supports calling and meeting functionality by redirecting it to the
local device when using Windows App or the Remote Desktop client on a supported
platform.

There are two versions of Teams, Classic Teams and New Teams, and you can use either
with Azure Virtual Desktop. New Teams has feature parity with Classic Teams, and
improves performance, reliability, and security.

New Teams can use either SlimCore or the WebRTC Redirector Service. SlimCore is
available in preview and you need to opt in to the preview to use it. If you use SlimCore,
you should also install the WebRTC Redirector Service. This allows a user to fall back to
WebRTC, such as if they roam between different devices that don't support the new
optimization architecture. For more information about SlimCore and how to opt into the
preview, see New VDI solution for Teams.

For more information, see Use Microsoft Teams on Azure Virtual Desktop.

Preferred application group type behavior for pooled host pools in Azure Virtual Desktop
has been updated
An application group is a logical grouping of applications that are available on session
hosts in a host pool. Application groups control whether a full desktop, or which
applications from a host pool, are available for users to connect to. An application group
can only be assigned to a single host pool, but you can assign multiple application
groups to the same host pool. Users can be assigned to multiple application groups
across multiple host pools, which enables you to vary the applications and desktops that
users can access.

For more information, see Preferred application group type behavior for pooled host
pools in Azure Virtual Desktop.

Additional data and metrics for Connection Reliability for Azure Virtual Desktop is now available
Using Azure Virtual Desktop Insights can help you understand your deployments of
Azure Virtual Desktop. It can help with checks such as which client versions are
connecting, opportunities for cost saving, or knowing if you have resource limitations or
connectivity issues.

The reliability of a connection can have a significant impact on the end-user experience.
Azure Virtual Desktop Insights can help you understand disconnection events and
correlations between errors that affect end users.
For more information and instructions, see Use cases for Azure Virtual Desktop Insights.

RDP Shortpath configuration in host pool settings
You can granularly control how RDP Shortpath is used by configuring the networking
settings of a host pool using the Azure portal or Azure PowerShell. Configuring RDP
Shortpath on the host pool enables you to optionally set which of the four RDP
Shortpath options you want to use and is used alongside the session host configuration.

For more information, see Configure RDP Shortpath for Azure Virtual Desktop.

Adding and managing app attach applications in Azure Virtual Desktop is now available
App attach enables you to dynamically attach applications from an application package
to a user session in Azure Virtual Desktop. Applications aren't installed locally on session
hosts or images, making it easier to create custom images for your session hosts, and
reducing operational overhead and costs for your organization. Delivering applications
with app attach also gives you greater control over which applications your users can
access in a remote session.

For more information and instructions, see Add and manage app attach and MSIX app
attach applications.

May 2024
Here's what changed in May 2024:

New Microsoft Teams now pre-installed in Windows 11 multi-session with Microsoft 365 Apps gallery images
Images for Windows 11 multi-session with Microsoft 365 Apps in the Azure Marketplace
now come with the new Microsoft Teams pre-installed (not Teams (Classic)). This applies
to Windows 11 Enterprise multi-session 23H2 and 22H2.

Configuring client device redirection for Windows App and the Remote Desktop app using Microsoft Intune is now in preview
You can now use Microsoft Intune to configure client device redirection settings for
Windows App and the Remote Desktop app in preview. IT admins can configure
different redirection scenarios based on group membership and whether the device is
managed by Intune or unmanaged. Additional capabilities include the ability to check
and restrict access to Azure Virtual Desktop based on criteria such as OS version,
allowed app (Windows App or the Remote Desktop app), allowed app version number,
whether a threat is detected by Mobile Threat Defense (MTD), the device is
jailbroken/rooted, and more.

For more information, see Configure client device redirection settings for Windows App
and the Remote Desktop app using Microsoft Intune.

Hibernate support for session hosts in a personal host pool is generally available
Deploying session hosts in a personal host pool with hibernate support is now generally
available. With hibernate support, you can pause session hosts you aren't using. For
more information, see Hibernating Windows virtual machines.

Hibernate support for autoscale is generally available
Autoscale support for virtual machines that use hibernate is generally available, enabling
session hosts to be scaled automatically while preserving their state. For more
information, see Autoscale scaling plans and example scenarios in Azure Virtual Desktop
and Hibernating virtual machines.

Support for Trusted Launch virtual machines in Azure Government and Azure operated by 21Vianet
Trusted Launch virtual machines are now available in Azure Government and Azure
operated by 21Vianet. Deploying Trusted Launch virtual machines in your Azure Virtual
Desktop environment improves the security posture of your session hosts by helping
protect against advanced and persistent attack techniques. You can select Trusted
Launch when you create a new host pool with machines or add a new virtual machine to
an existing host pool.

For more information about the benefits of Trusted Launch, see our Trusted Launch
documentation.

April 2024
Here's what changed in April 2024:

Updated the administrative template for Watermarking in Intune and Group Policy
The administrative template for Azure Virtual Desktop now includes updated template
settings for watermarking, which are available in Microsoft Intune and Group Policy. For
more information, along with instructions, see Enable watermarking and

Autoscale and Start VM on Connect for Azure Virtual Desktop on Azure Stack HCI is in preview
Autoscale and Start VM on Connect are now available for session hosts running on
Azure Stack HCI in preview. Autoscale lets you scale your session host virtual machines
in a host pool up or down according to a schedule to optimize deployment costs. Start
VM on Connect lets you reduce costs by enabling end users to turn on their session
host virtual machines only when they need them so you can power them off when
they're not needed.

For more information, see Autoscale scaling plans and example scenarios in Azure
Virtual Desktop and Set up Start VM on Connect.

March 2024
Here's what changed in March 2024:

ms-avd Uniform Resource Identifier (URI) scheme for Azure Virtual Desktop with the Remote Desktop client now generally available
The Uniform Resource Identifier (URI) scheme ms-avd, which is used to invoke the
Remote Desktop client with specific commands, parameters, and values designed for
using Azure Virtual Desktop, is now generally available. For example, you can use a URI
to subscribe to a workspace or connect to a particular desktop or RemoteApp.

For more information and examples, see Uniform Resource Identifier schemes with the
Remote Desktop client for Azure Virtual Desktop.

Every time sign-in frequency Conditional Access option is now in preview
Using Microsoft Entra sign-in frequency with Azure Virtual Desktop prompts users to
reauthenticate when launching a new connection after a period of time. You can now
require reauthentication after a shorter period of time.

For more information, see Configure sign-in frequency.

Configuring the clipboard transfer direction is now in preview
Clipboard redirection in Azure Virtual Desktop allows users to copy and paste content in
either direction between the user's local device and the remote session. However, in
some scenarios you might want to limit the direction of the clipboard for users to
prevent data exfiltration or copying malicious files to a session host. You can configure
users to only be able to use the clipboard to copy data from session host to client or
client to session host, as well as what kind of data they can copy.

For more information, see Configure the clipboard transfer direction in Azure Virtual
Desktop.

Azure Proactive Resiliency Library (APRL) for Azure Virtual Desktop workload now available
The APRL now has recommendations for Azure Virtual Desktop, which can help you
meet resiliency targets for your applications through a holistic self-serve resilience
experience. APRL recommendations cover Azure Virtual Desktop requirements and
definitions, letting you run automated configuration checks against workload
requirements. APRL also contains supporting Azure Resource Graph queries that you
can use to identify resources that aren't fully compliant with APRL guidance and
recommendations.

For more information about these recommendations, see the Azure Proactive Resiliency
Library (APRL).

February 2024
Here's what changed in February 2024:

Azure Virtual Desktop for Azure Stack HCI now generally available
Azure Virtual Desktop for Azure Stack HCI extends the capabilities of the Microsoft
Cloud to your datacenters. Bringing the benefits of Azure Virtual Desktop and Azure
Stack HCI together, organizations can securely run virtualized desktops and apps on-
premises in their datacenter and at the edges of their organization. This versatility is
especially useful for organizations with data residency and proximity requirements or
latency-sensitive workloads.

For more information, see Azure Virtual Desktop for Azure Stack HCI now available!

New Azure Virtual Desktop web client is now available
We've updated the Azure Virtual Desktop web client to the new web client. All users
automatically migrate to this new version of the web client to access their resources.

For more information about the new features available in the new web client, see Use
features of the Remote Desktop Web client.

January 2024
There were no major releases or new features in January 2024.

December 2023
Here's what changed in December 2023:

New app attach features for Azure Virtual Desktop in preview
The preview of app attach is now available. App attach brings many benefits over MSIX
app attach, including assigning applications per user, using the same application
package across multiple host pools, upgrading applications, and being able to run two
versions of the same application concurrently on the same session host.

For more information, see New app attach features for Azure Virtual Desktop in
preview and MSIX app attach and app attach in Azure Virtual Desktop.

The new Microsoft Teams desktop client is now generally available to use with Azure Virtual Desktop
The new Microsoft Teams desktop client is now generally available to use with Azure
Virtual Desktop. The new Teams desktop client has feature parity with the classic Teams
app and improved performance, reliability, and security.

For more information, see Use Microsoft Teams on Azure Virtual Desktop.

November 2023
Here's what changed in November 2023:

Administrators can now easily start, stop, and restart session hosts
You can now stop, start and restart session hosts directly in the Azure portal. You can
also choose whether to perform the operation on a single session host or on multiple
session hosts in your host pool at the same time.

Use community images and directed shared images when deploying session hosts
You can now select community images and directed shared images to use for your
session hosts when you deploy Azure Virtual Desktop in the Azure portal, add session
hosts to a host pool, or create custom images.

Community images and associated publisher information aren't verified or tested by
Microsoft, so make sure to verify any custom images you deploy using this method.

For more information on preparing, storing and sharing images to be used to create
virtual machines, see Store and share VM images in a compute gallery.

Windows 11 version 23H2 and 22H2 images added to the Azure Marketplace
Windows 11 Enterprise multi-session, versions 23H2 and 22H2 with Microsoft 365 apps
preinstalled are now available in the Azure Marketplace. You can use these images when
you deploy Azure Virtual Desktop in the Azure portal, add session hosts to a host pool,
or create custom images.

Autoscale for personal host pools is generally available
Autoscale lets you scale your session host virtual machines (VMs) in a host pool up or
down according to a schedule, optimizing deployment costs.

For more information, see Autoscale scaling plans and example scenarios in Azure
Virtual Desktop.

Hibernate support for autoscale is in preview
Autoscale can now use the hibernate feature in preview, which can pause session hosts
you aren't using. For more information, see Autoscale scaling plans and example
scenarios in Azure Virtual Desktop and Hibernating virtual machines.

Updated preview of Azure Virtual Desktop on Azure Stack HCI
We've updated the preview of Azure Virtual Desktop on Azure Stack HCI. You can now
deploy Azure Virtual Desktop with your session hosts on Azure Stack HCI as an
integrated experience with Azure Virtual Desktop in the Azure portal. For more
information, see Azure Virtual Desktop on Azure Stack HCI and Deploy Azure Virtual
Desktop.

Single sign-on using Microsoft Entra authentication is now generally available
Single sign-on using Microsoft Entra authentication is now generally available. Single
sign-on automatically signs users into Windows without prompting them for their
credentials for every connection.

For more information, see Configure single sign-on for Azure Virtual Desktop using
Microsoft Entra authentication.

In-session passwordless authentication is now generally available
In-session passwordless authentication is now generally available. Azure Virtual Desktop
supports in-session passwordless authentication using Windows Hello for Business or
security devices like FIDO keys.

For more information, see In-session passwordless authentication.

Windows App preview
Windows App is available in preview for Windows, macOS, iOS and iPadOS, and in a web
browser. You can use it to connect to Azure Virtual Desktop, Windows 365, Microsoft
Dev Box, Remote Desktop Services, and remote PCs, securely connecting you to
Windows devices and apps. For more information, see Windows App.

October 2023
Here's what changed in October 2023:

New article about Azure Virtual Desktop service architecture and resilience
We've published a new article about the service architecture for Azure Virtual Desktop
and how it provides a resilient, reliable, and secure service for organizations and users.
Most components are Microsoft-managed, but some are customer-managed.

You can learn more at Azure Virtual Desktop service architecture and resilience.

OneDrive with RemoteApp in preview
You can now use Microsoft OneDrive alongside a RemoteApp in preview. You can use
this feature to access and synchronize your files while using a RemoteApp. When you
connect to a RemoteApp, OneDrive can automatically launch as a companion to the
RemoteApp.

For more information about prerequisites and configuration, see Use Microsoft
OneDrive with a RemoteApp in Azure Virtual Desktop (preview).

Administrative template for FSLogix now available in Intune settings catalog
The administrative template for FSLogix is now available in the Intune settings catalog.
This template enables you to configure FSLogix settings centrally for session hosts that
are enrolled in Intune.

September 2023
Here's what changed in September 2023:

Azure Virtual Desktop (classic) deprecation
Azure Virtual Desktop (classic) now blocks users from creating new tenants. Customers
should be deploying the current version of Azure Virtual Desktop for any new
workloads. However, while Azure Virtual Desktop (classic) blocks new tenants, you can
still access all other ongoing operation and management processes. We will no longer
support Azure Virtual Desktop (classic) in September 2026, so we highly recommend
you migrate from classic to Azure Virtual Desktop before then.

For more information about the Azure Virtual Desktop (classic) retirement, see Azure
Virtual Desktop (classic) retirement.

Updates to Azure Virtual Desktop overview page in the Azure portal
We've updated the overview page in the Azure Virtual Desktop administrator portal to
include new visuals and tile links. These updates make it easier to navigate to
documentation, find the forums for collaboration and discussion, submit feedback, and
locate release notes for Azure Virtual Desktop.

The latest version of FSLogix is now included in Windows Enterprise multi-session images
We added the latest version of FSLogix to Windows 10 and 11 Enterprise multi-session
images in the Azure Marketplace. As of September 12, 2023, all images come
preinstalled with the latest version of FSLogix.

For more information about what's new in FSLogix, see the FSLogix Release Notes.

Azure Virtual Desktop Insights support for the Azure Monitor Agent is now generally available
Azure Virtual Desktop Insights is a dashboard built on Azure Monitor workbooks that
helps you understand your Azure Virtual Desktop environments. Azure Virtual Desktop
Insights support for the Azure Monitor agent is now generally available. For more
information, see Use Azure Virtual Desktop Insights to monitor your deployment.

The Log Analytics agent for Azure Monitor is being deprecated on August 31, 2024. We
recommend you migrate monitoring of your virtual machines (VMs) and servers to Azure
Monitor Agent before that date. For more information about how to migrate, see
Migrate to Azure Monitor Agent from Log Analytics agent.

Custom Image Template feature is now generally available
Azure Virtual Desktop just made it easier for you to create your golden image with the
new Custom Image Template feature. You can use this new management option in the
Azure portal to include built-in or custom scripts in your template that you can reuse.
For more information, see our blog post.

August 2023
Here's what changed in August 2023:

Updated Group Policy templates for FSLogix
The FSLogix 2210 hotfix 2 release includes updates to the Group Policy templates.
Before this release, the Group Policy template files had some unique behaviors that
made it difficult to find the correct policy name based on the list of configuration
settings for Profiles, Office Data File Containers (ODFC), and Cloud Cache.

For more information about FSLogix Group Policy Template Files, see How to Use
FSLogix Group Policy Template Files for FSLogix.

Improvements in custom image templates
We've updated the text, tooltips, and links for custom image templates in the Azure
portal to make them easier to use. You can also now go to the built-in customization
settings and remove Clipchamp in the Remove AppX package list.

We built the custom image templates feature using Azure Image Builder for you to use
with Azure Virtual Desktop. For more information, see Custom image templates.

July 2023
Here's what changed in July 2023:

Watermarking is now generally available
Watermarking, when used with screen capture protection, helps protect your sensitive
information from capture on client endpoints. When you enable watermarking, QR code
watermarks appear as part of remote desktops. The QR code contains the connection ID
of a remote session that admins can use to trace the session. You can configure
watermarking on session hosts and enforce it with the Remote Desktop client.

Audio call redirection for Azure Virtual Desktop in preview
Call redirection, which optimizes audio calls for WebRTC-based calling apps, is now in
preview. Multimedia redirection redirects media content from Azure Virtual Desktop to
your local machine for faster processing and rendering. Both Microsoft Edge and
Google Chrome support this feature when using the Windows Desktop client.

For more information about which sites are compatible with this feature, see Call
redirection.

Autoscale for personal host pools is currently in preview
Autoscale for personal host pools is now in preview. Autoscale lets you scale your
session host virtual machines (VMs) in a host pool up or down according to a schedule
to optimize deployment costs.

To learn more about autoscale for personal host pools, see Autoscale scaling plans and
example scenarios in Azure Virtual Desktop.

Confidential virtual machines and Trusted Launch virtual machines are now generally available in Azure Virtual Desktop
Confidential virtual machines and Trusted Launch virtual machines for Azure Virtual
Desktop are now generally available. You can select these options when you create a
new host pool with machines or add a new virtual machine to an existing host pool.

Azure confidential virtual machines (VMs) offer VM memory encryption with integrity
protection, which strengthens guest protections to deny the hypervisor and other host
management components code access to the VM memory and state. For more
information about the security benefits of confidential VMs, see our confidential
computing documentation.

Trusted Launch protects against advanced and persistent attack techniques. This feature
allows you to securely deploy your VMs with verified boot loaders, OS kernels, and
drivers. Trusted Launch also protects keys, certificates, and secrets in VMs. For more
information about the benefits of Trusted Launch, see our Trusted Launch
documentation. Trusted Launch is now enabled by default for all Windows images used
with Azure Virtual Desktop.

For more information about this announcement, see Announcing General Availability of
confidential VMs in Azure Virtual Desktop.

Private Link with Azure Virtual Desktop is now generally available
Private Link with Azure Virtual Desktop allows users to establish secure connections to
remote resources using private endpoints. With Private Link, traffic between your virtual
network and the Azure Virtual Desktop service is routed through the Microsoft backbone
network. This routing eliminates the need to expose your service to the public internet,
enhancing the overall security of your infrastructure. By keeping traffic within this
protected network, Private Link adds an extra layer of security for your Azure Virtual
Desktop environment. For more information about Private Link, see Azure Private Link
with Azure Virtual Desktop or read our blog post.

Tamper protection support for Azure Virtual Desktop
Microsoft Intune now supports the use of endpoint security antivirus policy to manage
tamper protection for Azure Virtual Desktop session hosts running Windows 11
Enterprise or Windows 11 Enterprise multi-session. Support for tamper protection
requires you to onboard session hosts to Microsoft Defender for Endpoint before you
apply the policy that enables tamper protection.

June 2023
Here's what changed in June 2023:

Azure Virtual Desktop Insights support for the Azure Monitor Agent now in preview
Azure Virtual Desktop Insights is a dashboard built on Azure Monitor workbooks that
helps IT professionals understand their Azure Virtual Desktop environments. Azure
Virtual Desktop Insights support for the Azure Monitor agent is now in preview. For
more information, see Use Azure Virtual Desktop Insights to monitor your deployment.

Administrative template for Azure Virtual Desktop now available in Intune
We've created an administrative template for Azure Virtual Desktop to help you
configure certain features in Azure Virtual Desktop. This administrative template is now
available in Intune, which enables you to centrally configure session hosts that are
enrolled in Intune and Azure Active Directory (Azure AD) joined or hybrid Azure AD
joined.

For more information, see Administrative template for Azure Virtual Desktop.

May 2023
Here's what changed in May 2023:

Custom image templates is now in preview
Custom image templates is now in preview. Custom image templates help you easily
create a custom image that you can use when deploying session host VMs. With custom
images, you can standardize the configuration of your session host VMs for your
organization. Custom image templates is built on Azure Image Builder and tailored for
Azure Virtual Desktop. For more information about the preview, check out Custom
image templates or read our blog post.

April 2023
Here's what changed in April 2023:

Azure Virtual Desktop Store app for Windows in preview
The Azure Virtual Desktop Store app for Windows is now in preview for Windows 10 and
11. With the Store App, you can now automatically update the client, unlike with the
Remote Desktop client. You can also pin a RemoteApp to your Start menu to personalize
your desktop and reduce clutter.

For more information about the preview release version, check out Use features of the
Azure Virtual Desktop Store app for Windows when connecting to Azure Virtual Desktop
(preview), What's new in the Azure Virtual Desktop Store App (preview), or read our blog
post.

Intune user-scope configuration for Windows 10 Enterprise multi-session VMs now generally available
Microsoft Intune user-scope configuration for Azure Virtual Desktop multi-session
Virtual Machines (VMs) on Windows 10 and 11 is now generally available. With this
feature, you're able to:

Configure user-scope policies using the Settings catalog and assign those policies
to groups of users.
Configure user certificates and assign them to users.
Configure PowerShell scripts to install in user context and assign the scripts to
users.

For more information, see Azure Virtual Desktop multi-session with Intune or our blog
post.

March 2023
Here's what changed in March 2023:

Redesigned connection bar for the Windows Desktop client
The latest version of the Windows Desktop client includes a redesigned connection bar.
For more information, see Updates for version 1.2.4159.

Shutdown session host status
The Shutdown session host status is now available in the Azure Virtual Desktop portal
and the most recent API version. For more information, see Session host statuses and
health checks.

Windows 10 and 11 22H2 images now visible in the image drop-down menu
Windows 10 and 11 22H2 Enterprise and Enterprise multi-session images are now visible
in the image dropdown when creating a new host pool or adding a VM in a host pool
from the Azure Virtual Desktop portal.

ms-avd Uniform Resource Identifier (URI) scheme in preview
ms-avd is a Uniform Resource Identifier (URI) scheme for Azure Virtual Desktop that you
can use with the Remote Desktop client for Azure Virtual Desktop. You can use ms-avd to
subscribe to a workspace or connect to a particular desktop or RemoteApp. URI
schemes provide fast and efficient end-user connection to Azure Virtual Desktop
resources. For more information, see our blog post and URI schemes with the Remote
Desktop client for Azure Virtual Desktop (preview).

Azure Virtual Desktop Insights at Scale now generally available
Azure Virtual Desktop Insights at Scale is now generally available. This feature gives you
the ability to review performance and diagnostic information in multiple host pools at
the same time in a single view. If you're an existing Azure Virtual Desktop Insights user,
you get this feature without having to do any extra configuration or setup. For more
information, see our blog post and Use Azure Virtual Desktop Insights to monitor
your deployment.

February 2023
Here's what changed in February 2023:

Symmetric NAT support for RDP Shortpath in preview
This feature is an extension of the generally available Remote Desktop Protocol (RDP)
Shortpath feature that allows us to establish a User Datagram Protocol (UDP)
connection indirectly using a relay with the TURN (Traversal Using Relays around NAT)
protocol for symmetric NAT (Network Address Translation). For more information, see
our blog post or RDP Shortpath for Azure Virtual Desktop.

Multimedia redirection enhancements now generally available
Multimedia redirection is now generally available. Multimedia redirection enables
smooth video playback while viewing videos in a browser running on Azure Virtual
Desktop. For more information, see our blog post or Multimedia redirection for video
playback and calls in a remote session.

New User Interface for Azure Virtual Desktop web client now in preview
The Azure Virtual Desktop web client has a new user interface (UI) that's now in preview.
This new UI gives the web client a cleaner, more modern look and feel. For more
information, see our blog post or Use features of the Remote Desktop Web client.

January 2023
Here's what changed in January 2023:

Watermarking for Azure Virtual Desktop now in preview
Watermarking for Azure Virtual Desktop is now in preview for the Windows Desktop
client. This feature protects sensitive information from being captured on client
endpoints by adding watermarks to remote desktops. For more information, see our
blog post or Watermarking in Azure Virtual Desktop.

Give or Take Control for macOS Teams on Azure Virtual Desktop now generally available
Version 1.31.2211.15001 of the WebRTC Redirector service includes support for Give or
Take Control for macOS users. This version includes performance improvements for Give
or Take Control on Windows. For more information, see Updates for version
1.31.2211.15001.

Microsoft Teams application window sharing on Azure Virtual Desktop now generally available
Previously, users could only share their full desktop windows or a Microsoft PowerPoint
Live presentation during Teams calls. With application window sharing, users can now
choose a specific window to share from their desktop screen and help reduce the risk of
displaying sensitive content during meetings or calls. For more information, see our blog
post.

Windows 7 End of Support
Starting January 10, 2023, Azure Virtual Desktop no longer supports Windows 7 as a
client or host. We recommend upgrading to a supported Windows release. For more
information, see our blog post.

December 2022
Here's what changed in December 2022:

FSLogix 2210 now generally available
FSLogix version 2210 is now generally available. This version introduces new features
like VHD Disk Compaction, a new process that improves user experience with AppX
applications like built-in Windows apps (inbox apps) and Recycle Bin roaming. For more
information, see our blog post or What’s new in FSLogix.

India metadata service now generally available
The Azure Virtual Desktop region in India is now generally available. Customers can now
store their Azure Virtual Desktop objects and metadata within a database located in the
India geography. For more information, see our blog post.

Confidential Virtual Machine support for Azure Virtual Desktop now in preview
Azure Confidential VM support is now in preview. Azure Confidential VMs increase data
privacy and security by protecting data in use. The preview update also adds support for
Windows 11 22H2 to Confidential VMs. For more information, see our blog post.

November 2022
Here's what changed in November 2022:

RDP Shortpath for public networks now generally available
Remote Desktop Protocol (RDP) Shortpath for public networks is now generally
available. RDP Shortpath improves the transport reliability of Azure Virtual Desktop
connections by establishing a direct User Datagram Protocol (UDP) data flow between
the Remote Desktop client and session hosts. This feature will be enabled by default for
all customers. For more information, see our blog post.

Azure Virtual Desktop Insights at Scale in preview
The ability to review performance and diagnostic information across multiple host pools
in one view with Azure Virtual Desktop Insights at Scale is now in preview. For more
information, see our blog post or Use Azure Virtual Desktop Insights to monitor your
deployment.

Intune user configuration for Windows 11 Enterprise multi-session VMs now generally available
Microsoft Intune user scope configuration for Azure Virtual Desktop multi-session VMs
on Windows 11 is now generally available. With this feature, you're able to:

Configure user scope policies using the Settings catalog and assign them to
groups of users.
Configure user certificates and assign them to users.
Configure PowerShell scripts to install in the user context and assign them to users.

For more information, see Azure Virtual Desktop multi-session with Intune or our blog
post.

Azure Active Directory Join VMs with FSLogix profiles on Azure Files now generally available
FSLogix profiles with Azure Active Directory (AD)-joined Windows 10, 11, and Windows
Server 2022 VMs for hybrid users in Azure Virtual Desktop are now generally available.
These FSLogix profiles let you seamlessly access file shares from Azure AD-joined VMs
and use them to store your FSLogix profile containers. For more information, see our
blog post .

Private Link for Azure Virtual Desktop now in preview
Private endpoints from Azure Private Link for Azure Virtual Desktop are now in preview.
Private Link can enable traffic between session hosts, clients, and the Azure Virtual
Desktop service to flow through a private endpoint within your virtual network instead
of the public internet. For more information, see our blog post, read our overview at
Use Azure Private Link with Azure Virtual Desktop (preview), or get started at Set up
Private Link for Azure Virtual Desktop (preview).

October 2022
Here's what changed in October 2022:

Background effects for macOS Teams on Azure Virtual Desktop now generally available
Background effects for Teams on Azure Virtual Desktop is now generally available for
the macOS version of Teams on Azure Virtual Desktop. This feature lets meeting
participants select an available image in Teams to change their background or choose to
blur their background. Background effects are only compatible with version 10.7.10 or
later of the Azure Virtual Desktop macOS client. For more information, see What's new
in the macOS client.

Host pool deployment support for Azure availability zones now generally available
We've improved the host pool deployment process. You can now deploy host pools into
up to three availability zones in supported Azure regions. For more information, see our
blog post.

FSLogix version 2210 now in preview
FSLogix version 2210 is now in preview. This new version includes new features, bug fixes,
and other improvements. One of the new features is Disk Compaction, which lets you
remove white space in a disk to shrink the disk size. Disk Compaction saves you
significant amounts of storage capacity in the storage spaces where you keep your
FSLogix disks. For more information, see What's new in FSLogix or the FSLogix Disk
Compaction blog post.

Universal Print for Azure Virtual Desktop now generally available
The release of Windows 11 22H2 includes an improved printing experience that
combines the benefits of Azure Virtual Desktop and Universal Print for Windows 11
multi-session users. Learn more at Printing on Azure Virtual Desktop using Universal
Print.

September 2022
Here's what changed in September 2022:

Single sign-on and passwordless authentication now in preview
The ability to enable an Azure Active Directory (AD)-based single sign-on experience
and support for passwordless authentication, using Windows Hello and security devices
(like FIDO2 keys) is now in preview. This feature is available for Windows 10, Windows
11, and Windows Server 2022 session hosts with the September Cumulative Update
Preview installed. The single sign-on experience is currently compatible with the
Windows Desktop and web clients. For more information, see our blog post.

Connection graphics data logs for Azure Virtual Desktop now in preview
The ability to collect graphics data for your Azure Virtual Desktop connections through
Azure Log Analytics is now in preview. This data can help administrators understand
factors across the server, client, and network that contribute to slow or choppy
experiences for a user. For more information, see our blog post.

Multimedia redirection enhancements now in preview
An upgraded version of multimedia redirection for Azure Virtual Desktop is now in
preview. We've made various improvements to this version, including more supported
websites, RemoteApp browser support, and enhancements to media controls for better
clarity and one-click tracing. Learn more at Multimedia redirection on Azure Virtual
Desktop (preview) and our blog post.

Grouping costs by Azure Virtual Desktop host pool now in preview
Microsoft Cost Management has a new feature in preview that lets you group Azure
Virtual Desktop costs with Azure tags by using the cm-resource-parent tag key. Cost
grouping makes it easier to understand and manage costs by host pool. Learn more at
Tag Azure Virtual Desktop resources to manage costs and our blog post.
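As an added example (not code from the Azure Virtual Desktop documentation or from the Cost Management team), the following Azure PowerShell script applies the cm-resource-parent tag to a host pool, to its session host VMs, and to the disks and network interfaces that bill alongside those VMs. The resource group and host pool names are placeholders, the tag value is assumed to be the host pool's Azure resource ID, and the Az.Accounts, Az.Resources, Az.Compute and Az.DesktopVirtualization modules are assumed to be installed.

```powershell
# Added example: group Azure Virtual Desktop costs by host pool with the cm-resource-parent tag.
# Assumptions: Az.Accounts, Az.Resources, Az.Compute and Az.DesktopVirtualization are installed,
# the signed-in account can write tags on these resources, and the tag value is the host pool's
# ARM resource ID. The resource group and host pool names below are placeholders.
$resourceGroupName = 'rg-avd-placeholder'
$hostPoolName      = 'hp-avd-placeholder'

Connect-AzAccount | Out-Null

$hostPool = Get-AzWvdHostPool -ResourceGroupName $resourceGroupName -Name $hostPoolName
$tag = @{ 'cm-resource-parent' = $hostPool.Id }

# Merge adds or overwrites only this key and leaves the resource's other tags untouched,
# so it is safe to re-run after new session hosts are added.
function Set-ParentTag {
    param([string]$ResourceId)
    Update-AzTag -ResourceId $ResourceId -Tag $tag -Operation Merge | Out-Null
    Write-Host "Tagged $ResourceId"
}

Set-ParentTag -ResourceId $hostPool.Id

$sessionHosts = Get-AzWvdSessionHost -ResourceGroupName $resourceGroupName -HostPoolName $hostPoolName
foreach ($sessionHost in $sessionHosts) {
    # SessionHost.ResourceId is the ARM ID of the underlying virtual machine.
    $vmId = $sessionHost.ResourceId
    Set-ParentTag -ResourceId $vmId

    # Disks and NICs are billed as their own resources, so tag them as well; otherwise their
    # cost stays outside the host pool grouping. Index 4 of the split ID is the resource group,
    # the last element is the VM name.
    $idParts = $vmId -split '/'
    $vm = Get-AzVM -ResourceGroupName $idParts[4] -Name $idParts[-1]
    Set-ParentTag -ResourceId $vm.StorageProfile.OsDisk.ManagedDisk.Id
    foreach ($dataDisk in $vm.StorageProfile.DataDisks) {
        Set-ParentTag -ResourceId $dataDisk.ManagedDisk.Id
    }
    foreach ($nic in $vm.NetworkProfile.NetworkInterfaces) {
        Set-ParentTag -ResourceId $nic.Id
    }
}

# Verify: the host pool (and every resource tagged above) should now carry its own ID
# under the cm-resource-parent key.
(Get-AzTag -ResourceId $hostPool.Id).Properties.TagsProperty['cm-resource-parent']
```

Run the script once after each change to the host pool's membership, or bake the tag into the deployment template that creates the session hosts. Once the tag is in place, Cost Management's "Group by: Tag" view on cm-resource-parent rolls the VM, disk and NIC charges up under the host pool.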

August 2022
Here's what changed in August 2022:

Azure portal updates
We've made the following updates to the Azure portal:

Improved search, filtering, and performance.
Added Windows Server 2022 images to the image selection list.
Added "Preferred group type" to the "Basics" tab in the host pool creation process.
Enabled custom images for Trusted Launch VMs.
New selectable cards, including the following:
Unavailable machines.
User session.
Removed the "Advanced" tab for the process to add a VM to the host pool.
Removed the storage blob image option from the host pool creation and adding
VM processes.
Bug fixes.
Made the following improvements to the "getting started" setup process:
Unchecked link Azure template.
Removed validation on existing domain admins.

Updates to the preview version of FSLogix profiles for Azure AD-joined VMs
We've updated the preview version of the Azure Files integration with Azure AD
Kerberos for hybrid identities so that it's now simpler to deploy and manage. The
update should give users using FSLogix user profiles on Azure AD-joined session hosts
an overall better experience. For more information, see the Azure Files blog post.

Single sign-on and passwordless authentication now in Windows Insider preview
In the Windows Insider build of Windows 11 22H2, you can now enable a preview
version of the Azure AD-based single sign-on experience. This Windows Insider build
also supports passwordless authentication with Windows Hello and security devices like
FIDO2 keys. For more information, see our blog post.

Universal Print for Azure Virtual Desktop now in Windows Insider preview
The latest Windows Insider build of Windows 11 22H2 also includes a preview version of
the Universal Print for Azure Virtual Desktop feature. This feature provides an improved
printing experience that combines the benefits of Azure Virtual Desktop and Universal
Print for Windows 11 multi-session users. Learn more at Printing on Azure Virtual
Desktop using Universal Print and our blog post.

Autoscale for pooled host pools now generally available
Autoscale on Azure Virtual Desktop for pooled host pools is now generally available.
This feature is a native automated scaling solution that automatically turns session host
virtual machines on and off according to the schedule and capacity thresholds that you
define to fit your workload. Learn more at How autoscale works and our blog post.

Azure Virtual Desktop with Trusted Launch update
Azure Virtual Desktop now supports provisioning Trusted Launch virtual machines with
custom images stored in an Azure Compute Gallery. For more information, see our blog
post.

July 2022
Here's what changed in July 2022:

Scheduled agent updates now generally available
Scheduled agent updates on Azure Virtual Desktop are now generally available. This
feature gives IT admins control over when the Azure Virtual Desktop agent, side-by-side
stack, and Geneva Monitoring agent get updated. For more information, see our blog
post.

FSLogix 2201 hotfix 2
The FSLogix 2201 hotfix 2 update includes fixes to multi-session VHD mounting, Cloud
Cache meta tracking files, and registry cleanup operations. This update doesn't include
new features. Learn more at What's new in FSLogix and our blog post.

Japan and Australia metadata service now generally available
The Azure Virtual Desktop metadata database located in Japan and Australia is now
generally available. This update allows customers to store their Azure Virtual Desktop
objects and metadata within a database located within that geography. For more
information, see our blog post.

Azure Virtual Desktop moving away from Storage Blob image type
Storage Blob images are created from unmanaged disks, which means they lack the
availability, scalability, and frictionless user experience that managed images and Shared
Image Gallery images offer. As a result, Azure Virtual Desktop will be deprecating
support for Storage Blobs image types by August 22, 2022. For more information, see
our blog post.

Azure Virtual Desktop Custom Configuration changing to PowerShell
Starting July 21, 2022, Azure Virtual Desktop will replace the Custom Configuration
Azure Resource Manager template parameters for creating host pools, adding session
hosts to host pools, and the Getting Started feature with a PowerShell script URL
parameter stored in a publicly accessible location. This replacement includes the
parameters' respective Azure Resource Manager templates. For more information, see
our blog post.

June 2022
Here's what changed in June 2022:

Australia metadata service in preview
The Azure Virtual Desktop metadata database located in Australia is now in preview.
This allows customers to store their Azure Virtual Desktop objects and metadata within a
database located within our Australia geography, ensuring that the data will only reside
within Australia. For more information, see our blog post.

Intune user configuration for Windows 11 Enterprise multi-session VMs in preview
Deploying Intune user configuration policies from the Microsoft Intune admin center to
Windows 11 Enterprise multi-session VMs on Azure Virtual Desktop is now in preview. In
this preview, you can configure the following features:

User scope policies using the Settings catalog.
User certificates via Templates.
PowerShell scripts to run in the user context.

For more information, see our blog post.

Teams media optimizations for macOS now generally available
Teams media optimizations for redirecting audio and video during calls and meetings to
a local macOS machine is now generally available. To use this feature, you need to
update or install, at a minimum, version 10.7.7 of the Azure Virtual Desktop macOS
client. Learn more at Use Microsoft Teams on Azure Virtual Desktop and our blog
post.

May 2022
Here's what changed in May 2022:

Background effects with Teams on Azure Virtual Desktop now generally available
Users can now make meetings more personalized and avoid unexpected distractions by
applying background effects. Meeting participants can select an available image in
Teams to change their background or choose to blur their background. For more
information, see our blog post.

Multi-window and "Call me with Teams" features now generally available
The multi-window feature gives users the option to pop out chats, meetings, calls, or
documents into separate windows to streamline their workflow. The "Call me with
Teams" feature lets users transfer a Teams call to their phone. Both features are now
generally available in Teams on Azure Virtual Desktop. For more information, see our
blog post.

Japan metadata service in preview
The Azure Virtual Desktop metadata database located in Japan is now in preview. This
allows customers to store their Azure Virtual Desktop objects and metadata within a
database located within our Japan geography, ensuring that the data will only reside
within Japan. For more information, see our blog post.

FSLogix 2201 hotfix
The latest update for FSLogix 2201 includes fixes to Cloud Cache and container
redirection processes. No new features are included with this update. Learn more at
What's new in FSLogix and our blog post.

April 2022
Here's what changed in April 2022:

Intune device configuration for Windows multi-session now generally available
Deploying Intune device configuration policies from the Microsoft Intune admin center
to Windows multi-session VMs on Azure Virtual Desktop is now generally available.
Learn more at Using Azure Virtual Desktop multi-session with Intune and our blog
post.

Scheduled Agent Updates preview
Scheduled Agent Updates is a new feature in preview that lets IT admins specify the
time and day the Azure Virtual Desktop agent, side-by-side stack, and Geneva
Monitoring agent will update. For more information, see our blog post.

RDP Shortpath for public networks now in preview
A new feature for RDP Shortpath is now in preview. With this feature, RDP Shortpath can
provide a direct UDP-based network transport for user sessions over public networks.
Learn more at Azure Virtual Desktop RDP Shortpath for public networks (preview) and
our blog post.

The Azure Virtual Desktop web client has a new URL
Starting April 18, 2022, the Azure Virtual Desktop and Azure Virtual Desktop (classic)
web clients will redirect to a new URL. For more information, see our blog post.

March 2022
Here's what changed in March 2022:

Live Captions with Teams on Azure Virtual Desktop now generally available
Accessibility has always been important to us, so we're pleased to announce that Teams
for Azure Virtual Desktop now supports real-time captions. Learn how to use live
captions at Use live captions in a Teams meeting. For more information, see our blog
post.

Multimedia redirection enhancements now in preview
An upgraded version of multimedia redirection for Azure Virtual Desktop is now in
preview. We've made various improvements to this version, including more supported
websites and media controls for our users. Learn more at Multimedia redirection for
Azure Virtual Desktop and our blog post.

FSLogix version 2201 is now generally available
FSLogix version 2201 is now generally available. This version includes improved sign-in
and sign-out times, cloud cache performance improvements, and accessibility updates.
For more information, see the FSLogix release notes and our blog post.

February 2022
Here's what changed in February 2022:

Network data for Azure Virtual Desktop user connections
You can now collect network data (both round trip time and available bandwidth)
throughout a user's connection in Azure Virtual Desktop with Azure Log Analytics. For
more information, see our blog post.

Unassigning and reassigning personal desktops now generally available
The feature that lets you reassign or unassign personal desktops is now generally
available. You can unassign or reassign desktops using the Azure portal or REST API. For
more information, see our blog post.

Teams media optimizations for macOS now in preview
Teams media optimizations for redirecting audio and video during calls and meetings to
a local macOS machine are now in preview. To use this feature, you'll need to update
your Azure Virtual Desktop macOS client to version 10.7.7 or later. For more
information, see our blog post or Use Microsoft Teams on Azure Virtual Desktop.

January 2022
Here's what changed in January 2022:

FSLogix version 2201 preview
FSLogix version 2201 is now in preview. For more information, see our blog post or
the FSLogix release notes.

Migration tool now generally available
The PowerShell commands that migrate metadata from Azure Virtual Desktop (classic)
to Azure Virtual Desktop are now generally available. To learn more about migrating
your existing deployment, see Migrate automatically from Azure Virtual Desktop (classic)
or our blog post.

Increased application group limit
We've increased the number of Azure Virtual Desktop application groups you can have on
each Azure Active Directory tenant from 200 to 500. For more information, see our blog
post.

Updates to required URLs
We've updated the required URL list for Azure Virtual Desktop to accommodate Azure
Virtual Desktop agent traffic. For more information, see our blog post.

December 2021
Here's what changed in December 2021:

Azure portal updates
You can now automatically create Trusted Launch virtual machines through the host
pool creation process instead of having to manually create and add them to a host pool
after deployment. To access this feature, select the Virtual machines tab while creating a
host pool. Learn more at Trusted Launch for Azure virtual machines.

Azure Active Directory Join VMs with FSLogix profiles on Azure Files
Azure Active Directory-joined session hosts for FSLogix profiles on Azure Files in
Windows 10 and 11 multi-session is now in preview. We've updated Azure Files to use a
Kerberos protocol for Azure Active Directory that lets you secure folders in the file share
to individual users. This new feature also allows FSLogix to function within your
deployment without an Active Directory Domain Controller. For more information, check
out our blog post.

Azure Virtual Desktop pricing calculator updates
We've made some significant updates to improve the Azure Virtual Desktop pricing
experience on the Azure pricing calculator, including the following:

You can now calculate costs for any number of users greater than zero.
The calculator now includes storage and networking or bandwidth costs.
We've added new info messages for clarity.
Fixed bugs that affected storage configuration.

For more information, see the pricing calculator.

November 2021
Here's what changed in November 2021:

Azure Virtual Desktop for Azure Stack HCI
Azure Virtual Desktop for Azure Stack HCI is now in preview. This feature is for
customers who need desktop virtualization for apps that have to stay on-premises for
performance and data security reasons. To learn more, see our blog post and the
Azure Virtual Desktop for Azure Stack HCI documentation.

Autoscale preview
We're pleased to introduce the new autoscale feature, which lets you stop or start
session hosts automatically based on a schedule you set. Autoscale lets you optimize
infrastructure costs by configuring your shared or pooled desktops to only charge for
the resources you actually use. You can learn more about the autoscale feature by
reading our documentation and watching our Azure Academy video.

Azure Virtual Desktop starter kit for Power Automate
Your organization can now use the Azure Virtual Desktop starter kit to manage its
robotic process automation (RPA) workloads. Learn more by reading our
documentation.

Tagging with Azure Virtual Desktop
We recently released new documentation about how to configure tags for Azure Virtual
Desktop to track and manage costs. For more information, see Tag Azure Virtual
Desktop resources.

October 2021
Here's what changed in October 2021:

Azure Virtual Desktop support for Windows 11
Azure Virtual Desktop support for Windows 11 is now generally available for single and
multi-session deployments. You can now use Windows 11 images when creating host
pools in the Azure portal. For more information, see our blog post.

RDP Shortpath now generally available
Remote Desktop Protocol (RDP) Shortpath for managed networks is now generally
available. RDP Shortpath establishes a direct connection between the Remote Desktop
client and the session host. This direct connection reduces dependency on gateways,
improves the connection's reliability, and increases the bandwidth available for each
user session. For more information, see our blog post.

Screen capture protection updates
Screen capture protection is now supported on the macOS client and the Azure
Government and Azure operated by 21Vianet clouds. For more information, see our
blog post.

Azure Active Directory domain join
Azure Active Directory domain join for Azure Virtual Desktop VMs is now available in the
Azure Government and Azure operated by 21Vianet clouds. Microsoft Intune is currently
only supported in the Azure Public cloud. Learn more at Deploy Azure AD-joined virtual
machines in Azure Virtual Desktop.

Breaking change in Azure Virtual Desktop Azure Resource Manager template
A breaking change has been introduced into the Azure Resource Manager template for
Azure Virtual Desktop. If you're using any code that depends on the change, then you
need to follow the directions in our blog post to address the issue.

Autoscale (preview) preview
Autoscale for Azure Virtual Desktop is now in preview. This feature natively turns your
VMs in pooled host pools on or off based on availability needs. Scheduling when your
VMs turn on and off optimizes deployment costs, and this feature also offers flexible
scheduling options based on your needs. Once you've configured the required custom
Role-Based Access Control (RBAC) role, you can start configuring your scaling plan. For
more information, see Autoscale (preview) for Azure Virtual Desktop host pools.

September 2021
Here's what changed in September 2021.

Azure portal updates
You can now use Azure Resource Manager templates for any update you want to apply
to your session hosts after deployment. You can access this feature by selecting the
Virtual machines tab while creating a host pool.

You can also now set host pool, application group, and workspace diagnostic settings
while creating host pools instead of afterwards. Configuring these settings during the
host pool creation process also automatically sets up reporting data for Azure Virtual
Desktop Insights.

Azure Active Directory domain join
Azure Active Directory domain join is now generally available. This service lets you join
your session hosts to Azure Active Directory (Azure AD). Domain join also lets you
autoenroll into Microsoft Intune. You can access this feature in the Azure public cloud,
but not the Government cloud or Azure operated by 21Vianet. For more information,
see our blog post.

Azure operated by 21Vianet
Azure Virtual Desktop is now generally available in the Azure operated by 21Vianet
cloud. For more information, see our blog post.

Automatic migration module tool
With the automatic migration tool, you can move your organization from Azure Virtual
Desktop (classic) to Azure Virtual Desktop with just a few PowerShell commands. This
feature is currently in preview, and you can find out more at Automatic migration.

August 2021
Here's what changed in August 2021:

Windows 11 (Preview) for Azure Virtual Desktop
Windows 11 (Preview) images are now available in the Azure Marketplace for customers
to test and validate with Azure Virtual Desktop. For more information, see our
announcement.

Multimedia redirection is now in preview
Multimedia redirection gives you smooth video playback while watching videos in your
Azure Virtual Desktop web browser and works with Microsoft Edge and Google Chrome.
Learn more at our blog post.

Windows Defender Application Control and Azure Disk Encryption support
Azure Virtual Desktop now supports Windows Defender Application Control to control
which drivers and applications are allowed to run on Windows VMs, and Azure Disk
Encryption, which uses Windows BitLocker to provide volume encryption for the OS and
data disks of your VMs. For more information, see our announcement.

Signing into Azure Active Directory using smart cards and Active Directory Federation Services is now supported in Azure Virtual Desktop
While this isn't a new feature for Azure Active Directory, Azure Virtual Desktop now
supports configuring Active Directory Federation Services to sign in with smart cards.
For more information, see our announcement.

Screen capture protection is now generally available
Prevent sensitive information from being screen captured by software running on the
client endpoints with screen capture protection in Azure Virtual Desktop. Learn more at
our blog post.

July 2021
Here's what changed in July 2021:

Azure Virtual Desktop images now include optimized Teams
All available images in the Azure Virtual Desktop image gallery that include Microsoft
365 Apps for Enterprise now have the media-optimized version of Teams for Azure
Virtual Desktop pre-installed. For more information, see our announcement.

Azure Active Directory Domain Join for session hosts is in preview
You can now join your Azure Virtual Desktop VMs directly to Azure Active Directory
(Azure AD). This feature lets you connect to your VMs from any device with basic
credentials. You can also automatically enroll your VMs with Microsoft Intune. For
certain scenarios, this helps eliminate the need for a domain controller, reduce costs,
and streamline your deployment. Learn more at Deploy Azure AD joined virtual
machines in Azure Virtual Desktop.

FSLogix version 2105 is now available
FSLogix version 2105 is now generally available. This version includes improved sign-in
times and bug fixes that weren't available in the preview version (version 2105). For
more detailed information, you can see the FSLogix release notes and our blog post.

Azure Virtual Desktop in China has entered preview
With Azure Virtual Desktop available in China, we now have more rounded global
coverage that helps organizations support customers in this region with improved
performance and latency. Learn more at our announcement page.

The getting started feature for Azure Virtual Desktop
This feature offers a streamlined onboarding experience in the Azure portal to set up
your Azure Virtual Desktop environment. You can use this feature to create deployments
that meet system requirements for automated Azure Active Directory Domain Services
the simple and easy way. For more information, check out our blog post.

Start VM on connect is now generally available
The start VM on connect feature is now generally available. This feature helps you
optimize costs by letting you turn off deallocated or stopped VMs, letting your
deployment be flexible with user demands. For more information, see Start Virtual
Machine on Connect.

RemoteApp streaming
We recently announced a new pricing option for RemoteApp streaming for using Azure
Virtual Desktop to deliver apps as a service to your customers and business partners. For
example, software vendors can use RemoteApp streaming to deliver apps as a software
as a service (SaaS) solution that's accessible to their customers. To learn more about
RemoteApp streaming, check out our documentation.

New Azure Virtual Desktop handbooks
We recently released four new handbooks to help you design and deploy Azure Virtual
Desktop in different scenarios:

Application Management shows you how to modernize application delivery and
simplify IT management.
In Disaster Recovery, learn how to strengthen business resilience by developing
a disaster recovery strategy.
Get more value from Citrix investments with the Citrix Cloud with Azure Virtual
Desktop migration guide.
Get more value from existing VMware investments with the VMware Horizon with
Azure Virtual Desktop migration guide.

June 2021
Here's what changed in June 2021:

Windows Virtual Desktop is now Azure Virtual Desktop
To better align with our vision of a flexible cloud desktop and application platform,
we've renamed Windows Virtual Desktop to Azure Virtual Desktop. Learn more at the
announcement post in our blog.

EU, UK, and Canada geographies are now generally available
Metadata service for the European Union, UK, and Canada is now in general availability.
These new locations are very important to data sovereignty outside the US. For more
information, see our blog post.

The Getting Started tool is now in preview
We created the Azure Virtual Desktop Getting Started tool to make the deployment
process easier for first-time users. By simplifying and automating the deployment
process, we hope this tool helps make adopting Azure Virtual Desktop faster and more
accessible to a wider variety of users. Learn more at our blog post.

Azure Virtual Desktop pricing calculator updates
We've made some significant updates to improve the Azure Virtual Desktop pricing
experience on the Azure pricing calculator, including the following:

We've updated the service name to Azure Virtual Desktop.
We also updated the layout with the following new items:
A Storage section with both managed disk and file storage bandwidth.
A custom section that shows cost-per-user.

You can access the pricing calculator at this page.

Single Sign-on (SSO) using Active Directory Federation Services (AD FS)
The AD FS single-sign on feature is now generally available. This feature lets customers
use AD FS to give a single sign-on experience for users on the Windows and web clients.
For more information, see Configure AD FS single sign-on for Azure Virtual Desktop.

May 2021
Here's what's new for May 2021:

Smart card authentication
We've now officially released the Key Distribution Center (KDC) Proxy Remote Desktop
Protocol (RDP) properties. These properties enable Kerberos authentication for the RDP
portion of an Azure Virtual Desktop session, which includes permitting Network Level
Authentication without a password. Learn more at our blog post.

The web client now supports file transfer
Starting with the preview version of the web client, version 1.0.24.7 (preview), users can
now transfer files between their remote session and local computer. To upload files to
the remote session, select the upload icon in the menu at the top of the web client
page. To download files, search for Remote Desktop Virtual Drive in the Start menu on
your remote session. After you've opened your virtual drive, just drag and drop your
files into the Downloads folder and the browser will begin downloading the files to your
local computer.

Start VM on connect support updates
Start VM on connect (preview) now supports pooled host pools and the Azure
Government Cloud. To learn more, read our blog post.

Latency improvements for the United Arab Emirates region
We've expanded our Azure control plane presence to the United Arab Emirates (UAE), so
customers in that region can now experience improved latency. Learn more at our Azure
Virtual Desktop roadmap.

Ending Internet Explorer 11 support
On September 30, 2021, the Azure Virtual Desktop web client will no longer support
Internet Explorer 11. We recommend you start using the Microsoft Edge browser for
your web client and remote sessions instead. For more information, see the
announcement in this blog post.

Microsoft Intune preview
We've started the preview for Microsoft Intune support in Windows 10 Enterprise multi-
session. Intune support lets you manage your Windows 10 VMs with the same tools as
your local devices. Learn more at our Microsoft Endpoint Manager documentation.

FSLogix version 2105 preview
We have released a preview of the latest version of the FSLogix agent. Check out our
blog post for more information and to submit the form you need to access the
preview.

May 2021 updates for Teams for Azure Virtual Desktop
For this update, we resolved an issue that caused the screen to remain black while
sharing video. We also fixed a mismatch in video resolutions between the session client
and the Teams server. Teams on Azure Virtual Desktop should now change resolution
and bit rates based on input from the Teams server.

Azure portal deployment updates
We've made the following updates to the deployment process in the Azure portal:

Added new images (including GEN2) to the drop-down list box of "image" when
creating a new Azure Virtual Desktop session host VM.
You can now configure boot diagnostics for virtual machines when creating a host
pool.
Added a tool tip to the RDP proxy in the advanced host pool RDP properties tab.
Added an information bubble for the icon path when adding an application from
an MSIX package.
You can no longer do managed boot diagnostics with an unmanaged disk.
Updated the template for creating a host pool in Azure Resource Manager so that
the Azure portal can now support creating host pools with third-party marketplace
images.

Single sign-on using Active Directory Federation Services preview
We've started a preview for Active Directory Federation Services (AD FS) support for
single sign-on (SSO) per host pool. Learn more at Configure AD FS single sign-on for
Azure Virtual Desktop.

Enterprise-scale support
We've released an updated section of the Cloud Adoption framework for Enterprise-
scale support for Azure Virtual Desktop. For more information, see Enterprise-scale
support for the Azure Virtual Desktop construction set.

Customer adoption kit

We've recently released the Azure Virtual Desktop Customer adoption kit to help
customers and partners set up Azure Virtual Desktop for their customers. You can
download the kit here.

April 2021
Here's what's new for April:

Use the Start VM on Connect feature (preview) in the Azure portal

You can now configure Start VM on Connect (preview) in the Azure portal. With this
update, users can access their VMs from the Android and macOS clients. To learn more,
see Start VM on Connect.

Required URL Check tool

The Azure Virtual Desktop agent, version 1.0.2944.400, includes a tool that validates
URLs and displays whether the virtual machine can access the URLs it needs to function.
If any required URLs aren't accessible, the tool lists them so you can unblock them, if
needed. Learn more at Required URL Check tool.

Updates to the Azure portal UI for Azure Virtual Desktop

Here's what changed in the latest update of the Azure portal UI for Azure Virtual
Desktop:

Fixed an issue that caused an error to appear when retrieving the session host
while drain mode is enabled.
Upgraded the Portal SDK to version 7.161.0.
Fixed an issue that caused the resource ID missing error message to appear in the
User Sessions tab.
The Azure portal now shows detailed sub-status messages for session hosts.

April 2021 updates for Teams on Azure Virtual Desktop

Here's what's new for Teams on Azure Virtual Desktop:

Added hardware acceleration for video processing of outgoing video streams for
Windows 10-based clients.
When joining a meeting with both a front facing camera and a rear facing or
external camera, the front facing camera is selected by default.
Resolved an issue that made Teams crash on x86-based machines.
Resolved an issue that caused striations during screen sharing.
Resolved an issue that prevented meeting members from seeing incoming video
or screen sharing.

MSIX app attach is now generally available

MSIX app attach for Azure Virtual Desktop has now come out of preview and is available
to all users. Learn more about MSIX app attach at our TechCommunity announcement.

The macOS client now supports Apple Silicon and Big Sur
The macOS Azure Virtual Desktop client now supports Apple Silicon and Big Sur. The full
list of updates is available in What's new in the macOS client.

March 2021
Here's what changed in March 2021.

Updates to the Azure portal UI for Azure Virtual Desktop

We've made the following updates to Azure Virtual Desktop for the Azure portal:

We've enabled new availability options (availability set and zones) for the
workflows to create host pools and add VMs.
We've fixed an issue where a host with the "Needs assistance" status appeared as
unavailable. Now the host has a warning icon next to it.
We've enabled sorting for active sessions.
You can now send messages to or sign out specific users on the host details tab.
We've changed the maximum session limit field.
We've added an OU validation path to the workflow to create a host pool.
You can now use the latest version of the Windows 10 image when you create a
personal host pool.

Generation 2 images and Trusted Launch

The Azure Marketplace now has Generation 2 images for Windows 10 Enterprise and
Windows 10 Enterprise multi-session. These images enable you to use Trusted Launch
VMs. Learn more about Generation 2 VMs at Should I create a generation 1 or 2 virtual
machine. To learn how to provision Azure Virtual Desktop Trusted Launch VMs, see our
TechCommunity post.

FSLogix is now preinstalled on Windows 10 Enterprise multi-session images

Based on customer feedback, we've released a new version of the Windows 10
Enterprise multi-session image that has an unconfigured version of FSLogix already
installed. We hope this makes your Azure Virtual Desktop deployment easier.

Azure Virtual Desktop Insights is now in General Availability

Azure Virtual Desktop Insights is now generally available to the public. This feature is an
automated service that monitors your deployments and lets you view events, health,
and troubleshooting suggestions in a single place. For more information, see our
documentation or check out our TechCommunity post.

March 2021 updates for Teams on Azure Virtual Desktop

We've made the following updates for Teams on Azure Virtual Desktop:

We've improved video quality performance on calls and 2x2 mode.
We've reduced CPU utilization by 5-10% (depending on CPU generation) by using
hardware offload of video processing (XVP).
Older machines can now use XVP and hardware decoding to display more
incoming video streams smoothly in 2x2 mode.
We've updated the WebRTC stack from M74 to M88 for better AV sync
performance and fewer transient issues.
We've replaced our software H264 encoder with OpenH264 (OSS used in Teams on
the web), which increased the video quality of the outgoing camera.
We enabled 2x2 mode for Teams Server for the general public on March 30. 2x2
mode shows up to four incoming video streams at the same time.

Start VM on Connect preview

The new host pool setting, Start VM on Connect, is now available in preview. This setting
lets you turn on your VMs whenever you need them. If you want to save costs, you need
to deallocate your VMs by configuring your Azure Compute settings. For more
information, check out our blog post and our documentation.

Azure Virtual Desktop Specialty certification

We've released a beta version of the AZ-140 exam that will let you prove your expertise
in Azure Virtual Desktop in Azure. To learn more, check out our TechCommunity post.

February 2021
Here's what changed in February 2021.

Portal experience
We've improved the Azure portal experience in the following ways:

Bulk drain mode on hosts in the session host grid tab.
MSIX app attach is now available for preview.
Fixed host pool overview info for dark mode.

EU metadata storage now in preview

We're now hosting a preview of the Europe (EU) geography as a storage option for
service metadata in Azure Virtual Desktop. Customers can choose between West or
North Europe when they create their service objects. The service objects and metadata
for the host pools will be stored in the Azure geography associated with each region. To
learn more, read our blog post announcing the preview.

Teams on Azure Virtual Desktop plugin updates

We've improved video call quality on the Azure Virtual Desktop plugin by addressing
the most commonly reported issues, such as when the screen would suddenly go dark
or the video and sound desynchronized. These improvements should increase the
performance of single-video view with active speaker switching. We also fixed an issue
where hardware devices with special characters weren't available in Teams.

January 2021
Here's what changed in January 2021:

New Azure Virtual Desktop offer

New customers save 30 percent on Azure Virtual Desktop computing costs for D-series
and Bs-series virtual machines for up to 90 days when using the native Microsoft
solution. You can redeem this offer in the Azure portal before March 31, 2021. Learn
more at our Azure Virtual Desktop offer page.

networkSecurityGroupRules value change

In the Azure Resource Manager nested template, we changed the default value for
networkSecurityGroupRules from an object to an array. This prevents errors if you use
managedDisks-customimagevm.json without specifying a value for
networkSecurityGroupRules. This wasn't a breaking change and is backward compatible.

FSLogix hotfix update

We've released FSLogix, version 2009 HF_01 (2.9.7654.46150) to solve issues in the
previous release (2.9.7621.30127). We recommend you stop using the previous version
and update FSLogix as soon as possible.

For more information, see the release notes in What's new in FSLogix.

Azure portal experience improvements

We've made the following improvements to the Azure portal experience:

You can now add local VM admin credentials directly instead of having to add a
local account created with the Active Directory domain join account credentials.
Users can now list both individual and group assignments in separate tabs for
individual users and groups.
The version number of the Azure Virtual Desktop Agent is now visible in the Virtual
Machine overview for host pools.
Added bulk delete for host pools and application groups.
You can now enable or disable drain mode for multiple session hosts in a host
pool.
Removed the public IP field from the VM details page.

Azure Virtual Desktop Agent troubleshooting

We recently set up the Azure Virtual Desktop Agent troubleshooting guide to help
customers who have encountered common issues.

Microsoft Defender for Endpoint integration

Microsoft Defender for Endpoint integration is now generally available. This feature
gives your Azure Virtual Desktop VMs the same investigation experience as a local
Windows 10 machine. If you're using Windows 10 Enterprise multi-session, Microsoft
Defender for Endpoint supports up to 50 concurrent user connections, giving you the
cost savings of Windows 10 Enterprise multi-session and the confidence of Microsoft
Defender for Endpoint. For more information, check out our blog post.

Azure Security baseline for Azure Virtual Desktop

We've recently published an article about the Azure security baseline for Azure Virtual
Desktop that we'd like to call your attention to. These guidelines include information
about how to apply the Microsoft cloud security benchmark to Azure Virtual Desktop.
The Microsoft cloud security benchmark describes the settings and practices we
recommend you use to secure your cloud solutions on Azure.

December 2020
Here's what changed in December 2020:

Azure Virtual Desktop Insights

The preview for Azure Virtual Desktop Insights is now available. This new feature
includes a robust dashboard built on top of Azure Monitor Workbooks to help IT
professionals understand their Azure Virtual Desktop environments. Check out the
announcement on our blog for more details.

Azure Resource Manager template change

In the latest update, we've removed all public IP address parameters from the Azure
Resource Manager template for creating and provisioning host pools. We highly
recommend you avoid using public IPs for Azure Virtual Desktop to keep your
deployment secure. If your deployment relied on public IPs, you need to reconfigure it
to use private IPs instead, otherwise your deployment won't work properly.

MSIX app attach preview

MSIX app attach is another service that began its preview this month. MSIX app attach is
a service that dynamically presents MSIX applications to your Azure Virtual Desktop
Session host VMs. Check out the announcement on our blog for more details.

Screen capture protection

This month also marked the beginning of the preview for screen capture protection. You
can use this feature to prevent sensitive information from being captured on the client
endpoints. Give screen capture protection a try by going to this page.

Built-in roles
We've added new built-in roles for Azure Virtual Desktop for admin permissions. For
more information, see Built-in roles for Azure Virtual Desktop.

Application group limit increase

We've increased the default application group limit per Azure Active Directory tenant to
200 groups.

November 2020

Azure portal experience

We've fixed two bugs in the Azure portal user experience:

The Desktop application friendly name is no longer overwritten on the "Add VM"
workflow.
The session host tab will now load if session hosts are part of scale sets.

FSLogix client, version 2009

We've released a new version of the FSLogix client with many fixes and improvements.
Learn more at our blog post.

RDP Shortpath preview

RDP Shortpath introduces direct connectivity to your Azure Virtual Desktop session host
using point-to-site and site-to-site VPNs and ExpressRoute. It also introduces the URCP
transport protocol. RDP Shortpath is designed to reduce latency and network hops in
order to improve user experience. Learn more at Azure Virtual Desktop RDP Shortpath.

Az.DesktopVirtualization, version 2.0.1

We've released version 2.0.1 of the Azure Virtual Desktop cmdlets. This update includes
cmdlets that let you manage MSIX App Attach. You can download the new version at
the PowerShell gallery.

Azure Advisor updates

Azure Advisor now has a new recommendation for proximity guidance in Azure Virtual
Desktop, and a new recommendation for optimizing performance in depth-first load
balanced host pools. Learn more at the Azure website.

October 2020
Here's what changed in October 2020:

Improved performance
We've optimized performance by reducing connection latency in the following Azure
geographies:

Switzerland
Canada

Azure Government Cloud availability

The Azure Government Cloud is now generally available. Learn more at our blog post.

Azure Virtual Desktop Azure portal updates

We've made some updates to the Azure Virtual Desktop Azure portal:

Fixed a resourceID error that prevented users from opening the "Sessions" tab.
Streamlined the UI on the "Session hosts" tab.
Fixed the "Defaults," "Usability," and "Restore defaults" settings under RDP
properties.
Made "Remove" and "Delete" functions consistent across all tabs.
The portal now validates app names in the "Add an app" workflow.
Fixed an issue where the session host export data wasn't aligned in the columns.
Fixed an issue where the portal couldn't retrieve user sessions.
Fixed an issue in session host retrieval that happened when the virtual machine
was created in a different resource group.
Updated the "Session host" tab to list both active and disconnected sessions.
The "Applications" tab now has pages.
Fixed an issue where the "requires command line" text didn't display correctly in
the "Application list" tab.
Fixed an issue when the portal couldn't deploy host pools or virtual machines while
using the German-language version of the Shared Image Gallery.

September 2020
Here's what changed in September 2020:

We've optimized performance by reducing connection latency in the following
Azure geographies:
Germany
South Africa (for validation environments only)

We released version 1.2.1364 of the Windows Desktop client for Azure Virtual
Desktop. In this update, we made the following changes:
Fixed an issue where single sign-on (SSO) didn't work on Windows 7.
Fixed an issue that caused the client to disconnect when a user who enabled
media optimization for Teams tried to call or join a Teams meeting while
another app had an audio stream open in exclusive mode.
Fixed an issue where Teams didn't enumerate audio or video devices when
media optimization for Teams was enabled.
Added a "Need help with settings?" link to the desktop settings page.
Fixed an issue with the "Subscribe" button that happened when using high-
contrast dark themes.

Thanks to the tremendous help from our users, we've fixed two critical issues for
the Microsoft Store Remote Desktop client. We continue to review feedback and fix
issues as we broaden our phased release of the client to more users worldwide.

We've added a new feature that lets you change VM location, image, resource
group, prefix name, network config as part of the workflow for adding a VM to
your deployment in the Azure portal.

IT Pros can now manage hybrid Azure Active Directory-joined Windows 10
Enterprise VMs using Microsoft Intune. To learn more, see our blog post.

August 2020
Here's what changed in August 2020:

We've improved performance to reduce connection latency in the following Azure
regions:
United Kingdom
France
Norway
South Korea

The Microsoft Store Remote Desktop Client is now generally available. This version
of the Microsoft Store Remote Desktop Client is compatible with Azure Virtual
Desktop. We've also introduced refreshed UI flows for improved user experiences.
This update includes fluent design, light and dark modes, and many other exciting
changes. We've also rewritten the client to use the same underlying remote
desktop protocol (RDP) engine as the iOS, macOS, and Android clients. This lets us
deliver new features at a faster rate across all platforms. Download the client.

We fixed an issue in the Teams Desktop client (version 1.3.00.21759) where the
client only showed the UTC time zone in the chat, channels, and calendar. The
updated client now shows the remote session's time zone instead.

Azure Advisor is now a part of Azure Virtual Desktop. When you access Azure
Virtual Desktop through the Azure portal, you can see recommendations for
optimizing your Azure Virtual Desktop environment. Learn more at Introduction to
Azure Advisor.

Azure CLI now supports Azure Virtual Desktop (az desktopvirtualization) to help
you automate your Azure Virtual Desktop deployments. Check out
desktopvirtualization for a list of extension commands.

We've updated our deployment templates to make them fully compatible with the
Azure Virtual Desktop Azure Resource Manager interfaces. You can find the
templates on GitHub.

The Azure Virtual Desktop US Gov portal is now in preview. To learn more, see our
announcement.

July 2020
July was when Azure Virtual Desktop with Azure Resource Management integration
became generally available.

Here's what changed with this new release:

The "Fall 2019 release" is now known as "Azure Virtual Desktop (classic)," while the
"Spring 2020 release" is now just "Azure Virtual Desktop." For more information,
check out this blog post.

To learn more about new features, check out this blog post.

Autoscaling tool update

The latest version of the autoscaling tool that was in preview is now generally available.
This tool uses an Azure Automation account and the Azure Logic App to automatically
shut down and restart session host VMs within a host pool, reducing infrastructure
costs. Learn more at Scale session hosts using Azure Automation.

Azure portal
You can now do the following things with the Azure portal in Azure Virtual Desktop:

Directly assign users to personal desktop session hosts
Change the validation environment setting for host pools

Diagnostics
We've released some new prebuilt queries for the Log Analytics workspace. To access
the queries, go to Logs and under Category, select Azure Virtual Desktop. Learn more
at Use Log Analytics for the diagnostics feature.

Update for Remote Desktop client for Android

The Remote Desktop client for Android now supports Azure Virtual Desktop
connections. Starting with version 10.0.7, the Android client features a new UI for
improved user experience. The client also integrates with Microsoft Authenticator on
Android devices to enable conditional access when subscribing to Azure Virtual Desktop
workspaces.

The previous version of Remote Desktop client is now called "Remote Desktop 8." Any
existing connections you have in the earlier version of the client will be transferred
seamlessly to the new client. The new client has been rewritten to use the same underlying
RDP core engine as the iOS and macOS clients, which allows faster release of new features
across all platforms.

Teams update
We've made improvements to Microsoft Teams for Azure Virtual Desktop. Most
importantly, Azure Virtual Desktop now supports audio and video optimization for the
Windows Desktop client. Redirection improves latency by creating direct paths between
users when they use audio or video in calls and meetings. Less distance means fewer
hops, which makes calls look and sound smoother. Learn more at Use Teams on Azure
Virtual Desktop.

June 2020
Last month, we introduced Azure Virtual Desktop with Azure Resource Manager
integration in preview. This update has lots of exciting new features we'd love to tell you
about. Here's what's new for this version of Azure Virtual Desktop.

Azure Virtual Desktop is now integrated with Azure Resource Manager

Azure Virtual Desktop is now integrated into Azure Resource Manager. In the latest
update, all Azure Virtual Desktop objects are now Azure Resource Manager resources.
This update is also integrated with Azure role-based access control (Azure RBAC). See
What is Azure Resource Manager? to learn more.

Here's what this change does for you:

Azure Virtual Desktop is now integrated with the Azure portal. This means you can
manage everything directly in the portal, no PowerShell, web apps, or third-party
tools required. To get started, check out our tutorial at Create a host pool with the
Azure portal.

Before this update, you could only publish desktops and applications to individual
users. With Azure Resource Manager, you can now publish resources to Azure
Active Directory groups.

The earlier version of Azure Virtual Desktop had four built-in admin roles that you
could assign to a tenant or host pool. These roles are now in Azure role-based
access control (Azure RBAC). You can apply these roles to every Azure Virtual
Desktop Azure Resource Manager object, which lets you have a full, rich delegation
model.

In this update, you no longer need to run Azure Marketplace or the GitHub
template repeatedly to expand a host pool. All you need to expand a host pool is
to go to your host pool in the Azure portal and select + Add to deploy additional
session hosts.

Host pool deployment is now fully integrated with the Azure Shared Image Gallery.
Shared Image Gallery is a separate Azure service that stores VM image definitions,
including image versioning. You can also use global replication to copy and send
your images to other Azure regions for local deployment.

Monitoring functions that used to be done through PowerShell or the Diagnostics
Service web app have now moved to Log Analytics in the Azure portal. You also
now have two options to visualize your reports. You can run Kusto queries and use
Workbooks to create visual reports.

You're no longer required to complete Azure Active Directory consent to use Azure
Virtual Desktop. In this update, the Azure Active Directory tenant on your Azure
subscription authenticates your users and provides Azure RBAC controls for your
admins.

PowerShell support
We've added new AzWvd cmdlets to the Azure Az PowerShell module with this update.
This new module is supported in PowerShell Core, which runs on .NET Core.

To install the module, follow the instructions in Set up the PowerShell module for Azure
Virtual Desktop.

You can also see a list of available commands at the AzWvd PowerShell reference.

For more information about the new features, check out our blog post.

Additional gateways
We've added a new gateway cluster in South Africa to reduce connection latency.

Microsoft Teams on Azure Virtual Desktop (Preview)

We've made some improvements to Microsoft Teams for Azure Virtual Desktop. Most
importantly, Azure Virtual Desktop now supports audio and visual redirection for calls.
Redirection improves latency by creating direct paths between users when they call
using audio or video. Less distance means fewer hops, which makes calls look and
sound smoother.

To learn more, see our blog post.

What's new in the Azure Virtual Desktop Agent?
Article • 10/18/2024

The Azure Virtual Desktop agent links your session hosts with the Azure Virtual Desktop
service. It acts as the intermediate communicator between the service and the virtual
machines, enabling connectivity.

The Azure Virtual Desktop Agent is updated regularly. New versions of the Azure Virtual
Desktop Agent are installed automatically. When new versions are released, they're
rolled out progressively to session hosts. This process is called flighting and it enables
Microsoft to monitor the rollout in validation environments first.

A rollout might take several weeks before the agent is available in all environments.
Some agent versions might not reach nonvalidation environments, so you might see
multiple versions of the agent deployed across your environments. The Azure Virtual
Desktop Agent updates regularly. This article is where you'll find out about:

The latest updates
New features
Improvements to existing features
Bug fixes

Make sure to check back here often to keep up with new updates.

Latest available versions

Here's information about the Azure Virtual Desktop Agent.

Release       Latest version
Production    1.0.9742.2500
Validation    1.0.9103.2900

Tip

The Azure Virtual Desktop Agent is automatically installed when adding session
hosts in most scenarios. If you need to install the agent manually, you can
download it at Register session hosts to a host pool, together with the steps to
install it.
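Because new agent builds are flighted, hosts in one deployment can legitimately run different versions for a while. The following PowerShell is an added example, not part of the Azure Virtual Desktop documentation: run on a session host, it reads the installed agent version from the host's uninstall registry keys and compares it with the production version in the table above. It assumes the agent MSI registers in Add/Remove Programs as "Remote Desktop Services Infrastructure Agent" and that its bootloader runs as the Windows service RDAgentBootLoader; both names are assumptions about how the agent registers itself, not values taken from this page.

```powershell
# Added example (not from the Azure Virtual Desktop docs): report the agent version
# installed on this session host and compare it with the production version listed
# in the "Latest available versions" table on this page.
#
# Assumptions not stated on the page: the agent appears in Add/Remove Programs as
# "Remote Desktop Services Infrastructure Agent", and its bootloader runs as the
# Windows service "RDAgentBootLoader". Adjust the parameters if your hosts differ.
param(
    [version]$ProductionVersion = '1.0.9742.2500',  # value from the table on this page
    [string]$AgentDisplayName   = 'Remote Desktop Services Infrastructure Agent',
    [string]$BootLoaderService  = 'RDAgentBootLoader'
)

function Get-AvdAgentInstalls {
    # Agent updates install side by side, so several entries may exist; return all of them
    # from both the 64-bit and the 32-bit (WOW6432Node) uninstall hives.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like "$AgentDisplayName*" -and $_.DisplayVersion } |
        ForEach-Object {
            [pscustomobject]@{
                DisplayName = $_.DisplayName
                Version     = [version]$_.DisplayVersion
                InstallDate = $_.InstallDate   # yyyyMMdd string written by the MSI engine
            }
        }
}

function Get-AvdAgentRolloutState {
    param([Parameter(Mandatory)][version]$Installed)
    # A host may be behind the published production version (rollout still in progress)
    # or ahead of it (validation host pool); name those states instead of "mismatch".
    if ($Installed -eq $ProductionVersion) { return 'current' }
    if ($Installed -gt $ProductionVersion) { return 'ahead-of-production (flighted build)' }
    return 'behind-production (rollout in progress or host not yet updated)'
}

function Get-AvdAgentReport {
    $installs   = @(Get-AvdAgentInstalls | Sort-Object Version -Descending)
    $service    = Get-Service -Name $BootLoaderService -ErrorAction SilentlyContinue
    $bootStatus = if ($service) { [string]$service.Status } else { 'service-not-found' }

    if ($installs.Count -eq 0) {
        return [pscustomobject]@{
            ComputerName      = $env:COMPUTERNAME
            InstalledVersion  = $null
            ProductionVersion = $ProductionVersion
            RolloutState      = 'agent-not-found'
            BootLoaderStatus  = $bootStatus
        }
    }

    # The newest side-by-side entry is the one the bootloader runs.
    $newest = $installs[0]
    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        InstalledVersion  = $newest.Version
        InstallDate       = $newest.InstallDate
        ProductionVersion = $ProductionVersion
        RolloutState      = Get-AvdAgentRolloutState -Installed $newest.Version
        SideBySideCount   = $installs.Count
        BootLoaderStatus  = $bootStatus
    }
}

Get-AvdAgentReport | Format-List
```

Run it on each session host (or through a remoting session) and collect the RolloutState field; a host that stays behind-production for weeks after the table updates is worth checking against the troubleshooting guide referenced in this article.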

Version 1.0.9742.2500
Published: October 2024

In this update, we've made the following changes:

Fixed an issue relating to app attach expansion from the portal.
General improvements and bug fixes.

Version 1.0.9103.3800
Published: June 2024

In this update, we've made the following changes:

General improvements and bug fixes.

Version 1.0.9103.3700
Published: June 2024

In this update, we've made the following changes:

General improvements and bug fixes.

Version 1.0.9103.2900 (validation)
Published: June 2024

In this update, we've made the following changes:

General improvements and bug fixes.

Version 1.0.9103.2300
Published: June 2024

In this update, we've made the following changes:

General improvements and bug fixes.

Version 1.0.9103.1000
Published: May 2024

In this update, we've made the following changes:

General improvements and bug fixes.

Version 1.0.8804.1400
Published: April 2024

In this update, we've made the following changes:

Fixed the logic to display deprecated client message.

Enable customers to change relative path while leaving image path the same.

Update app attach packages to fetch and store timestamp info from certificate.

Version 1.0.8431.2300
Published: April 2024

In this update, we've made the following changes:

Fixed an issue with App Attach diagnostics that caused the agent to always report
timeout exceptions. Now the agent only reports timeout exceptions to diagnostics
when app attach registration is unsuccessful.

General improvements and bug fixes.

Version 1.0.8431.1500
Published: March 2024

In this update, we've made the following changes:

General improvements and bug fixes.

Version 1.0.8297.800
Published: February 2024

In this update, we've made the following changes:

General improvements and bug fixes.

Version 1.0.8297.400
Published: January 2024

In this update, we've made the following changes:

General improvements and bug fixes.

Version 1.0.7909.2600
Published: December 2023

In this update, we've made the following changes:

Windows 7 session hosts no longer receive side-by-side stack updates.

General improvements and bug fixes.

Version 1.0.7909.1200
Published: November 2023

In this release, we've made the following change:

General improvements and bug fixes.

Version 1.0.7755.1800
Published: November 2023

In this release, we've made the following change:

General improvements and bug fixes.

Version 1.0.7755.1100
Published: September 2023

In this release, we've made the following change:

Security improvements and bug fixes.

Version 1.0.7539.8300
Published: September 2023

In this release, we've made the following change:

Security improvements and bug fixes.

Version 1.0.7539.5800
Published: September 2023

In this release, we've made the following change:

Security improvements and bug fixes.

Version 1.0.7255.1400
Published: August 2023

In this release, we've made the following change:

Security improvements and bug fixes.

Version 1.0.7255.800
Published: July 2023

In this release, we've made the following changes:

Fixed an issue that would disable the Traversal Using Relay NAT (TURN) health
check when a user disabled the Unified Datagram Protocol (UDP).
Security improvements and bug fixes.

Version 1.0.7033.1401
Published: July 2023

In this release, we've made the following change:

Security improvements and bug fixes.

Version 1.0.6713.1603
Published: July 2023

In this release, we've made the following change:

Security improvements and bug fixes.

Version 1.0.7033.900
Published: July 2023

In this release, we've made the following change:

General improvements and bug fixes.

Version 1.0.6713.1300/1.0.6713.1600
Published: June 2023

In this release, we've made the following change:

General improvements and bug fixes.

Version 1.0.6713.400
Published: May 2023

In this release, we've made the following changes:

Fixed an issue that made the Remote Desktop Agent incorrectly report Hybrid
Azure Active Directory (AD) Join virtual machines (VMs) as domain-joined.
General improvements and bug fixes.

Version 1.0.6425.1200
Published: May 2023

In this release, we've made the following change:

General improvements and bug fixes.

Version 1.0.6425.300
Published: April 2023

In this release, we've made the following change:

General improvements and bug fixes.

Version 1.0.6298.2100
Published: March 2023

In this release, we've made the following changes:

Health check reliability improved.
Reliability issues in agent upgrade fixed.
VM will be marked unhealthy when the health check detects that a required URL is
blocked.

Version 1.0.6129.9100
Published: March 2023

In this release, we've made the following change:

General improvements and bug fixes.

Version 1.0.6028.2200
Published: February 2023

In this release, we've made the following changes:

Domain Trust health check is now enabled. When virtual machines fail the Domain
Trust health check, they're now given the Unavailable status.
General improvements and bug fixes.

Version 1.0.5739.9000/1.0.5739.9800
Published: January 2023

Note

You may see version 1.0.5739.9000 or 1.0.5739.9800 installed on session hosts
depending on whether the host pool is configured to be a validation environment.
Version 1.0.5739.9000 was released to validation environments and version
1.0.5739.9800 was released to all other environments.

Normally, all environments receive the same version. However, for this release, we
had to adjust certain parameters unrelated to the Agent to allow this version to roll
out to non-validation environments, which is why the non-validation version
number is higher than the validation version number. Besides those changes, both
versions are the same.

In this release, we've made the following changes:

Added the RDGateway URL to URL Access Check.
Introduced RD Agent provisioning state for new installations.
Fixed error reporting in MSIX App Attach for apps with expired signatures.

Version 1.0.5555.1010
Published: December 2022

This release didn't include any major changes to the agent.

Version 1.0.5555.1008
Published: November 2022

In this release, we've made the following changes:

Increased sensitivity of AppAttachRegister monitor for improved results.
Fixed an error that slowed down Geneva Agent installation.
Version updates for Include Stack.
General improvements and bug fixes.

Version 1.0.5388.1701
Published: August 2022

In this release, we've made the following changes:

Fixed a bug that prevented the Agent MSI from downloading on the first try.
Modified app attach on-demand registration.
Enhanced the AgentUpdateTelemetry parameter to help with StackFlighting data.
Removed unnecessary WebRTC health check.
Fixed an issue with the RDAgentMetadata parameter.

Version 1.0.5100.1100
Published: August 2022

In this release, we've made the following changes:

Agent first-party extensions architecture completed.
Fixed Teams error related to Azure Virtual Desktop telemetry.
RDAgentBootloader - revision update to 1.0.4.0.
SessionHostHealthCheckReport is now centralized in a NuGet package to be
shared with first-party Teams.
Fixes to AppAttach.

Version 1.0.4739.1000
Published: July 2022

In this release, we've made the following changes:

Report session load to Log Analytics for admins to get information on when
MaxSessionLimit is reached.
Adding AADTenant ID claim to the registration token.
Report closing errors to diagnostics explicitly.

Version 1.0.4574.1600
Published: June 2022

In this release, we've made the following changes:

Fixed broker URL cache to address Agent Telemetry calls.
Fixed some network-related issues.
Created two new mechanisms to trigger health checks.
Other general bug fixes and agent upgrades.

Version 1.0.4230.1600
Published: March 2022

In this release, we've made the following changes:

Fixes an issue with the agent health check result being empty for the first agent
heartbeat.
Added Azure VM ID to the WVDAgentHealthStatus Log Analytics table.
Updated the agent's update logic to install the Geneva Monitoring agent sooner.

Version 1.0.4119.1500
Published: February 2022

In this release, we've made the following changes:

Fixes an issue with arithmetic overflow casting exceptions.
Updated the agent to now start the Azure Instance Metadata Service (IMDS) when
the agent starts.
Fixes an issue that caused Sandero named pipe service startups to be slow when
the VM has no registration information.
General bug fixes and agent improvements.

Version 1.0.4009.1500
Published: January 2022

In this release, we've made the following changes:

Added logging to better capture agent update telemetry.
Updated the agent's Azure Instance Metadata Service health check to be Azure
Stack HCI-friendly.

Version 1.0.3855.1400
Published: December 2021

In this release, we've made the following changes:

Fixes an issue that caused an unhandled exception.
This version now supports Azure Stack HCI by retrieving VM metadata from the
Azure Arc service.
This version now allows built-in stacks to be automatically updated if their version
number is beneath a certain threshold.
The UrlsAccessibleCheck health check now only gets the URL until the path
delimiter to prevent 404 errors.

Version 1.0.3719.1700
Published: November 2021

In this release, we've made the following changes:

Updated agent error messages.
Fixes an issue with the agent restarting every time the side-by-side stack was
updated.
General agent improvements.

Version 1.0.3583.2600
Published: October 2021

In this release, we've made the following change:

Fixed an issue where upgrading from Windows 10 to Windows 11 disabled the
side-by-side stack.

Version 1.0.3373.2605
Published: September 2021

In this release, we've made the following change:

Fixed an issue with package deregistration getting stuck when using MSIX App
Attach.

Version 1.0.3373.2600
Published: September 2021

In this release, we've made the following changes:

General agent improvements.
Fixes issues with restarting the agent on Windows 7 VMs.
Fixes an issue with fields in the WVDAgentHealthStatus table not showing up
correctly.

Version 1.0.3130.2900
Published: July 2021

In this release, we've made the following changes:

General improvements and bug fixes.
Fixes an issue with getting the host pool path for Intune registration.
Added logging to better diagnose agent issues.
Fixes an issue with orchestration timeouts.

Version 1.0.3050.2500
Published: July 2021

In this release, we've made the following changes:

Updated internal monitors for agent health.
Updated retry logic for stack health.

Version 1.0.2990.1500
Published: April 2021

In this release, we've made the following changes:

Updated agent error messages.
Added an exception that prevents you from installing non-Windows 7 agents on
Windows 7 VMs.
Updated heartbeat service logic.

Version 1.0.2944.1400
Published: April 2021

In this release, we've made the following changes:

Placed links to the Azure Virtual Desktop Agent troubleshooting guide in the event
viewer logs for agent errors.
Added an additional exception for better error handling.
Added the WVDAgentUrlTool.exe that allows customers to check which required
URLs they can access.

Version 1.0.2866.1500
Published: March 2021

In this release, we've made the following change:

Fixed an issue with the stack health check.

Version 1.0.2800.2802
Published: March 2021

In this release, we've made the following change:

General improvements and bug fixes.

Version 1.0.2800.2800
Published: March 2021

In this release, we've made the following change:

Fixed a reverse connection issue.

Version 1.0.2800.2700
Published: February 2021

In this release, we've made the following change:

Fixed an access denied orchestration issue.


What's new in the Azure Virtual Desktop
SxS Network Stack?
Article • 11/27/2024

The Azure Virtual Desktop agent links your session hosts with the Azure Virtual Desktop
service. It also includes a component called the SxS Network Stack. The Azure Virtual
Desktop agent acts as the intermediate communicator between the service and the
virtual machines, enabling connectivity. The SxS Network Stack component is required
for users to securely establish reverse server-to-client connections.

The Azure Virtual Desktop SxS Network Stack is updated regularly. New versions of the
Azure Virtual Desktop SxS Network Stack are installed automatically. When new versions
are released, they're rolled out progressively to session hosts. This process is called
flighting and it enables Microsoft to monitor the rollout in validation environments first.

A rollout might take several weeks before the agent is available in all environments.
Some agent versions might not reach nonvalidation environments, so you might see
multiple versions of the agent deployed across your environments.

This article is where you'll find out about:

The latest updates
New features
Improvements to existing features
Bug fixes

Make sure to check back here often to keep up with new updates.

Latest available versions

Here's information about the SxS Network Stack.

Release       Latest version
Production    1.0.2407.05700

Version 1.0.2407.05700
Published: September 2024

In this release, we've made the following changes:

Support for the preview of graphics encoding with HEVC/H.265.
Addressed an issue when using a RemoteApp that could cause the text highlight
color in the File Explorer's address bar to appear incorrectly.

Version 1.0.2404.16760
Published: July 2024

In this release, we've made the following changes:

General improvements and bug fixes mainly around rdpshell and RemoteApp.

Version 1.0.2402.09880
Published: July 2024

In this release, we've made the following changes:

General improvements and bug fixes mainly around rdpshell and RemoteApp.
The default chroma value has been changed from 4:4:4 to 4:2:0.
Reduce chance of progressive update blocking real updates from driver.
Improve user experience when bad credentials are saved.
Improve session switching to avoid hangs.
Update Intune version numbers for the granular clipboard feature.
Bug fixes for RemoteApp V2 decoder.
Bug fixes for RemoteApp.
Fix issue with caps lock state when using the on-screen keyboard.


What's new in documentation for Azure
Virtual Desktop
Article • 11/04/2024

We update documentation for Azure Virtual Desktop regularly. In this article, we
highlight articles for new features and where there are significant updates to existing
articles. To learn what's new in the service, see What's new for Azure Virtual Desktop.

October 2024
In October 2024, we made the following changes to the documentation:

Published a new article where you can learn about Graphics encoding over the
Remote Desktop Protocol.

Rewrote Multimedia redirection for video playback and calls and added a new
article for Developer integration with multimedia redirection for WebRTC-based
calling apps.

Published a set of new articles for host pools using the session host configuration
management approach and session host update:
Host pool management approaches.
Session host update.
Update session hosts using session host update.
Example diagnostic queries for session host update.
Troubleshoot session host update.

Updated Deploy Azure Virtual Desktop and Add session hosts to a host pool to
include the session host configuration management approach.

Consolidated Remote Desktop client articles per platform into a single article with
a tab per platform and separated legacy Windows clients to their own article.

Reorganized the table of contents into a new structure, changing the way articles
are grouped and displayed. The new structure is designed to make it easier to find
the information you need in the different stages of your journey with Azure Virtual
Desktop.

September 2024
In September 2024, we made the following changes to the documentation:

Updated Enable GPU acceleration for Azure Virtual Desktop for the support of the
High Efficiency Video Coding (HEVC), also known as H.265, which is in preview.

Updated Use Microsoft OneDrive with a RemoteApp, which is generally available.

Published a new article where you can learn What's new in the Azure Virtual
Desktop SxS Network Stack.

August 2024
In August 2024, we made the following changes to the documentation:

Published a new set of documentation to learn about peripheral and resource
redirection and how to configure different classes of redirection:
Peripheral and resource redirection over the Remote Desktop Protocol
Configure audio and video redirection over the Remote Desktop Protocol.
Configure camera, webcam, and video capture redirection over the Remote
Desktop Protocol.
Configure clipboard redirection over the Remote Desktop Protocol.
Configure fixed, removable, and network drive redirection over the Remote
Desktop Protocol.
Configure location redirection over the Remote Desktop Protocol.
Configure Media Transfer Protocol and Picture Transfer Protocol redirection on
Windows over the Remote Desktop Protocol.
Configure printer redirection over the Remote Desktop Protocol.
Configure serial or COM port redirection over the Remote Desktop Protocol.
Configure smart card redirection over the Remote Desktop Protocol.
Configure USB redirection on Windows over the Remote Desktop Protocol.
Configure WebAuthn redirection over the Remote Desktop Protocol.

Updated Set custom Remote Desktop Protocol (RDP) properties on a host pool in
Azure Virtual Desktop to include rewritten steps for Azure PowerShell and added
steps for Azure CLI.

Updated Use Microsoft Teams on Azure Virtual Desktop to include information on
how to publish new Teams as a RemoteApp.

Published a new article for Azure Virtual Desktop on Azure Extended Zones.

Published a new article to Configure the session lock behavior for Azure Virtual
Desktop and updated Configure single sign-on for Azure Virtual Desktop using
Microsoft Entra ID to include the relevant information.

Published a new article to Onboard Azure Virtual Desktop session hosts to forensic
evidence from Microsoft Purview Insider Risk Management.

Updated Configure the clipboard transfer direction and data types that can be
copied in Azure Virtual Desktop to include the steps for using the Microsoft Intune
settings catalog.

July 2024
In July 2024, there were no significant changes to the documentation.

June 2024
In June 2024, we made the following changes to the documentation:

Published a new article to Configure the default chroma value.

Published two new articles about the Preferred application group type behavior for
pooled host pools and how to Set the preferred application group type for a
pooled host pool.

Added information about TLS 1.3 support in Understanding Azure Virtual Desktop
network connectivity.

Updated Use Microsoft Teams on Azure Virtual Desktop to include New Teams
SlimCore changes.

Added a section to Use cases for Azure Virtual Desktop Insights for how you can
view connection reliability information.

Rewrote Configure RDP Shortpath to include host pool settings and a better flow.

Rewrote Compare Remote Desktop app features across platforms and devices to
include more comprehensive information. This article is shared for Azure Virtual
Desktop, Windows 365, Microsoft Dev Box, Remote Desktop Services, and remote
PC connections.

Combined host pool load balancing information to the single article Configure
host pool load balancing and added Azure CLI steps.

Consolidated information on Azure Virtual Desktop business continuity and
disaster recovery concepts in the product documentation, and now point to the
more comprehensive information for Azure Virtual Desktop in the Cloud Adoption
Framework and the Azure Architecture Center.

May 2024
In May 2024, we made the following changes to the documentation:

Published a new article to Configure client device redirection settings for Windows
App and the Remote Desktop app using Microsoft Intune.

Updated the branding of the Getting started feature to Quickstart to match the
Azure portal.

Added the steps to Set up Start VM on Connect using Azure CLI.

April 2024
In April 2024, we made the following changes to the documentation:

Published a new article to Monitor Autoscale operations with Insights in Azure
Virtual Desktop. Integrated with Insights in Azure Virtual Desktop, Autoscale
diagnostic data enables you to monitor scaling operations, identify issues that
need to be fixed, and recognize opportunities to optimize your scaling plan
configuration to save costs.

Updated Azure Virtual Desktop Insights glossary to include a list of gateway region
codes used in Azure Virtual Desktop Insights and the Azure regions they
correspond to.

Updated Watermarking to include the updated policy settings and add steps for
configuring watermarking using Microsoft Intune.

March 2024
In March 2024, we made the following changes to the documentation:

Published a new article to Configure the clipboard transfer direction and types of
data that can be copied between a local device and a remote session.

Published a new article to Migrate MSIX packages from MSIX app attach to app
attach.

Updated Eligible licenses to use Azure Virtual Desktop to include Windows Server
2022 RDS Subscriber Access License (SAL).

February 2024
In February 2024, we made the following changes to the documentation:

Added guidance for MSIX and Appx package certificates when using MSIX app
attach or app attach. For more information, see MSIX app attach and app attach in
Azure Virtual Desktop.

Consolidated articles for the three Remote Desktop clients available for Windows
into a single article, Connect to Azure Virtual Desktop with the Remote Desktop
client for Windows.

Added Azure CLI guidance to Configure personal desktop assignment.

Updated Drain session hosts for maintenance in Azure Virtual Desktop, including
prerequisites and separating the Azure portal and Azure PowerShell steps into
tabs.

Updated Customize the feed for Azure Virtual Desktop users, including
prerequisite, Azure PowerShell steps, and separating the Azure portal and Azure
PowerShell steps into tabs.

January 2024
In January 2024, we made the following changes to the documentation:

Consolidated articles to Create and assign an autoscale scaling plan for Azure
Virtual Desktop into a single article.

Added PowerShell commands to Create and assign an autoscale scaling plan for
Azure Virtual Desktop.

Removed the separate documentation section for RemoteApp streaming and
combined it with the main Azure Virtual Desktop documentation. Some articles
that were previously only in the RemoteApp section are now discoverable in the
main Azure Virtual Desktop documentation, such as Understand and estimate
costs for Azure Virtual Desktop and Licensing Azure Virtual Desktop.

December 2023
In December 2023, we made the following changes to the documentation:

Published new content for the preview of app attach, which is now available
alongside MSIX app attach. App attach brings many benefits over MSIX app attach,
including assigning applications per user, using the same application package
across multiple host pools, upgrading applications, and being able to run two
versions of the same application concurrently on the same session host. For more
information, see MSIX app attach and app attach in Azure Virtual Desktop.

Updated the article Use Microsoft Teams on Azure Virtual Desktop to include
support for new Teams desktop client on your session hosts.

Updated the article Configure single sign-on for Azure Virtual Desktop using
Microsoft Entra ID authentication to include example PowerShell commands to
help configure single sign-on using Microsoft Entra ID authentication.

November 2023
In November 2023, we made the following changes to the documentation:

Updated articles for the general availability of autoscale for personal host pools.
We also added in support for hibernate (preview). For more information, see
Autoscale scaling plans and example scenarios in Azure Virtual Desktop.

Updated articles for the updated preview of Azure Virtual Desktop on Azure Stack
HCI. You can now deploy Azure Virtual Desktop with your session hosts on Azure
Stack HCI as an integrated experience with Azure Virtual Desktop in the Azure
portal. For more information, see Azure Virtual Desktop on Azure Stack HCI and
Deploy Azure Virtual Desktop.

Updated articles for the general availability of Single sign-on using Microsoft Entra
authentication and In-session passwordless authentication. For more information,
see Configure single sign-on for Azure Virtual Desktop using Microsoft Entra
authentication and In-session passwordless authentication.

Published a new set of documentation for Windows App (preview). You can use
Windows App to connect to Azure Virtual Desktop, Windows 365, Microsoft Dev
Box, Remote Desktop Services, and remote PCs, securely connecting you to
Windows devices and apps. For more information, see Windows App.

October 2023
In October 2023, we made the following changes to the documentation:

Published a new article about the service architecture for Azure Virtual Desktop
and how it provides a resilient, reliable, and secure service for organizations and
users. Most components are Microsoft-managed, but some are customer-
managed. You can learn more at Azure Virtual Desktop service architecture and
resilience.

Updated Connect to Azure Virtual Desktop with the Remote Desktop Web client
and Use features of the Remote Desktop Web client when connecting to Azure
Virtual Desktop for the general availability of the updated user interface for the
Remote Desktop Web client.

September 2023
In September 2023, we made the following changes to the documentation:

Published a new article to Use Microsoft OneDrive with a RemoteApp.

Published a new article to Uninstall and reinstall Remote Desktop Connection
(MSTSC) on Windows 11 23H2.

Published a new article for Azure Virtual Desktop (classic) retirement.

Updated articles for custom images templates general availability:
Custom image templates.
Use Custom image templates to create custom images.
Troubleshoot Custom image templates.

Updated Use Azure Virtual Desktop Insights to monitor your deployment for the
general availability of using the Azure Monitor Agent with Azure Virtual Desktop
Insights.

August 2023
In August 2023, we made the following changes to the documentation:

Updated Administrative template for Azure Virtual Desktop to include being able
to configure settings using the settings catalog in Intune.

Published a new article for Use cases for Azure Virtual Desktop Insights that
includes example scenarios for how you can use Azure Virtual Desktop Insights to
help understand your Azure Virtual Desktop environment.

July 2023
In July 2023, we made the following changes to the documentation:

Updated autoscale articles for the preview of autoscale for personal host pools.
Learn more at Autoscale scaling plans and example scenarios and Create an
autoscale scaling plan.

Updated multimedia redirection articles for the preview of call redirection. Learn
more at Multimedia redirection for video playback and calls in a remote session.

Updated Watermarking for general availability.

Updated Security best practices to include the general availability of Azure
Confidential computing virtual machines with Azure Virtual Desktop.

Updated Set up Private Link with Azure Virtual Desktop for general availability,
made the configuration process clearer, and added commands for Azure
PowerShell and Azure CLI.

Improved the search experience of the table of contents, allowing you to search for
articles by alternative search terms. For example, searching for SSO shows entries
for single sign-on.

June 2023
In June 2023, we made the following changes to the documentation:

Updated Use Azure Virtual Desktop Insights to use the Azure Monitor Agent.

Updated Supported features for Microsoft Teams on Azure Virtual Desktop to
include simulcast, mirror my video, manage breakout rooms, and call health panel.

Published a new article to Assign Azure RBAC roles or Microsoft Entra roles to the
Azure Virtual Desktop service principals.

Added Intune to Administrative template for Azure Virtual Desktop.

Updated Configure single sign-on using Azure AD Authentication to include how
to use an Active Directory domain admin account with single sign-on, and
highlight the need to create a Kerberos server object.

May 2023
In May 2023, we made the following changes to the documentation:

New articles for the custom images templates preview:
Custom image templates.
Use Custom image templates to create custom images.
Troubleshoot Custom image templates.

Added how to steps for the Azure portal to configure automatic or direct
assignment type in Configure personal desktop assignment.

Rewrote the article to Create an MSIX image.

April 2023
In April 2023, we made the following changes to the documentation:

New articles for the Azure Virtual Desktop Store app preview:
Connect to Azure Virtual Desktop with the Azure Virtual Desktop Store app for
Windows.
Use features of the Azure Virtual Desktop Store app for Windows.
What's new in the Azure Virtual Desktop Store app for Windows.

Provided guidance on how to Install the Remote Desktop client for Windows on a
per-user basis when using Intune or Configuration Manager.

Documented MSIXMGR tool parameters.

Published a new article to learn What's new in the MSIXMGR tool.

March 2023
In March 2023, we made the following changes to the documentation:

Published a new article for the preview of Uniform Resource Identifier (URI)
schemes with the Remote Desktop client.

Updated Configure personal desktop assignment showing you how to Give session
hosts in a personal host pool a friendly name.

February 2023
In February 2023, we made the following changes to the documentation:

Updated RDP Shortpath and Configure RDP Shortpath articles with the preview
information for an indirect UDP connection using the Traversal Using Relay NAT
(TURN) protocol with a relay between a client and session host.

Reorganized the table of contents.

Published the following articles for deploying Azure Virtual Desktop:
Tutorial to create and connect to a Windows 11 desktop with Azure Virtual
Desktop.
Create a host pool.
Create an application group, a workspace, and assign users.
Add session hosts to a host pool.

Published an article providing guidance to Apply Zero Trust principles to an Azure
Virtual Desktop deployment.

January 2023
In January 2023, we made the following change to the documentation:

Published a new article for the preview of Watermarking.

Next steps
Learn What's new for Azure Virtual Desktop.


FSLogix Release Notes
Article • 05/14/2024

FSLogix has two (2) types of releases, feature and hotfix. A feature release has new or
changing functionality to the product, whereas a hotfix release is focused on specific
issues. Depending on the type of issue, we may have multiple hotfixes before a feature
release. Regardless of the release type, customers are required to install and use the
latest version. For more information, see FSLogix product support.

How to: Download and install FSLogix

FSLogix 2210 hotfix 4 (2.9.8884.27471)

Summary
This is a hotfix release to address known issues and other identified bugs. In addition,
this release brings back the capability to roam a user's Group Policy state which provides
asynchronous policy processing.

Important

This version provides a comprehensive set of changes to support new Microsoft
Teams in virtual desktop environments.

What's new
2210 hotfix 4 includes the following updates:

Group Policy processing can now occur asynchronously for users during sign-in.
MSIX folders under %LocalAppData%\Packages\<package-name>\ will automatically
get created when an ODFC container is created (new or reset container).
Teams data located in
%LocalAppData%\Publishers\8wekyb3d8bbwe\TeamsSharedConfig will now roam with
the ODFC container.

Fixed issues
2210 hotfix 4 includes the following fixed issues:

Windows Server 2019 would sometimes fail to query the provisioned AppX
applications for the user during sign-out.
MSIX folders that should not be backed up would be removed during sign-out
instead of only removing the contents of those folders.
New Microsoft Teams crashes or fails to start in Windows Server 2019.
New Microsoft Teams would display an error during launch with "The parameter is
incorrect".
New Microsoft Teams would display an error during launch with "Invalid function".
New Microsoft Teams would not on-demand register during sign-in when using
the ODFC container.
New Microsoft Teams would not on-demand register during profile creation and
would not register during future sign-ins, despite being installed.
User-based Group Policy settings would persist in the user's profile after the policy
setting was removed or set to disabled.

File information
Download the following package and follow the installation instructions

Download FSLogix 2210 hotfix 4 (2.9.8884.27471)

FSLogix 2210 hotfix 3 (2.9.8784.63912)

Summary
This is a hotfix release with limited support for various versions of Windows and was
provided to unblock customers running the latest versions of Windows 11 with New
Teams in virtual desktop environments. All customers are urged to replace any
installations of this version with FSLogix 2210 hotfix 4, which provides a complete set of
changes and updates for New Teams.

Important

Do not use this version, instead download and install 2210 hotfix 4
(2.9.8884.27471).

Changes
Update: When new Teams is detected, the AppX package is registered for the user
during sign-in using the family name.
Update: During user sign-out, Teams user data/cache located in
%LocalAppData%\Packages\MSTeams_8wekyb3d8bbwe\LocalCache will be saved in the
container.
Fix: Resolved an issue where a virtual machine would reboot unexpectedly as a
result of bug check (various stop codes) when a user's redirects were removed
before sign-out.

FSLogix 2210 hotfix 2 (2.9.8612.60056)

Summary
This is a hotfix release to address known issues and other identified bugs.

Changes
Fix: Resolved an issue where a virtual machine would reboot unexpectedly as a
result of bug check (various stop codes).
Fix: Cloud Cache no longer creates a race condition when multiple threads try
accessing the same tracking file.
Fix: Cloud Cache thread timing has been adjusted to ensure proper file handling
and sanitization.
Fix: Cloud Cache now writes an event log message when a storage provider is
offline when the user signs in.
Fix: Cloud Cache no longer causes a user session to hang while processing I/O.
Fix: Resolved an issue which failed to detach an ODFC container.
Update: Group Policy templates have been updated and re-organized. Read about
the changes in the Group Policy how-to article.

File information
Download the following package and follow the installation instructions

Download FSLogix 2210 hotfix 2 (2.9.8612.60056)

FSLogix 2210 hotfix 1 (2.9.8440.42104)

Summary
This is a hotfix release to address known issues and other identified bugs.

Changes
Setting: Added new configuration setting (RoamIdentity). Allows legacy roaming
for credentials and tokens created by the Web Account Manager (WAM) system.
Fix: Resolved an issue where frxsvc.exe would crash when processing
AppXPackages.
Fix: Resolved issues in handling FileIds associated with OneDrive.
Fix: Resolved an issue with orphaned meta files on Cloud Cache SMB providers.
Fix: Resolved an issue where a pending rename operation would fail because the
target filename was invalid.
Fix: Resolved an issue where user sessions were cleaned up before a proper sign
out.
Fix: Resolved an issue where ODFC incorrectly handled multiple VHDLocations.
Fix: Resolved an issue in how settings are applied for ObjectSpecific configurations.
Fix: Resolved an issue where an ODFC container wouldn't correctly detach during
sign out.
Fix: Resolved an issue where VHD Disk Compaction would fail to cancel correctly
when using Cloud Cache.
Fix: Resolved an issue where ODFC VHD Disk Compaction would fail when
RoamSearch was enabled.
Fix: Resolved an issue where users would be stuck at a black screen as a result of
attempting to empty the Recycle Bin prior to roaming.
Update: Added policy for new RoamIdentity setting.

FSLogix 2210 (2.9.8361.52326)

Summary
This release is focused on three (3) core features, six (6) major bug fixes, and two (2)
updates.

Changes
Feature: Added the ability to compact the user's container during the sign out
phase. For more information, see VHD Disk Compaction.

Feature: Added a new process during the sign out phase, which creates an AppX
package manifest for the user. This manifest is used at sign-in to re-register the
AppX applications for an improved user experience. This work is on-going as AppX
packages and applications continue to evolve. The focus for this work has been on
the built-in Windows apps (inbox apps).

Feature: FSLogix now roams the users Recycle Bin within the user's container.

Important

All three (3) of our new features are enabled by default, but have the option
to be disabled.

Fix: Added recursive checks as part of search clean-up activities.

Fix: Registers all provisioned packages when AppxManifest.xml doesn't exist.

Fix: When OneDrive data is stored outside the user's profile, FSLogix correctly
impersonates OneDrive for setting permissions.

Fix: Resolved junction point compatibility issues with App-V.

Fix: RW differencing disks correctly handle disk expansion when SizeInMBs is
increased from a smaller value.

Fix: Cloud Cache now properly honors lock retry count and intervals.

Update: Group Policy templates have new names that align with their registry
settings. New help information indicates where in the registry Group Policy makes
the change. Added version history for newly added settings.

Update: Ensure Azure Storage Account Blob container names correctly adhere to
Azure naming requirements.

FSLogix 2201 hotfix 2 (2.9.8228.50276)

Summary
This update for FSLogix 2201 includes fixes to multi-session VHD mounting, Cloud
Cache meta tracking files, and registry cleanup operations.

Changes
Resolved an issue that would cause a system crash while reading from meta
tracking files in a Cloud Cache configuration.
Resolved an issue where a sign in would succeed even when the disk failed to
attach. Most commonly occurs in multi-session environments.
Resolved an issue during profile cleanup where user registry hives would be
removed regardless of the FSLogix local group exclusions.

FSLogix 2201 hotfix 1 (2.9.8171.14983)

Summary
This update for FSLogix 2201 includes fixes to Cloud Cache and container redirection
processes. No new features are included with this update.

Changes
Resolved an issue with Cloud Cache where disk read/write blocking could
potentially create a deadlock on the disk and cause the virtual machine to become
unresponsive.
Resolved an issue that would cause a Virtual Machine to crash while removing
profile redirections during the sign out process.

FSLogix 2201 (2.9.8111.53415)

Summary
This update for FSLogix is the latest full-featured release. This version includes over
30 accessibility-related updates, new support for Windows Search in specific versions of
Windows, better handling and tracking of locked VHD(x) containers, and fixes for
various issues.

Changes
Fixed issue where the FSLogix Profile Service would crash if it was unable to
communicate with the FSLogix Cloud Cache Service.
The OfficeFileCache folder located at
%LOCALAPPDATA%\Microsoft\Office\16.0\OfficeFileCache is now machine specific
and encrypted so we exclude it from FSLogix containers. Office files located
outside this folder aren't impacted in this update.
Windows Server 2019 version 1809, and newer versions of Windows Server,
natively support per-user search indexes and we recommend you use that native
search index capability. FSLogix Search Indexing is no longer available on those
versions of Windows Server.
Windows 10 Enterprise Multi-session and Windows 11 Enterprise Multi-session
natively support per-user search indexes and FSLogix Search Indexing is no longer
available on those operating systems.
FSLogix now correctly handles cases where the Windows Profile Service refCount
registry value is set to an unexpected value.
Over 30 accessibility related updates have been made to the FSLogix installer and
App Rules Editor.
A Windows event now records when a machine locks a container disk, with a
message that looks like "This machine '[HOSTNAME]' is using [USERNAME]'s
(SID=[USER SID]) profile disk. VHD(x): [FILENAME]. This event is generated from the
METADATA file created in the user's profile directory. This file can be ignored, but
not deleted."
Resolved an issue where the DeleteLocalProfileWhenVHDShouldApply registry
setting was ignored in some cases.
Fixed an issue where active user session settings weren't retained if the FSLogix
service was restarted. This was causing some logoffs to fail.
Fixed an issue where FSLogix didn't properly handle sign-out events if Profile or
ODFC containers were disabled during the session, or if per-user/per-group filters
applied mid-session excluded the user from the feature. FSLogix sign-out events
now always occur based on the FSLogix settings that applied at sign-in.
FSLogix no longer attempts to reattach a container disk when the user session is
locked.
Fixed an issue that caused the FSLogix service to crash when reattaching container
disks.
Fixed a Cloud Cache issue that caused IO failures if the session host's storage block
size was smaller than a cloud provider's block size. For optimal performance, we
recommend the session host disk hosting the CCD proxy directory has a physical
block size greater than or equal to the CCD storage provider with the largest block
size.
Fixed a Cloud Cache issue where a timed-out read request (network outage,
storage outage, etc.) wasn't handled properly and would eventually fail.
Reduced the chance for a Cloud Cache container disk corruption if a provider is
experiencing connection issues.
Resolved an issue where temporary rule files weren't deleted if rule compilation
failed.
Previously, the Application masking folder was only created for the user who ran
the installer. With this update, the rules folder is created when the Rules editor is
launched.
Resolved an interoperability issue with large OneDrive file downloads that was
causing some operations to fail.
Fixed an issue where per-user and per-group settings didn't apply if the Profile or
ODFC container wasn't enabled for all users.
Resolved an issue where the Office container session configuration wasn't cleaned
up if a profile failed to load.
Fixed an issue where HKCU App Masking rules using wildcards would fail to apply.
Fixed an issue that caused some sessions configured with an ODFC container to fail
to sign in.
Resolved an issue where the App Rules editor would crash if no assignments were
configured.
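The container-lock event described above is the signal an operator would watch for profile-disk contention in a multi-session host pool. As an added example (not part of the FSLogix release notes or FSLogix's own tooling), the following Python parses the event text using the template quoted in the notes and flags any user whose disk has been locked from more than one session host; the host names, user names, SIDs and paths in the sample events are constructed, and the parser assumes the live event uses the quoted wording.

```python
import re
from collections import defaultdict

# Pattern for the event text as quoted in the FSLogix 2201 release notes:
#   This machine '[HOSTNAME]' is using [USERNAME]'s (SID=[USER SID]) profile disk.
#   VHD(x): [FILENAME]. This event is generated from the METADATA file ...
# Assumption: the live event uses exactly this wording; adjust the pattern if yours differs.
LOCK_EVENT_RE = re.compile(
    r"This machine '(?P<host>[^']+)' is using (?P<user>.+?)'s "
    r"\(SID=(?P<sid>S-1-[0-9-]+)\) profile disk\. "
    r"VHD\(x\): (?P<vhd>.+?)\.(?:\s+This event|\s*$)"
)


def parse_lock_event(message):
    """Extract host, user, SID and container path from one lock event, or None if it doesn't match."""
    match = LOCK_EVENT_RE.search(message)
    if match is None:
        return None
    return {"host": match["host"], "user": match["user"],
            "sid": match["sid"], "vhd": match["vhd"]}


def find_contended_containers(messages):
    """Return {sid: [hosts]} for every SID whose container was locked by more than one host.

    The same user's disk being locked from two hosts usually means a stale lock
    (host crash, unclean sign-out) or a second concurrent sign-in, which is the
    condition worth alerting on in a multi-session host pool.
    """
    hosts_by_sid = defaultdict(set)
    for message in messages:
        event = parse_lock_event(message)
        if event is not None:
            hosts_by_sid[event["sid"]].add(event["host"])
    return {sid: sorted(hosts) for sid, hosts in hosts_by_sid.items() if len(hosts) > 1}


# Constructed sample events: host names, user names, SIDs and paths are all made up.
TRAILER = (" This event is generated from the METADATA file created in the user's "
           "profile directory. This file can be ignored, but not deleted.")
SAMPLE_EVENTS = [
    r"This machine 'AVD-HOST-01' is using jdoe's (SID=S-1-5-21-1111-2222-3333-1001) profile disk. "
    r"VHD(x): \\fs01\profiles\S-1-5-21-1111-2222-3333-1001_jdoe\Profile_jdoe.vhdx." + TRAILER,
    r"This machine 'AVD-HOST-02' is using jdoe's (SID=S-1-5-21-1111-2222-3333-1001) profile disk. "
    r"VHD(x): \\fs01\profiles\S-1-5-21-1111-2222-3333-1001_jdoe\Profile_jdoe.vhdx." + TRAILER,
    r"This machine 'AVD-HOST-02' is using asmith's (SID=S-1-5-21-1111-2222-3333-1002) profile disk. "
    r"VHD(x): \\fs01\profiles\S-1-5-21-1111-2222-3333-1002_asmith\Profile_asmith.vhdx." + TRAILER,
    "The FSLogix Apps Services service entered the running state.",  # unrelated event, ignored
]

if __name__ == "__main__":
    for sid, hosts in find_contended_containers(SAMPLE_EVENTS).items():
        print(f"{sid} locked by {len(hosts)} hosts: {', '.join(hosts)}")
```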

Next steps
Download and install FSLogix

Configuration examples

Configure profile containers


What's new in Azure Virtual Desktop Insights?
Article • 08/02/2024

This article describes the changes we make to each new version of Azure Virtual
Desktop Insights.

If you're not sure which version of Azure Virtual Desktop Insights you're currently using,
you can find it in the bottom-right corner of your Insights page or configuration
workbook. To access your workbook, go to https://aka.ms/azmonwvdi.

Latest available version

The following table shows the latest available version of Azure Virtual Desktop Insights.

Release   Latest version   Setup instructions
Public    3.5.0            Use Azure Virtual Desktop Insights to monitor your deployment

How to read version numbers


There are three numbers in each version of Azure Virtual Desktop Insights. Here's what
each number means:

The first number is the major version, and is usually used for major releases.

The second number is the minor version. Minor versions are for backwards-compatible
changes such as new features and deprecation notices.

The third number is the patch version, which is used for small changes that fix
incorrect behavior or bugs.

For example, a release with a version number of 1.2.31 is on the first major release, the
second minor release, and patch number 31.

When one of the numbers is increased, all numbers after it must change, too. One
release has one version number. However, not all version numbers track releases. Patch
numbers can be somewhat arbitrary, for example.

Version 3.5.0
Published: July 1, 2024

In this update, we made the following change:

Connection reliability is generally available.

Version 3.4.0
Published: May 13, 2024

In this update, we made the following changes:

Added Azure Stack HCI core count.
Updated the reliability of the calculation for users per core.

Version 3.3.1
Published: April 29, 2024

In this update, we made the following change:

Introduced previews for connection reliability and autoscale reporting.

Version 3.2.2
Published: February 12, 2024

In this update, we made the following changes:

Updated logic for Data Collection Rule (DCR) selection in the Configuration
workbook.
Removed unused performance counters from DCR for data savings.
Removed Terminal Services counters that the Azure Virtual Desktop Insights
workbook no longer uses.

Version 3.2.0
Published: October 9, 2023

In this update, we've made the following changes:

Updated support for session hosts with multiple Data Collection Rules.
Added more error impact reporting.

Version 3.1.0
Published: October 2, 2023

In this update, we've made the following change:

Updated configuration workbook to allow users to use existing resource groups for
Azure Monitor Agent configuration.

Version 3.0.0
Published: September 18, 2023

In this update, we've made the following changes:

Azure Monitor Agent-based Insights is now generally available.
Introduced Insights (Legacy) to support the Log Analytics Agent until its end of life.

Version 2.3.4
Published: September 5, 2023

In this update, we've made the following changes:

Fixed the configuration workbook experience for the Azure Monitor Agent deployment
preview.
Updated connection time reporting for connected time only.

Version 2.3.0
Published: June 5, 2023

In this update, we've made the following change:

Added HCI support and updated diagnostic threshold descriptions.

Version 2.2.0
Published: May 22, 2023

In this update, we've made the following change:

Added reporting support for the shutdown state.

Version 2.1.0
Published: May 1, 2023

In this update, we've made the following change:

Introduced support for the Azure Monitor Agent in preview.

Version 2.0.2
Published: April 3, 2023

In this update, we've made the following change:

Fixed reporting inconsistencies with Overview and User tabs.

Version 2.0.1
Published: March 20, 2023

In this update, we've made the following change:

Improved visualization for the Connection Time graph in the Utilization tab.

Version 2.0.0
Published: March 6, 2023

In this release, we've made the following change:

The Azure Virtual Desktop Insights at scale feature is now generally available.

Version 1.6.1
Published: February 27, 2023

In this release, we've made the following changes:

The Azure Virtual Desktop Insights at scale feature is now generally available.
Added the version of the OS used on session hosts to the Overview tab.

Version 1.6.0
Published: January 30, 2023

In this release, we've made the following change:

Added idle session reporting to the Utilization tab that visualizes sessions with no
active connections.

Version 1.5.0
Published: January 9, 2023

In this release, we've made the following change:

Added a preview of FSLogix compaction information to the Utilization tab for
reporting, as well as a User search capability to at-scale reporting.

Version 1.4.0
Published: October 2022

In this release, we've made the following change:

Added Windows 7 end-of-life reporting for client operating system and a dynamic
notification box as a reminder of the deprecation timeframe for Windows 7
support for Azure Virtual Desktop.

Version 1.3.0
Published: September 2022

In this release, we've made the following changes:

Introduced a preview of at scale reporting for Azure Virtual Desktop Insights to
allow the selection of multiple subscriptions, resource groups, and host pools.

Version 1.2.2
Published: July 2022

In this release, we've made the following change:

Updated checkpoint queries for LaunchExecutable.

Version 1.2.1
Published: June 2022

In this release, we've made the following change:

Updated templates for the Configuration Workbook to be available in the gallery
instead of the external GitHub repository.

Version 1.2.0
Published: May 2022

In this release, we've made the following changes:

Updated language for connection performance to "time to be productive" for
clarity.

Improved and expanded the Connection Details flyout panel with additional
information on connection history for selected users.

Added a fix for duplication of some data.

Version 1.1.10
Published: February 2022

In this release, we've made the following change:

We added support for category groups for resource logs.

Version 1.1.8
Published: November 2021

In this release, we've made the following changes:

We added a dynamic check for host pool and workspace Log Analytics tables to
show instances where diagnostics may not be configured.
Updated the source table for session history and calculations for users per core.

Version 1.1.7
Published: November 2021

In this release, we've made the following change:

We increased the session host limit to 1000 for the configuration workbook to
allow for larger deployments.

Version 1.1.6
Published: October 2021

In this release, we've made the following change:

We updated contents to reflect the change from Windows Virtual Desktop to Azure
Virtual Desktop.

Version 1.1.4
Published: October 2021

In this release, we've made the following change:

We updated data usage reporting in the configuration workbook to include the
agent health table.

Version 1.1.3
Published: September 2021

In this release, we've made the following change:

We updated filtering behavior to make use of resource IDs.

Version 1.1.2
Published: August 2021

In this release, we've made the following change:

We updated some formatting in the workbooks.

Version 1.1.1
Published: July 2021

In this release, we've made the following change:

We added the Workbooks gallery for quick access to Azure Virtual Desktop related
Azure workbooks.

Version 1.1.0
Published: July 2021

In this release, we've made the following change:

We added a Data Generated tab to the configuration workbook for detailed data
on storage space usage for Azure Virtual Desktop Insights to allow more insight
into Log Analytics usage.

Version 1.0.4
Published: June 2021

In this release, we've made the following changes:

We made some changes to formatting and layout for better use of whitespace.

We changed the sort order for User Input Delay details in Host Performance to
descending.

Version 1.0.3
Published: May 2021

In this release, we've made the following change:

We updated formatting to prevent truncation of text.

Version 1.0.2
Published: May 2021

In this release, we've made the following change:

We resolved an issue with user per core calculation in the Utilization tab.

Version 1.0.1
Published: April 2021

In this release, we've made the following change:

We made a formatting update for columns containing sparklines.

Version 1.0.0
Published: March 2021

In this release, we've made the following changes:

We introduced a new visual indicator for high-impact errors and warnings from the
Azure Virtual Desktop agent event log on the host diagnostics page.

We removed five expensive process performance counters from the default
configuration. For more information, see our blog post at Updated guidance on
Azure Virtual Desktop Insights.

The setup process for Windows Event Log for the configuration workbook is now
automated.

The configuration workbook now supports automated deployment of
recommended Windows Event Logs.

The configuration workbook can now install the Log Analytics agent and set the
preferred workspace for session hosts outside of the resource group's region.

The configuration workbook now has a tabbed layout for the setup process.

We introduced versioning with this update.

Next steps
For the general What's New page, see What's New in Azure Virtual Desktop.
To learn more about Azure Virtual Desktop Insights, see Use Azure Virtual Desktop
Insights to monitor your deployment.



What's new in the MSIXMGR tool
Article • 12/14/2023

This article provides the release notes for the latest updates to the MSIXMGR tool, which
you use for expanding MSIX-packaged applications into MSIX images for use with Azure
Virtual Desktop.

Latest available version

The following table shows the latest available version of the MSIXMGR tool.

Release   Latest version   Download
Public    1.2.0.0          MSIXMGR tool

Version 1.2.0.0
Published: April 18, 2023

In this release, we've made the following changes:

MSIXMGR now supports the expansion of MSIX bundles.
Support for creating a VHD image without the size parameter.
Improved support for creation of MSIX images as CIM files without the need to
provide the VHD size parameter.
Support for apps with long package paths (over 128 characters).

Next steps
To learn more about the MSIXMGR tool, check out these articles:

Using the MSIXMGR tool

MSIXMGR tool parameters



What's new in multimedia redirection?
Article • 10/15/2024

This article has the latest updates for the host component of multimedia redirection for
Azure Virtual Desktop.

Latest available version

The following table shows the latest available version of multimedia redirection for
Azure Virtual Desktop. For setup instructions, see Multimedia redirection for video
playback and calls in a remote session.

Release   Latest version   Download
Public    1.0.2404.4003    Multimedia redirection

Updates for version 1.0.2404.4003


Published: July 23, 2024

In this release, we've made the following change:

Fixed a deadlock issue and improved telemetry processing.

Updates for version 1.0.2311.2004


Published: January 23, 2024

In this release, we've made the following changes:

Fixed an issue that affected call redirection.
Fixed an installer log file location issue.
The extension no longer displays error messages for unsupported media formats.

Updates for version 1.0.2309.7002


Published: September 12, 2023

In this release, we've made the following changes:

Added support for using the Preview version of the extension.
Fixed a memory leak that caused the host to not close.
Added support for providing Telemetry IDs to the extension for customer support
purposes.
Improved call connection reliability.

Updates for version 1.0.2304.12009


Published: June 13, 2023

In this release, we've made the following changes:

Fixed various issues that caused crashes.
Improved telemetry.

Updates for version 1.0.2301.24004


Published: February 7, 2023

In this release, we've made the following changes:

Released the general availability-compatible multimedia redirection host.
Fixed an issue where content could cause the service to stop working instead of just
giving a playback error.

Updates for version 0.3.2210.12012


Published: October 13, 2022

In this release, we've made the following changes:

Added telemetry for time to first frame rendered and detecting a possible stall
issue.
Added changes for call redirection, including dual-tone multi-frequency (DTMF)
tones, and initial support for video.

Next steps
Learn more about multimedia redirection at Multimedia redirection for video playback
and calls in a remote session.


What's new in the Remote Desktop client for Windows
Article • 11/07/2024

In this article you'll learn about the latest updates for the Remote Desktop client for
Windows. To learn more about using the Remote Desktop client for Windows with Azure
Virtual Desktop, see Connect to Azure Virtual Desktop with the Remote Desktop client
for Windows and Use features of the Remote Desktop client for Windows when
connecting to Azure Virtual Desktop.

There are three versions of the Remote Desktop client for Windows, which are all
supported for connecting to Azure Virtual Desktop:

Standalone download as an MSI installer. This is the most common version of the
Remote Desktop client for Windows.
Azure Virtual Desktop app from the Microsoft Store. This is a preview version of
the Remote Desktop client for Windows.
Remote Desktop app from the Microsoft Store. This version is no longer being
developed.

Tip

You can also connect to Azure Virtual Desktop with Windows App, a single app to
securely connect you to Windows devices and apps from Azure Virtual Desktop,
Windows 365, Microsoft Dev Box, Remote Desktop Services, and remote PCs. For
more information, see What is Windows App?

Tip

Select the version of the Remote Desktop client for Windows you want to use with
the buttons at the top of this article.

Supported client versions

The following table lists the current versions available for the public and Insider releases.
To enable Insider releases, see Enable Insider releases.

Release   Latest version   Download
Public    1.2.5709         Windows 64-bit (most common), Windows 32-bit, Windows ARM64
Insider   1.2.5802         Windows 64-bit (most common), Windows 32-bit, Windows ARM64

Updates for version 1.2.5802 (Insider)

Date published: November 6, 2024

Download: Windows 64-bit, Windows 32-bit, Windows ARM64

Added a list of graphics codecs to the Connection Information dialog.
Fixed an issue where the bottom portion of the Windows Authentication dialog
could be cut off when connected to a RemoteApp.
Fixed an issue where the Connection Information dialog showed the lowest round-
trip time (RTT) instead of the average RTT.
Fixed an issue where the UDP type was incorrectly reported as "UDP (Private Network)"
for all UDP connections in the Connection Info dialog.

Note

This version replaced the Insider versions 1.2.5799 and 1.2.5800. The changes noted
above reflect all changes for these versions.

Updates for version 1.2.5709

Date published: October 8, 2024

Download: Windows 64-bit, Windows 32-bit, Windows ARM64

Fixed an issue for CVE-2024-43533.
Multimedia redirection call redirection is now generally available.

Updates for version 1.2.5704

Date published: September 18, 2024

Fixed an issue where initiating a screen capture while Teams is open as a
RemoteApp caused the client to crash.
Fixed an issue where the client crashed for users who have Windows N SKUs
without the media framework.
Addressed an issue to reduce the chance of encountering a low virtual memory
error on reconnect attempts.
Made an improvement so that new session windows don't become the focused
windows.
Fixed a bug to ensure that the screen mode id setting in an RDP file is honored.
Fixed an issue where Microsoft Teams rendered into the wrong window when multiple
Remote Desktop session windows were open.

Note

This version replaced the Insider versions 1.2.5702, 1.2.5701, and 1.2.5699. It
contains all changes made in those versions and was promoted to public on
September 18, 2024.

Updates for version 1.2.5623


Date published: September 4, 2024

Fixed an issue where the client crashed for users who have Windows N SKUs
without the media framework.
Addressed an issue that reduces the chance of encountering a “low virtual
memory” error on reconnect attempts.

Note

This hotfix version replaced the public version 1.2.5620 and has the same release
notes with the addition of the above fixes.

Updates for version 1.2.5620

Date published: August 13, 2024

Fixed an issue for CVE-2024-38131.

Note

This version replaced the Insider version 1.2.5617 and has the same release notes
with the addition of the security release.

Updates for version 1.2.5560


Date published: August 13, 2024

Fixed an issue for CVE-2024-38131.

Updates for version 1.2.5617


Date published: July 23, 2024

In this release, we made the following changes:

Stability and security improvements for printer redirections.
Improved experience for SSO Lock Screen dialogs.
Fixed an issue with SSO login failure.
Fixed an issue causing the client to crash on disconnect.

Updates for version 1.2.5559


Date published: July 17, 2024

Note

This version replaced 1.2.5552 and has the same release notes.

Updates for version 1.2.5552


Date published: July 2, 2024

In this release, we made the following changes:

Fixed an issue where users who were connecting using protocol launch had to
complete two MFA prompts.

Note

This Insider release was originally version 1.2.5550, but we made a change to
fix an issue with double MFA prompts and re-released it as version 1.2.5552.
This version contains all the changes made in 1.2.5550.

This version was released as a public version on July 2, 2024, but was replaced
by version 1.2.5559 on July 17, 2024.

Updates for version 1.2.5550


Date published: June 25, 2024

In this release, we made the following changes:

Fixed an issue where a minimized RemoteApp window will maximize when the lock
screen timer runs out for a RemoteApp session.
Improved usability of the connection bar by reducing the amount of time it
displays on the screen after the mouse moves away.

Updates for version 1.2.5454


Date published: June 11, 2024

In this release, we made the following changes:

Fixed an issue where the client crashed when a session is disconnected.

Note

This Insider release was originally version 1.2.5453, but we made this change
and re-released it as version 1.2.5454. This version contains all the changes
made in 1.2.5450, 1.2.5452, and 1.2.5453.

Updates for version 1.2.5453


Date published: June 4, 2024

In this release, we made the following changes:

Fixed an issue where the client crashed when responding to an incoming Microsoft
Teams call.

Note

This Insider release was originally version 1.2.5452, but we made this change and
re-released it as 1.2.5453. This version contains all of the changes made in 1.2.5450
and 1.2.5452.

Updates for version 1.2.5452


Date published: May 29, 2024

In this release, we made the following changes:

Improved the graphics presentation latency.

Note

This Insider release was originally version 1.2.5450, but we made this change and
re-released it as 1.2.5452. This version contains all of the changes made in 1.2.5450.

Updates for version 1.2.5450


Date published: May 21, 2024

In this release, we made the following changes:

When subscribing to feeds via URL, all message states for the status message box
can be announced by screen readers.
When users search for workspaces via URL, they now see the searching status
when entering URL-formatted input and receive an error if results are not found.
Improved error messaging for end users when their saved credentials expire.
Improved client logging, diagnostics, and error classification to help admins
troubleshoot connection and feed issues.

Updates for version 1.2.5405


Date published: April 17, 2024

In this release, we made the following changes:

Fixed an issue that made the multifactor authentication (MFA) prompt appear
twice when users tried to connect to a resource.
Fixed an issue that caused an extra string to appear next to a user's tenant URL.
Improved client logging, diagnostics, and error classification to help admins
troubleshoot connection and feed issues.

Updates for version 1.2.5331


Date published: April 18, 2024

In this release, we've made the following changes:

Fixed an issue that caused the RemoteApp window to appear stretched.
When users enter text into the email or URL field to search for a workspace while
subscribing to a feed, screen readers now announce whether the client can find the
workspace.
Fixed an issue that made the MFA prompt appear twice when users tried to
connect to a resource.
Fixed an issue that caused an extra string to appear next to a user's tenant URL.
Improved client logging, diagnostics, and error classification to help admins
troubleshoot connection and feed issues.

Note

This release was originally version 1.2.5326, but we made a hotfix after receiving
user reports about issues that affected the MFA prompt and tenant URLs. Version
1.2.5331, which fixes these issues, has replaced version 1.2.5326.

Updates for version 1.2.5255


Date published: March 11, 2024

Note

This version includes all the latest updates made in public build 1.2.5252 and
Insider builds 1.2.5248 and 1.2.5126.

In this release, we've made the following change:

Fixed an issue that caused connections to stop working when users tried to
connect from a Private Network to an Azure Virtual Desktop environment.

Updates for version 1.2.5254


Date published: March 6, 2024

Note

This version replaced 1.2.5252 and has the same release notes as version 1.2.5112.

Updates for version 1.2.5252


Date published: February 29, 2024

Note

This version was released as a Public version on March 5, 2024 but was replaced by
version 1.2.5254 on March 6, 2024.

In this release, we've made the following changes:

Devices no longer go into idle mode when video playback is active.
Improved client logging, diagnostics, and error classification to help admins
troubleshoot connection and feed issues.

Updates for version 1.2.5248


Date published: February 13, 2024

Note

This version was an Insiders version that was replaced by version 1.2.5252 and
never released to Public.

In this release, we've made the following changes:

Fixed an issue that caused artifacts to appear on the screen during RemoteApp
sessions.
Fixed an issue where resizing the Teams video call window caused the client to
temporarily stop responding.
Fixed an issue that made Teams calls echo after expanding a two-person call to
meeting call.
Improved client logging, diagnostics, and error classification to help admins
troubleshoot connection and feed issues.

Updates for version 1.2.5126


Published: January 24, 2024

Note

This version was an Insiders version that was replaced by version 1.2.5248 and
never released to Public.

In this release, we've made the following changes:

Fixed the regression that caused a display issue when a user selects monitors for
their session.
Made the following accessibility improvements:
Improved screen reader experience.
Greater contrast for background color of the connection bar remote commands
drop-down menu.
Improved client logging, diagnostics, and error classification to help admins
troubleshoot connection and feed issues.

Updates for version 1.2.5112


Published: February 7, 2024

In this release, we've made the following changes:

Fixed the regression that caused a display issue when a user selects monitors for
their session.

Updates for version 1.2.5105


Published: January 9, 2024

In this release, we've made the following changes:

Fixed the CVE-2024-21307 security vulnerability.
Improved accessibility by making the Change the size of text and apps drop-down
menu more visible in the High Contrast theme.
Improved client logging, diagnostics, and error classification to help admins
troubleshoot connection and feed issues.
Fixed a Teams issue that caused incoming videos to flicker green during meeting
calls.

Note

This release was originally 1.2.5102 in Insiders, but we changed the Public version
number to 1.2.5105 after adding the security improvements addressing
CVE-2024-21307.

Updates for version 1.2.5018


Published: November 20, 2023

Note

We replaced this Insiders version with version 1.2.5102. As a result, version 1.2.5018
is no longer available for download.

In this release, we've made the following change:

Improved client logging, diagnostics, and error classification to help admins
troubleshoot connection and feed issues.

Updates for version 1.2.4763


Published: November 7, 2023

In this release, we've made the following changes:

Added a link to the troubleshooting documentation to error messages to help
users resolve minor issues without needing to contact Microsoft Support.
Improved the connection bar user interface (UI).
Fixed an issue that caused the client to stop responding when a user tries to resize
the client window during a Teams video call.
Fixed a bug that prevented the client from loading more than 255 workspaces.
Fixed an authentication issue that allowed users to choose a different account
whenever the client required more interaction.
Improved client logging, diagnostics, and error classification to help admins
troubleshoot connection and feed issues.

Updates for version 1.2.4677


Published: October 17, 2023

In this release, we've made the following changes:

Added new parameters for multiple monitor configuration when connecting to a
remote resource using the Uniform Resource Identifier (URI) scheme.
Added support for the following languages: Czech (Czechia), Hungarian (Hungary),
Indonesian (Indonesia), Korean (Korea), Portuguese (Portugal), Turkish (Türkiye).
Fixed a bug that caused a crash when using Teams Media Optimization.
Improved client logging, diagnostics, and error classification to help admins
troubleshoot connection and feed issues.

Note

This Insiders release was originally version 1.2.4675, but we made a hotfix for the
vulnerability known as CVE-2023-5217.

Updates for version 1.2.4583


Published: October 6, 2023

In this release, we've made the following change:

Fixed the CVE-2023-5217 security vulnerability.

Updates for version 1.2.4582


Published: September 19, 2023

In this release, we've made the following changes:

Fixed an issue where, when using the default display settings and a change is made
to the system display settings, the bar didn't show when hovering over the top of
the screen after it was hidden.
Improved client logging, diagnostics, and error classification to help admins
troubleshoot connection and feed issues.
Accessibility improvements:
Narrator now announces the view mode selector as "View combo box", instead
of "Tile view combo box" or "List view combo box".
Narrator now focuses on and announces Learn more hyperlinks.
Keyboard focus is now set correctly when a warning dialog loads.
Tooltip for the close button on the About panel now dismisses when keyboard
focus moves.
Keyboard focus is now properly displayed for certain drop-down selectors in the
Settings panel for published desktops.

Note

This release was originally version 1.2.4577, but we made a hotfix after reports that
connections to machines with watermarking policy enabled were failing. Version
1.2.4582, which fixes this issue, has replaced version 1.2.4577.

Updates for version 1.2.4487


Published: July 21, 2023

In this release, we've made the following changes:

Fixed an issue where the client doesn't auto-reconnect when the gateway
WebSocket connection shuts down normally.

Updates for version 1.2.4485


Published: July 11, 2023

In this release, we've made the following changes:

Added a new RDP file property called allowed security protocols. This property
restricts the list of security protocols the client can negotiate.
Improved client logging, diagnostics, and error classification to help admins
troubleshoot connection and feed issues.
Accessibility improvements:
Narrator now describes the toggle button in the display settings side panel as
toggle button instead of button.
Control types for text now correctly say that they're text and not custom.
Fixed an issue where Narrator didn't read the error message that appears after
the user selects Delete.
Added heading-level description to Subscribe with URL.
Dialog improvements:
Updated file and URI launch dialog error handling messages to be more
specific and user-friendly.
The client now displays an error message after unsuccessfully checking for
updates instead of incorrectly notifying the user that the client is up to date.
Fixed an issue where, after having been automatically reconnected to the
remote session, the connection information dialog gave inconsistent
information about identity verification.

Updates for version 1.2.4419


Published: July 6, 2023

In this release, we've made the following changes:

General improvements to Narrator experience.
Fixed an issue that caused the text in the message for subscribing to workspaces to
be cut off when the user increases the text size.
Fixed an issue that caused the client to sometimes stop responding when
attempting to start new connections.
Improved client logging, diagnostics, and error classification to help admins
troubleshoot connection and feed issues.

Updates for version 1.2.4337


Published: June 13, 2023

In this release, we've made the following changes:

Fixed the vulnerability known as CVE-2023-29362.
Fixed the vulnerability known as CVE-2023-29352.

Updates for version 1.2.4331


Published: June 6, 2023

In this release, we've made the following changes:

Improved connection bar resizing so that resizing the bar to its minimum width
doesn't make its buttons disappear.
Fixed an application compatibility issue that affected preview versions of Windows.
Moved the identity verification method from the lock window message in the
connection bar to the end of the connection info message.
Changed the error message that appears when the session host can't reach the
authenticator to validate a user's credentials to be clearer.
Added a reconnect button to the disconnect message boxes that appear whenever
the local PC goes into sleep mode or the session is locked.
Improved client logging, diagnostics, and error classification to help admins
troubleshoot connection and feed issues.

Updates for version 1.2.4240


Published: May 16, 2023

In this release, we've made the following changes:

Fixed an issue where the connection bar remained visible on local sessions when
the user changed their contrast themes.
Made minor changes to connection bar UI, including improved button sizing.
Fixed an issue where the client stopped responding if closed from the system tray.
Improved client logging, diagnostics, and error classification to help admins
troubleshoot connection and feed issues.

Updates for version 1.2.4159


Published: May 9, 2023

In this release, we've made the following changes:

Redesigned the connection bar for session desktops.
Fixed an issue that caused the client to report misleading or incorrect ErrorCode
0x108 error logs.
Fixed an issue that made the client sometimes drop connections if doing
something like using a Smart Card made the connection take a long time to start.
Fixed a bug where users aren't able to update the client if the client is installed
with the flags ALLUSERS=2 and MSIINSTALLPERUSER=1.
Fixed an issue that made the client disconnect and display error message
0x3000018 instead of showing a prompt to reconnect if the endpoint doesn't let
users save their credentials.
Fixed the vulnerability known as CVE-2023-28267.
Fixed an issue that generated duplicate Activity IDs for unique connections.
Improved client logging, diagnostics, and error classification to help admins
troubleshoot connection and feed issues.
Fixed an application compatibility issue for preview versions of Windows.

Updates for version 1.2.4066


Published: March 28, 2023

In this release, we've made the following changes:

General improvements to Narrator experience.
Fixed a bug that caused the client to stop responding when disconnecting from
the session early.
Fixed a bug that caused duplicate error messages to appear while connected to an
Azure Active Directory-joined host using the new Remote Desktop Services (RDS)
Azure Active Directory (Azure AD) Auth protocol.
Fixed a bug that caused scale resolution options to not display in display settings
for session desktops.
Disabled UPnP for non-Insiders customers after reports of connectivity issues.
Improved client logging, diagnostics, and error classification to help admins
troubleshoot connection and feed issues.
Updates to multimedia redirection for Azure Virtual Desktop, including the
following:
Fixed an issue that caused multimedia redirection for Azure Virtual Desktop to
not load for the ARM64 version of the client.
Updates to Teams for Azure Virtual Desktop, including the following:
Fixed an issue that caused the application window sharing to freeze or show a
black screen in scenarios with Topmost window occlusions.
Fixed an issue that caused Teams media optimizations for Azure Virtual Desktop
to not load for the ARM64 version of the client.

Note

This release was originally version 1.2.4065, but we made a hotfix after reports that
UPnP was causing connectivity issues. Version 1.2.4066 has replaced the previous
version and has disabled UPnP.

Updates for version 1.2.3918


Published: February 7, 2023

In this release, we've made the following changes:

Fixed a bug where refreshes increased memory usage.
Improved client logging, diagnostics, and error classification to help admins
troubleshoot connection and feed issues.
Updates to Teams for Azure Virtual Desktop, including the following:
Bug fix for Background Effects persistence between Teams sessions.
Updates to multimedia redirection for Azure Virtual Desktop, including the
following:
Various bug fixes for multimedia redirection video playback redirection.
Multimedia redirection for Azure Virtual Desktop is now generally available.

Important

This is the final version of the Remote Desktop client with Windows 7 support. After
this version, if you try to use the Remote Desktop client with Windows 7, it may not
work as expected. For more information about which versions of Windows the
Remote Desktop client currently supports, see Prerequisites.

Updates for version 1.2.3770


Published: December 14, 2022

In this release, we've made the following changes:

Fixed an issue where the app sometimes entered an infinite loop while
disconnecting.
Improved client logging, diagnostics, and error classification to help admins
troubleshoot connection and feed issues.
Updates to Teams for Azure Virtual Desktop, including the following:
Fixed an issue that caused the incorrect rendering of an incoming screen share
when using an ultrawide (21:9) monitor.

Updates for version 1.2.3667


Published: November 30, 2022

In this release, we've made the following changes:

Added User Datagram Protocol support to the client's ARM64 platform.
Fixed an issue where the tooltip didn't disappear when the user moved the mouse
cursor away from the tooltip area.
Fixed an issue where the application crashes when calling reset manually from the
command line.
Fixed an issue where the client stops responding when disconnecting, which
prevents the user from launching another connection.
Fixed an issue where the client stops responding when coming out of sleep mode.
Improved client logging, diagnostics, and error classification to help admins
troubleshoot connection and feed issues.

Updates for version 1.2.3577


Published: October 10, 2022

In this release, we've made the following change:

Fixed a bug related to tracing that was blocking reconnections.

Updates for version 1.2.3576


Published: October 6, 2022

In this release, we've made the following change:

Fixed a bug that affected users of some third-party plugins.

Updates for version 1.2.3575


Published: October 4, 2022

In this release, we've made the following change:

Fixed an issue that caused unexpected disconnects in certain RemoteApp
scenarios.

Updates for version 1.2.3574


Published: October 4, 2022

In this release, we've made the following changes:


Added banner warning users running client on Windows 7 that support for
Windows 7 will end starting January 10, 2023.
Added page to installer warning users running client on Windows 7 that support
for Windows 7 will end starting January 10, 2023.
Improved client logging, diagnostics, and error classification to help admins
troubleshoot connection and feed issues.
Updates to Multimedia redirection for video playback and calls in a remote session
including the following:
Multimedia redirection now works on a browser published as a RemoteApp and
supports up to 30 sites.
Multimedia redirection introduces better diagnostic tools with the new status
icon and one-click Tracelog.

Updates for version 1.2.3497


Published: September 20, 2022

In this release, we've made the following changes:

Accessibility improvements through increased color contrast in the virtual desktop
connection blue bar.
Updated connection information dialog to distinguish between Websocket
(renamed from TCP), RDP Shortpath for managed networks, and RDP Shortpath for
public networks.
Fixed bugs.
Improved client logging, diagnostics, and error classification to help admins
troubleshoot connection and feed issues.
Updates to Teams for Azure Virtual Desktop, including the following:
Fixed an issue that caused calls to disconnect when using a microphone with a
high sample rate (192 kbps).
Resolved a connectivity issue with older RDP stacks.

Updates for version 1.2.3496


Published: September 8, 2022

In this release, we've made the following change:

Reverted to version 1.2.3401 build to avoid a connectivity issue with older RDP
stacks.

Updates for version 1.2.3401

Published: August 2, 2022

In this release, we've made the following changes:

Fixed an issue where the narrator was announcing the tenant expander button as
on or off instead of expanded or collapsed.
Fixed an issue where the text size didn't change when the user adjusted the text
size system setting.
Improved client logging, diagnostics, and error classification to help admins
troubleshoot connection and feed issues.

Updates for version 1.2.3317


Published: July 12, 2022

In this release, we've made the following change:

Fixed the vulnerability known as CVE-2022-30221.

Updates for version 1.2.3316


Published: July 6, 2022

In this release, we've made the following changes:

Fixed an issue where the service couldn't render RemoteApp windows while
RemoteFX Advanced Graphics were disabled.
Fixed an issue that happened when a user tried to connect to an Azure Virtual
Desktop endpoint while using the Remote Desktop Services Transport Layer
Security protocol (RDSTLS) with CredSSP disabled, which caused the Windows
Desktop client to not prompt the user for credentials. Because the client couldn't
authenticate, it would get stuck in an infinite loop of failed connection attempts.
Fixed an issue that happened when users tried to connect to an Azure Active
Directory (Azure AD)-joined Azure Virtual Desktop endpoint from a client machine
joined to the same Azure AD tenant while the Credential Security Support Provider
protocol (CredSSP) was disabled.
Improved client logging, diagnostics, and error classification to help admins
troubleshoot connection and feed issues.
Updates to Teams for Azure Virtual Desktop, including the following:
Better noise suppression during calls.
A diagnostic overlay now appears when you press Shift+Ctrl+Semicolon (;)
during calls. The diagnostic overlay only works with version 1.17.2205.23001 or
later of the Remote Desktop WebRTC Redirector Service. You can download the
latest version of the service here.

Updates for version 1.2.3213


Published: June 2, 2022

In this release, we've made the following changes:

Reduced flicker when application is restored to full-screen mode from minimized
state in single-monitor configuration.
The client now shows an error message when the user tries to open a connection
from the UI, but the connection doesn't launch.
Improved client logging, diagnostics, and error classification to help admins
troubleshoot connection and feed issues.
Updates to Teams for Azure Virtual Desktop, including the following:
The new hardware encoding feature increases the video quality (resolution and
framerate) of the outgoing camera during Teams calls. Because this feature uses
the underlying hardware on the PC and not just software, we're being extra
careful to ensure broad compatibility before turning the feature on by default
for all users. Therefore, this feature is currently off by default. To get an early
preview of the feature, you can enable it on your local machine by creating a
registry key at
Computer\HKEY_CURRENT_USER\SOFTWARE\Microsoft\Terminal Server
Client\Default\AddIns\WebRTC Redirector\UseHardwareEncoding as a
DWORD value and setting it to 1. To disable the feature, set the key to 0.

Updates for version 1.2.3130


Published: May 10, 2022

In this release, we've made the following changes:

Fixed the vulnerability known as CVE-2022-22017.
Fixed the vulnerability known as CVE-2022-26940.
Fixed the vulnerability known as CVE-2022-22015.
Fixed an issue where the Class Identifier (CLSID)-based registration of the dynamic
virtual channel (DVC) plug-in wasn't working.

Updates for version 1.2.3128

Published: May 3, 2022

In this release, we've made the following changes:

Improved Narrator application experience.
Accessibility improvements.
Fixed a regression that prevented subsequent connections after reconnecting to an
existing session with the group policy object (GPO) User
Configuration\Administrative Templates\System\Ctrl+Alt+Del Options\Remove
Lock Computer enabled.
Added an error message for when a user selects a credential type for smart card or
Windows Hello for Business but the required smart card redirection is disabled in
the RDP file.
Improved diagnostics for User Datagram Protocol (UDP)-based Remote Desktop
Protocol (RDP) transport protocols.
Improved client logging, diagnostics, and error classification to help admins
troubleshoot connection and feed issues.
Updates to Teams for Azure Virtual Desktop, including updating the WebRTC stack
from version M88 to M98. M98 provides better reliability and performances when
making audio and video calls.

Updates for version 1.2.3004


Published: March 29, 2022

In this release, we've made the following changes:

Fixed an issue where Narrator didn't announce grid or list views correctly.
Fixed an issue where the msrdc.exe process might take a long time to exit after
closing the last Azure Virtual Desktop connection if customers have set a very
short token expiration policy.
Updated the error message that appears when users are unable to subscribe to
their feed.
Updated the disconnect dialog boxes that appear when the user locks their remote
session or puts their local computer in sleep mode to be only informational.
Improved client logging, diagnostics, and error classification to help admins
troubleshoot connection and feed issues.
Multimedia redirection for Azure Virtual Desktop now has an update that gives it
more site and media control compatibility.
Improved connection reliability for Teams on Azure Virtual Desktop.

Updates for version 1.2.2927

Published: March 15, 2022

In this release, we've made the following change:

Fixed an issue where the number pad didn't work on initial focus.

Updates for version 1.2.2925


Published: March 8, 2022

In this release, we've made the following changes:

Fixed the vulnerability known as CVE-2022-21990.
Fixed the vulnerability known as CVE-2022-24503.
Fixed an issue where background updates could close active remote connections.

Updates for version 1.2.2924


Published: February 23, 2022

In this release, we've made the following changes:

The Desktop client now supports Ctrl+Alt+arrow key keyboard shortcuts during
desktop sessions.
Improved graphics performance with certain mouse types.
Fixed an issue that caused the client to randomly crash when something ends a
RemoteApp connection.
Improved client logging, diagnostics, and error classification to help admins
troubleshoot connection and feed issues.
Updates to Teams for Azure Virtual Desktop, including the following:
The background blur feature is rolling out this week for Windows endpoints.
Fixed an issue that caused the screen to turn black during Teams video calls.

Updates for version 1.2.2860


Published: February 15, 2022

In this release, we've made the following changes:

Improved stability of Azure Active Directory authentication.
Fixed an issue that was preventing users from opening multiple .RDP files from
different host pools.

Updates for version 1.2.2851


Published: January 25, 2022

In this release, we've made the following changes:

Fixed an issue that caused a redirected camera to give incorrect error codes when
camera access was restricted in the Privacy settings on the client device. This
update should give accurate error messages in apps using the redirected camera.
Fixed an issue where the Azure Active Directory credential prompt appeared in the
wrong monitor.
Fixed an issue where the background refresh and update tasks were repeatedly
registered with the task scheduler, which caused the background and update task
times to change without user input.
Improved client logging, diagnostics, and error classification to help admins
troubleshoot connection and feed issues.
Updates to Teams for Azure Virtual Desktop, including the following:
In September 2021 we released a preview of our GPU render path optimizations
but defaulted them off. After extensive testing, we've now enabled them by
default. These GPU render path optimizations reduce endpoint-to-endpoint
latency and solve some performance issues. You can manually disable these
optimizations by setting the registry key
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Terminal Server Client\IsSwapChainRenderingEnabled
to 00000000.

Updates for version 1.2.2691


Published: January 12, 2022

In this release, we've made the following changes:

Fixed the vulnerability known as CVE-2019-0887.
Fixed the vulnerability known as CVE-2022-21850.
Fixed the vulnerability known as CVE-2022-21851.
Improved client logging, diagnostics, and error classification to help admins
troubleshoot connection and feed issues.

Updates for version 1.2.2688


Published: December 9, 2021

In this release, we've made the following change:

Fixed an issue where some users were unable to subscribe using the subscribe
with URL option after updating to version 1.2.2687.0.

Updates for version 1.2.2687


Published: December 2, 2021

In this release, we've made the following changes:

Improved manual refresh functionality to acquire new user tokens, which ensures
the service can accurately update user access to resources.
Fixed an issue where the service sometimes pasted empty frames when a user tried
to copy an image from a remotely running Internet Explorer browser to a locally
running Word document.
Fixed the vulnerability known as CVE-2021-38665.
Fixed the vulnerability known as CVE-2021-38666.
Fixed the vulnerability known as CVE-2021-1669.
Improved client logging, diagnostics, and error classification to help admins
troubleshoot connection and feed issues.
Fixed a usability issue where the Windows Desktop client would sometimes
prompt for a password (Azure Active Directory prompt) after the device went into
sleep mode.
Fixed an issue where the client didn't automatically expand and display interactive
sign-in messages set by admins when a user signs in to their virtual machine.
Fixed a reliability issue that appeared in version 1.2.2686 where the client stopped
responding when users tried to launch new connections.
Updates to Teams for Azure Virtual Desktop, including the following:
The notification volume level on the client device is now the same as the host
device.
Fixed an issue where the device volume was low in Azure Virtual Desktop
sessions.
Fixed a multi-monitor screen sharing issue where screen sharing didn't appear
correctly when moving from one monitor to the other.
Resolved a black screen issue that caused screen sharing to incorrectly show a
black screen sometimes.
Increased the reliability of the camera stack when resizing the Teams app or
turning the camera on or off.
Fixed a memory leak that caused issues like high memory usage or video
freezing when reconnecting with Azure Virtual Desktop.
Fixed an issue that caused Remote Desktop connections to stop responding.

Updates for version 1.2.2606


Published: November 9, 2021

In this release, we've made the following changes:

Fixed the vulnerability known as CVE-2021-38665.
Fixed the vulnerability known as CVE-2021-38666.
Fixed an issue where the service sometimes pasted empty frames when a user tried
to copy an image from a remotely running Internet Explorer browser to a locally
running Word document.

Updates for version 1.2.2600


Published: October 26, 2021

In this release, we've made the following changes:

Updates to Teams for Azure Virtual Desktop, including improvements to camera
performance during video calls.
Improved client logging, diagnostics, and error classification to help admins
troubleshoot connection and feed issues.

Updates for version 1.2.2459


Published: September 28, 2021

In this release, we've made the following changes:

Improved client logging, diagnostics, and error classification to help admins
troubleshoot connection and feed issues.
Fixed an issue that caused the client to prompt for credentials a second time after
closing a credential prompt window while subscribing.
Updates to Teams for Azure Virtual Desktop, including the following:
Fixed an issue that made the video screen turn black and crash during calls in
the Chrome browser.
Reduced E2E latency and some performance issues by optimizing the GPU
render path in the Windows Desktop client. To enable the new render path, add
the registry key
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Terminal Server Client\IsSwapChainRenderingEnabled
and set its value to 00000001. To disable the new render path and revert to the
original path, either set the key's value to 00000000 or delete the key.
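The release notes for versions 1.2.3213 (UseHardwareEncoding under the WebRTC Redirector key), 1.2.2851 and 1.2.2459 (IsSwapChainRenderingEnabled) all describe the same kind of per-user client toggle: a DWORD under HKEY_CURRENT_USER\SOFTWARE\Microsoft\Terminal Server Client that is set to 1 or 0, or deleted to fall back to the client default. The following PowerShell is an added example, not code from the release notes or from the client itself; the registry paths and value names are the ones quoted in the notes, while the function names and the -Mode parameter are this example's own.

```powershell
# Added example: set, clear or read the two per-user Remote Desktop client toggles
# described in these release notes. Paths and value names are quoted from the notes;
# the helper functions and the -Mode parameter are this example's own.

$ClientKey = 'HKCU:\SOFTWARE\Microsoft\Terminal Server Client'
$WebRtcKey = Join-Path $ClientKey 'Default\AddIns\WebRTC Redirector'

function Get-RdClientToggle {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Name
    )
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    # Key or value absent means the client uses its built-in default for that feature.
    if ($null -eq $item) { return $null }
    return [int] $item.$Name
}

function Set-RdClientToggle {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [ValidateSet('Enable', 'Disable', 'Default')] [string] $Mode
    )
    if ($Mode -eq 'Default') {
        # Deleting the value returns the client to its built-in default (the notes say
        # deleting IsSwapChainRenderingEnabled is equivalent to setting it to 0).
        if (Test-Path $Path) {
            Remove-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
        }
        return
    }
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    $value = if ($Mode -eq 'Enable') { 1 } else { 0 }
    # DWORD 1 enables the feature, DWORD 0 disables it, as described in the notes.
    New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value $value -Force | Out-Null
}

# Hardware encoding for Teams media optimization (off by default per the 1.2.3213 notes).
Set-RdClientToggle -Path $WebRtcKey -Name 'UseHardwareEncoding' -Mode Enable

# GPU swap-chain render path (on by default since 1.2.2851; 0 disables it).
Set-RdClientToggle -Path $ClientKey -Name 'IsSwapChainRenderingEnabled' -Mode Disable

# Report the current state of both toggles; $null means "client default".
[pscustomobject]@{
    UseHardwareEncoding         = Get-RdClientToggle -Path $WebRtcKey -Name 'UseHardwareEncoding'
    IsSwapChainRenderingEnabled = Get-RdClientToggle -Path $ClientKey -Name 'IsSwapChainRenderingEnabled'
}
```

Both values live under HKEY_CURRENT_USER, so they apply only to the signed-in user's client and need no elevation to change; an administrator who wants a fleet-wide setting has to deliver the same value to each user hive rather than to HKEY_LOCAL_MACHINE.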

Updates for version 1.2.2322


Published: August 24, 2021

In this release, we've made the following changes:

Improved client logging, diagnostics, and error classification to help admins
troubleshoot connection and feed issues.
Added updates to Teams on Azure Virtual Desktop, including:
Fixed an issue that caused the screen to turn black when Direct X wasn't
available for hardware decoding.
Fixed a software decoding and camera preview issue that happened when
falling back to software decode.
Multimedia redirection for Azure Virtual Desktop is now in preview.

Updates for version 1.2.2223


Published: August 10, 2021

In this release, we've made the following change:

Fixed the security vulnerability known as CVE-2021-34535.

Updates for version 1.2.2222


Published: July 27, 2021

In this release, we've made the following changes:

The client also updates in the background when the auto-update feature is
enabled, no remote connection is active, and msrdcw.exe isn't running.
Improved client logging, diagnostics, and error classification to help admins
troubleshoot connection and feed issues.
Fixed an ICE inversion parameter issue that prevented some Teams calls from
connecting.

Updates for version 1.2.2130

Published: June 22, 2021

In this release, we've made the following changes:

Windows Virtual Desktop has been renamed to Azure Virtual Desktop. Learn more
about the name change at our announcement on our blog.
Fixed an issue where the client would ask for authentication after the user ended
their session and closed the window.
Improved client logging, diagnostics, and error classification to help admins
troubleshoot connection and feed issues.
Fixed an issue with Logitech C270 cameras where Teams only showed a black
screen in the camera settings and while sharing images during calls.

Updates for version 1.2.2061


Published: May 25, 2021

In this release, we've made the following changes:

Improved client logging, diagnostics, and error classification to help admins
troubleshoot connection and feed issues.
Updates to Teams on Azure Virtual Desktop, including the following:
Resolved a black screen video issue that also fixed a mismatch in video
resolutions with Teams Server.
Teams on Azure Virtual Desktop now changes resolution and bitrate in
accordance with what Teams Server expects.

Updates for version 1.2.1954


Published: May 13, 2021

In this release, we've made the following change:

Fixed the vulnerability known as CVE-2021-31186.
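Across this changelog, the "Fixed the vulnerability known as CVE-..." entries (versions 1.2.4583, 1.2.4337, 1.2.4159, 1.2.3317, 1.2.3130, 1.2.2925, 1.2.2691, 1.2.2687, 1.2.2606, 1.2.2223 and 1.2.1954) give the first client build that carries each fix, which is exactly the table an administrator needs to tell whether an installed client is behind on security fixes. The following PowerShell is an added example, not code from the release notes or the client: it reads the file version of msrdc.exe and lists every CVE fix from this page that the installed build predates. The CVE-to-version table is taken from the entries above; the two install locations are assumptions (the per-machine and per-user install paths), and the function names are this example's own.

```powershell
# Added example: report which CVE fixes listed in this changelog are missing from the
# Remote Desktop client (msrdc.exe) installed on the local machine. The table below is
# taken from the release notes on this page; the install paths are assumptions.

# First client version containing each fix, per the release notes above.
$CveFixes = @(
    @{ Version = '1.2.4583'; Cves = 'CVE-2023-5217' }
    @{ Version = '1.2.4337'; Cves = 'CVE-2023-29362', 'CVE-2023-29352' }
    @{ Version = '1.2.4159'; Cves = 'CVE-2023-28267' }
    @{ Version = '1.2.3317'; Cves = 'CVE-2022-30221' }
    @{ Version = '1.2.3130'; Cves = 'CVE-2022-22017', 'CVE-2022-26940', 'CVE-2022-22015' }
    @{ Version = '1.2.2925'; Cves = 'CVE-2022-21990', 'CVE-2022-24503' }
    @{ Version = '1.2.2691'; Cves = 'CVE-2019-0887', 'CVE-2022-21850', 'CVE-2022-21851' }
    @{ Version = '1.2.2687'; Cves = 'CVE-2021-1669' }
    @{ Version = '1.2.2606'; Cves = 'CVE-2021-38665', 'CVE-2021-38666' }
    @{ Version = '1.2.2223'; Cves = 'CVE-2021-34535' }
    @{ Version = '1.2.1954'; Cves = 'CVE-2021-31186' }
)

# Assumed install locations: per-machine (MSI with ALLUSERS) and per-user installs.
$CandidatePaths = @(
    "$env:ProgramFiles\Remote Desktop\msrdc.exe",
    "$env:LOCALAPPDATA\Apps\Remote Desktop\msrdc.exe"
)

function Get-InstalledRdClient {
    # Returns one object per msrdc.exe found. A per-user copy can be a different
    # version from the per-machine one, so every location is reported.
    param([string[]] $Paths = $CandidatePaths)
    foreach ($p in $Paths) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        $raw = (Get-Item -LiteralPath $p).VersionInfo.FileVersion   # e.g. "1.2.4583.0"
        $v = [version] $raw
        # Keep major.minor.build so "1.2.4583.0" compares equal to the table's "1.2.4583"
        # ([version] treats a missing fourth part as less than 0).
        [pscustomobject]@{
            Path    = $p
            Version = [version] ('{0}.{1}.{2}' -f $v.Major, $v.Minor, $v.Build)
        }
    }
}

function Get-MissingRdClientCveFixes {
    # Emits one record per CVE whose fixing build is newer than the installed build.
    param([Parameter(Mandatory)] [version] $Installed)
    foreach ($fix in $CveFixes) {
        if ($Installed -lt [version] $fix.Version) {
            foreach ($cve in $fix.Cves) {
                [pscustomobject]@{ Cve = $cve; FixedIn = $fix.Version; Installed = $Installed }
            }
        }
    }
}

$clients = @(Get-InstalledRdClient)
if ($clients.Count -eq 0) {
    Write-Warning 'msrdc.exe not found in the assumed install locations.'
}
foreach ($client in $clients) {
    "msrdc.exe $($client.Version) at $($client.Path)"
    $missing = @(Get-MissingRdClientCveFixes -Installed $client.Version)
    if ($missing.Count -eq 0) { '  All CVE fixes listed in this changelog are present.' }
    else { $missing | Format-Table -AutoSize }
}
```

The comparison uses the file version of the binary rather than an uninstall registry entry, so it also catches a per-user copy that the auto-update feature has not yet replaced; run it under the user account whose %LOCALAPPDATA% you want checked.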

Updates for version 1.2.1953


Published: May 6, 2021

In this release, we've made the following changes:

Fixed an issue that caused the client to crash when users selected Disconnect all
sessions in the system tray.
Fixed an issue where the client wouldn't switch to full screen on a single monitor
with a docking station.
Improved client logging, diagnostics, and error classification to help admins
troubleshoot connection and feed issues.
Updates to Teams on Azure Virtual Desktop, including the following:
Added hardware acceleration for video processing outgoing video streams for
Windows 10-based clients.
When joining a meeting with both a front-facing and rear-facing or external
camera, the front-facing camera will be selected by default.
Fixed an issue that made Teams on Azure Virtual Desktop crash while loading
on x86-based machines.
Fixed an issue that caused striations during screen sharing.
Fixed an issue that prevented some people in meetings from seeing incoming
video or screen sharing.

Updates for version 1.2.1844


Published: March 23, 2021

In this release, we've made the following changes:

Updated background installation functionality to perform silently for the client
auto-update feature.
Fixed an issue where the client forwarded multiple attempts to launch a desktop to
the same session. Depending on your group policy configuration, the session host
can now allow the creation of multiple sessions for the same user on the same
session host or disconnect the previous connection by default. This behavior
wasn't consistent before version 1.2.1755.
Improved client logging, diagnostics, and error classification to help admins
troubleshoot connection and feed issues.
Updates for Teams on Azure Virtual Desktop, including the following:
We've offloaded video processing (XVP) to reduce CPU utilization by 5-10%
(depending on CPU generation). Combined with the hardware decode feature
from February's update, we've now reduced the total CPU utilization by 10-20%
(depending on CPU generation).
We've added XVP and hardware decode, which allows older machines to display
more incoming video streams smoothly in 2x2 mode.
We've also updated the WebRTC stack from version M74 to M88. M88 has
better reliability, AV sync performance, and fewer transient issues.
We've replaced our software H264 encoder with OpenH264. OpenH264 is an
open-source codec that increases video quality of the outgoing camera stream.
The client now ships with 2x2 mode, which shows up to four incoming video
streams simultaneously.

Updates for version 1.2.1755


Published: February 23, 2021

In this release, we've made the following changes:

Added the Experience Monitor access point to the system tray icon.
Fixed an issue where entering an email address into the Subscribe to a Workplace
tab caused the application to stop responding.
Fixed an issue where the client sometimes didn't send Event Hubs and Diagnostics
events.
Updates to Teams on Azure Virtual Desktop, including:
Improved audio and video sync performance and added hardware accelerated
decode that decreases CPU utilization on the client.
Addressed the most prevalent causes of black screen issues when a user joins a
call or meeting with their video turned on, when a user performs screen sharing,
and when a user toggles their camera on and off.
Improved quality of active speaker switching in single video view by reducing
the time it takes for the video to appear and reducing intermittent black screens
when switching video streams to another user.
Fixed an issue where hardware devices with special characters would sometimes
not be available in Teams.

Updates for version 1.2.1672


Published: January 26, 2021

In this release, we've made the following changes:

Added support for the screen capture protection feature for Windows 10
endpoints. To learn more, see Session host security best practices.
Added support for proxies that require authentication for feed subscription.
The client now shows a notification with an option to retry if an update didn't
successfully download.
Addressed some accessibility issues with keyboard focus and high-contrast mode.

Updates for version 1.2.1525

Published: December 1, 2020

In this release, we've made the following changes:

Added List view for remote resources so that longer app names are readable.
Added a notification icon that appears when an update for the client is available.

Updates for version 1.2.1446


Published: October 27, 2020

In this release, we've made the following changes:

Added the auto-update feature, which allows the client to install the latest updates
automatically.
The client now distinguishes between different feeds in the Connection Center.
Fixed an issue where the subscription account doesn't match the account the user
signed in with.
Fixed an issue where some users couldn't access a RemoteApp through a
downloaded file.
Fixed an issue with Smartcard redirection.

Updates for version 1.2.1364


Published: September 22, 2020

In this release, we've made the following changes:

Fixed an issue where single sign-on (SSO) didn't work on Windows 7.
Fixed the connection failure that happened when calling or joining a Teams call
while another app has an audio stream opened in exclusive mode and when media
optimization for Teams is enabled.
Fixed a failure to enumerate audio or video devices in Teams when media
optimization for Teams is enabled.
Added a Need help with settings? link to the desktop settings page.
Fixed an issue with the Subscribe button that happened when using high-contrast
dark themes.

Updates for version 1.2.1275


Published: August 25, 2020

In this release, we've made the following changes:

Added functionality to auto-detect sovereign clouds from the user's identity.
Added functionality to enable custom URL subscriptions for all users.
Fixed an issue with app pinning on the feed taskbar.
Fixed a crash when subscribing with URL.
Improved experience when dragging a RemoteApp window with touch or pen.
Fixed an issue with localization.

Updates for version 1.2.1186

Published: July 28, 2020

In this release, we've made the following changes:

You can now be subscribed to Workspaces with multiple user accounts, using the overflow menu (...) option on the command bar at the top of the client. To differentiate Workspaces, the Workspace titles now include the username, as do all app shortcut titles.
Added additional information to subscription error messages to improve troubleshooting.
The collapsed/expanded state of Workspaces is now preserved during a refresh.
Added a Send Diagnostics and Close button to the Connection information dialog.
Fixed an issue with the CTRL + SHIFT keys in remote sessions.

Updates for version 1.2.1104

Published: June 23, 2020

In this release, we've made the following changes:

Updated the automatic discovery logic for the Subscribe option to support the Azure Resource Manager-integrated version of Azure Virtual Desktop. Customers with only Azure Virtual Desktop resources should no longer need to provide consent for Azure Virtual Desktop (classic).
Improved support for high-DPI devices with scale factor up to 400%.
Fixed an issue where the disconnect dialog didn't appear.
Fixed an issue where command bar tooltips would remain visible longer than expected.
Fixed a crash when you tried to subscribe immediately after a refresh.
Fixed a crash from incorrect parsing of date and time in some languages.

Updates for version 1.2.1026

Published: May 27, 2020

In this release, we've made the following changes:

When subscribing, you can now choose your account instead of typing your email address.
Added a new Subscribe with URL option that allows you to specify the URL of the Workspace you are subscribing to or leverage email discovery when available in cases where we can't automatically find your resources. This is similar to the subscription process in the other Remote Desktop clients. This can be used to subscribe directly to Azure Virtual Desktop workspaces.
Added support to subscribe to a Workspace using a new URI scheme that can be sent in an email to users or added to a support website.
Added a new Connection information dialog that provides client, network, and server details for desktop and app sessions. You can access the dialog from the connection bar in full screen mode or from the System menu when windowed.
Desktop sessions launched in windowed mode now always maximize instead of going full screen when maximizing the window. Use the Full screen option from the system menu to enter full screen.
The Unsubscribe prompt now displays a warning icon and shows the workspace names as a bulleted list.
Added the details section to additional error dialogs to help diagnose issues.
Added a timestamp to the details section of error dialogs.
Fixed an issue where the RDP file setting desktop size ID didn't work properly.
Fixed an issue where the Update the resolution on resize display setting didn't apply after launching the session.
Fixed localization issues in the desktop settings panel.
Fixed the size of the focus box when tabbing through controls on the desktop settings panel.
Fixed an issue causing the resource names to be difficult to read in high contrast mode.
Fixed an issue causing the update notification in the action center to be shown more than once a day.

Updates for version 1.2.945

Published: April 28, 2020

In this release, we've made the following changes:

Added new display settings options for desktop connections available when right-clicking a desktop icon on the Connection Center.
  There are now three display configuration options: All displays, Single display and Select displays.
  We now only show available settings when a display configuration is selected.
  In Select display mode, a new Maximize to current displays option allows you to dynamically change the displays used for the session without reconnecting. When enabled, maximizing the session causes it to go full screen on all displays touched by the session window.
  We've added a new Single display when windowed option for all displays and select displays modes. This option switches your session automatically to a single display when you exit full screen mode, and automatically returns to multiple displays when you maximize the window.
We've added a new Display settings group to the system menu that appears when you right-click the title bar of a windowed desktop session. This will let you change some settings dynamically during a session. For example, you can change the new Single display mode when windowed and Maximize to current displays settings.
When you exit full screen, the session window will return to its original location when you first entered full screen.
The background refresh for Workspaces has been changed to every four hours instead of every hour. A refresh now happens automatically when launching the client.
Resetting your user data from the About page now redirects to the Connection Center when completed instead of closing the client.
The items in the system menu for desktop connections were reordered and the Help topic now points to the client documentation.
Addressed some accessibility issues with tab navigation and screen readers.
Fixed an issue where the Azure Active Directory authentication dialog appeared behind the session window.
Fixed a flickering and shrinking issue when dragging a desktop session window between displays of different scale factors.
Fixed an error that occurred when redirecting cameras.
Fixed multiple crashes to improve reliability.

Updates for version 1.2.790

Published: March 24, 2020

In this release, we've made the following changes:

Renamed the Update action for Workspaces to Refresh for consistency with other Remote Desktop clients.
You can now refresh a Workspace directly from its context menu.
Manually refreshing a Workspace now ensures all local content is updated.
You can now reset the client's user data from the About page without needing to uninstall the app.
You can also reset the client's user data using msrdcw.exe /reset with an optional /f parameter to skip the prompt.
We now automatically look for a client update when navigating to the About page.
Updated the color of the buttons for consistency.

Updates for version 1.2.675

Published: February 25, 2020

In this release, we've made the following changes:

Connections to Azure Virtual Desktop are now blocked if the RDP file is missing the signature or one of the signscope properties has been modified.
When a Workspace is empty or has been removed, the Connection Center no longer appears to be empty.
Added the activity ID and error code on disconnect messages to improve troubleshooting. You can copy the dialog message with Ctrl+C.
Fixed an issue that caused the desktop connection settings to not detect displays.
Client updates no longer automatically restart the PC.
Windowless icons should no longer appear on the taskbar.
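The signed RDP file check described in the first item above is also one an administrator can run before distributing a file. The following Python script is an added example, not Microsoft's or this page's code: it parses an .rdp file, confirms that signscope and signature are present and decodable, and reports which settings in the file lie inside the signed scope and which do not. The sample file, the placeholder signature bytes, the whitespace-indented continuation convention for the signature value, and the name normalization used to match signscope names against file keys are assumptions.

```python
"""Report whether an .rdp file is signed and which settings the signature covers.

Added example, not Microsoft's code. A signed .rdp file carries a
`signscope:s:` property naming the settings the signature protects and a
`signature:s:` property holding a base64 signature blob. The client blocks a
connection when the signature is missing or a covered setting was changed, so
an administrator distributing .rdp files wants to know, ahead of time, which
settings in the file are inside that protected scope and which are not.
"""
import base64
from dataclasses import dataclass, field

# Constructed sample file. The signature value is placeholder base64, not a real
# signature, and the indented continuation line follows the convention assumed
# here for long signature values (as written by rdpsign.exe).
SAMPLE_RDP = """\
full address:s:host.example.test:3389
server port:i:3389
gatewayhostname:s:gw.example.test
gatewayusagemethod:i:1
alternate shell:s:||AppName
remoteapplicationmode:i:1
redirectclipboard:i:1
drivestoredirect:s:*
signscope:s:Full Address,Server Port,GatewayHostname,GatewayUsageMethod,Alternate Shell,RemoteApplicationMode
signature:s:AQABAAEAAAABAAAA
  QUJDREVGR0hJSktM
"""

VALID_TYPES = {"s", "i", "b"}          # string, integer, binary (hex)
GATEWAY_USAGE_METHODS = range(0, 5)    # documented values are 0 through 4


@dataclass
class RdpFile:
    props: dict = field(default_factory=dict)   # lowercase key -> (type, value)
    errors: list = field(default_factory=list)


def parse_rdp(text: str) -> RdpFile:
    """Parse `name:type:value` lines; whitespace-led lines continue the previous value."""
    rdp = RdpFile()
    last_key = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace() and last_key is not None:
            typ, value = rdp.props[last_key]
            rdp.props[last_key] = (typ, value + raw.strip())
            continue
        parts = raw.split(":", 2)
        if len(parts) != 3 or parts[1] not in VALID_TYPES:
            rdp.errors.append(f"malformed line: {raw!r}")
            last_key = None
            continue
        key, typ, value = parts[0].strip().lower(), parts[1], parts[2]
        if typ == "i" and not value.lstrip("-").isdigit():
            rdp.errors.append(f"{key}: integer property with non-integer value {value!r}")
        elif typ == "b":
            try:
                bytes.fromhex(value)
            except ValueError:
                rdp.errors.append(f"{key}: binary property is not valid hex")
        rdp.props[key] = (typ, value)
        last_key = key
    gum = rdp.props.get("gatewayusagemethod")
    if gum and gum[1].lstrip("-").isdigit() and int(gum[1]) not in GATEWAY_USAGE_METHODS:
        rdp.errors.append(f"gatewayusagemethod: unexpected value {gum[1]}")
    return rdp


def _norm(name: str) -> str:
    # Assumption: signscope uses display names ("Full Address") for keys that are
    # written in lowercase ("full address"); compare with case and spaces removed.
    return name.replace(" ", "").lower()


def check_signature(rdp: RdpFile) -> dict:
    """Return {'signed', 'signature_bytes', 'covered', 'unsigned'} for the file."""
    report = {"signed": False, "signature_bytes": 0, "covered": [], "unsigned": []}
    if "signscope" not in rdp.props or "signature" not in rdp.props:
        return report
    try:
        report["signature_bytes"] = len(base64.b64decode(rdp.props["signature"][1], validate=True))
    except ValueError:          # binascii.Error is a ValueError subclass
        return report
    scope = {_norm(n) for n in rdp.props["signscope"][1].split(",") if n.strip()}
    for key in rdp.props:
        if key in ("signscope", "signature"):
            continue
        (report["covered"] if _norm(key) in scope else report["unsigned"]).append(key)
    report["signed"] = True
    return report


if __name__ == "__main__":
    parsed = parse_rdp(SAMPLE_RDP)
    result = check_signature(parsed)
    print("parse errors:", parsed.errors or "none")
    print("signed:", result["signed"], f"({result['signature_bytes']} signature bytes)")
    print("covered by signature:", ", ".join(result["covered"]))
    print("outside signed scope: ", ", ".join(result["unsigned"]) or "none")
```

The script checks presence and structure only; verifying the signature itself against the signing certificate is done by the client at connection time.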

Updates for version 1.2.605

Published: January 29, 2020

In this release, we've made the following changes:

You can now select which displays to use for desktop connections. To change this setting, right-click the icon of the desktop connection and select Settings.
Fixed an issue where the connection settings didn't display the correct available scale factors.
Fixed an issue where Narrator couldn't read the dialogue shown while the connection initiated.
Fixed an issue where the wrong user name displayed when the Azure Active Directory and Active Directory names didn't match.
Fixed an issue that made the client stop responding when initiating a connection while not connected to a network.
Fixed an issue that caused the client to stop responding when attaching a headset.

Updates for version 1.2.535

Published: December 4, 2019

In this release, we've made the following changes:

You can now access information about updates directly from the more options button on the command bar at the top of the client.
You can now report feedback from the command bar of the client.
The Feedback option is now only shown if the Feedback Hub is available.
Ensured the update notification is not shown when notifications are disabled through policy.
Fixed an issue that prevented some RDP files from launching.
Fixed a crash on startup of the client caused by corruption of some persistent settings.

Updates for version 1.2.431

Published: November 12, 2019

In this release, we've made the following changes:

The 32-bit and ARM64 versions of the client are now available!
The client now saves any changes you make to the connection bar (such as its position, size, and pinned state) and applies those changes across sessions.
Updated gateway information and connection status dialogs.
Addressed an issue that caused two credentials to prompt at the same time while trying to connect after the Azure Active Directory token expired.
On Windows 7, users are now properly prompted for credentials if they had saved credentials when the server disallows it.
The Azure Active Directory prompt now appears in front of the connection window when reconnecting.
Items pinned to the taskbar are now updated during a feed refresh.
Improved scrolling on the Connection Center when using touch.
Removed the empty line from the resolution drop-down menu.
Removed unnecessary entries in Windows Credential Manager.
Desktop sessions are now properly sized when exiting full screen.
The RemoteApp disconnection dialog now appears in the foreground when you resume your session after entering sleep mode.
Addressed accessibility issues like keyboard navigation.

Updates for version 1.2.247

Published: September 17, 2019

In this release, we've made the following changes:

Improved the fallback languages for localized versions. (For example, FR-CA will properly display in French instead of English.)
When removing a subscription, the client now properly removes the saved credentials from Credential Manager.
The client update process is now unattended once started and the client will relaunch once completed.
The client can now be used on Windows 10 in S mode.
Fixed an issue that caused the update process to fail for users with a space in their username.
Fixed a crash that happened when authenticating during a connection.
Fixed a crash that happened when closing the client.


What's new in the Remote Desktop client for macOS
Article • 08/02/2024

In this article you'll learn about the latest updates for the Remote Desktop client for macOS. To learn more about using the Remote Desktop client for macOS with Azure Virtual Desktop, see Connect to Azure Virtual Desktop with the Remote Desktop client for macOS and Use features of the Remote Desktop client for macOS when connecting to Azure Virtual Desktop.

Latest client versions

The following table lists the current versions available for the public and beta releases:

Release   Latest version   Download
Public    10.9.9           Mac App Store
Beta      10.9.9           Microsoft AppCenter

Updates for version 10.9.9

Published: July 22, 2024

In this release, we made the following changes:

Applied a workaround to fix a screen sharing bug when using Teams optimizations.
Fixed a protocol sequencing issue that broke smart card redirection.

Updates for version 10.9.8

Published: June 18, 2024

In this release, we made the following changes:

Updated the client connection path to fall back to TLS when NTLM isn't available in the context of Network Level Authentication (NLA).
Applied a workaround to address a black screen when screen sharing via Microsoft Teams redirection.

Updates for version 10.9.7

Published: May 21, 2024

In this release, we made the following changes:

Resolved issues with connections that were routed via a Remote Desktop Services gateway behind an F5 web app filter.
Fixed bugs in the single sign-on protocol connection sequence that were breaking connectivity.
Improved diagnostics sent during connections to Azure Virtual Desktop.

Updates for version 10.9.6

Published: February 26, 2024

In this release, we made the following changes:

Bug fixes for issues reported by users and internal telemetry.

Important

Starting with version 10.9.6, the macOS client only supports macOS 12 and later.

Updates for version 10.9.5

Published: December 12, 2023

In this release, we made the following changes:

Resolved some of the top crashes reported by customers from our telemetry.
Fixed microphone redirection on macOS 14.
Sorted out daylight savings time issues for time zone redirection scenarios.
Added watermarking support for Azure Virtual Desktop scenarios.
Resolved an issue that caused workspace resource icons to be partially obscured by a white or black rectangle. If you encounter this issue, you can force a workspace refresh by selecting Help > Troubleshooting > Force Refresh All Workspaces.

Updates for version 10.9.4

Published: October 20, 2023

In this release, we made the following changes:

Fixed an issue that caused printer redirection to not work for connections between macOS Sonoma and Windows 10 or later.

Updates for version 10.9.3

Published: October 2, 2023

In this release, we made the following changes:

Fixed an issue where using workspace refresh deleted the workspace.
Resolved a RemoteApp issue where drag operations sometimes didn't work on certain apps.
Fixed an incorrect error message displayed for expired passwords.
Addressed a number of accessibility bugs.

Updates for version 10.9.2

Published: September 11, 2023

In this release, we made the following changes:

Addressed the Proof Key for Code Exchange is required message users receive when refreshing Azure Virtual Desktop workspaces after upgrading from versions 10.9.0 and 10.9.1.

Updates for version 10.9.1

Published: September 5, 2023

In this release, we made the following changes:

Addressed clipboard redirection issue for macOS 11.

Updates for version 10.9.0

Published: August 16, 2023

In this release, we added two new features for Azure Virtual Desktop and addressed a number of reported bugs and incidents.

Added support for RDP Shortpath for public networks for Azure Virtual Desktop connections.
Integrated an Azure Virtual Desktop account profile switcher into the Connection Center.
Improved diagnostics sent during Azure Virtual Desktop connections.
Added support for video mirroring in Teams redirection.

Note

This release isn't compatible with macOS 10.14 and macOS 10.15.

Updates for Version 10.8.4

Published: June 16, 2023

In this release, we made the following changes:

Updated time zone redirection to accommodate certain daylight savings scenarios.
Resolved an issue that incorrectly toggled Caps Lock in RemoteApp connections.
Changed gesture recognition to make small mouse-scrolling movements smoother.
Fixed an issue that caused the client to stop responding when resuming a connection after entering sleep mode.
Updated Azure Virtual Desktop diagnostics to align with service expectations.
Created a workaround for a service-side simulcast regression that affected Teams redirection.

Updates for Version 10.8.3

Published: May 20, 2023

In this release, we made the following changes:

Fixed connectivity issue that affected connections with Windows XP and Windows Vista.
Addressed an issue that caused diagnostics reporting for Azure Virtual Desktop connections to be inaccurate.

Updates for Version 10.8.2

Published: April 25, 2023

In this release, we made the following changes:

Integrated support for the new Remote Desktop Services (RDS) Azure Active Directory (Azure AD) Auth Protocol for authentication and session security.
Added deterministic progress UI for Azure Virtual Desktop workspace refresh.
Resolved some of the most common crashes reported by debug telemetry.
Fixed a bug that caused vertical lines to appear in the remote session rendering.
Addressed a scenario where the app would stop responding when running Slack.
Addressed issue with full-screen scenarios that happened when users disabled the Displays have separate Spaces setting.
Fixed an issue that resulted in the caps lock state syncing incorrectly between client and server.
Performance and reliability updates to Teams redirection.
Updates to improve Azure Virtual Desktop connectivity and diagnostics.

Updates for Version 10.8.1

Published: January 25, 2023

In this release, we made the following changes:

Bug fixes and feature updates.
Teams redirection for Azure Virtual Desktop now supports Noise Cancellation and Give/Take Control.
Fixed connection blocking issues that affected a small number of users.
Updated Azure Virtual Desktop diagnostics to address a reporting error.
New clipboard redirection options including bidirectional clipboard syncing, local to remote, or remote to local.

Updates for Version 10.8.0

Published: December 14, 2022

In this release, we made the following changes:

Fixed a few bugs, cleaned up some underlying code, and made changes to prepare for future updates.
Added a button to the General Preferences dialog that allows you to clear stored PC thumbnails.

Updates for Version 10.7.10

Published: October 24, 2022

In this release, we've added some new features to Teams redirection for Azure Virtual Desktop and Windows 365 scenarios:

Give/Take Control support.
Background blur support.
Background replacement support.

We've also made some additional fixes and performance improvements, including the following:

We resolved some customer-reported time zone redirection mismatches.
We've improved smart card redirection performance.
We addressed overactive Azure Virtual Desktop diagnostics reporting.
We fixed a crash that happened when users moved hidden windows in RemoteApp scenarios.

Updates for version 10.7.9

Date Published: August 11, 2022

In this release, we fixed some customer-reported bugs and issues reported by telemetry. Two of the impacted feature areas include Teams redirection and multi-monitor support.

Updates for version 10.7.8

Date Published: July 25, 2022

In this release, we made the following changes:

Added thumbnail snapshots for published PC resources to the Workspaces tab of the Connection Center.
Integrated logging support that you could previously only access with user defaults to the UI. To access the logs, go to Help > Troubleshooting > Logging.
You can now reset all subscribed Azure Virtual Desktop workspaces.
Fixed a deadlock in the client logging infrastructure.
Improved diagnostic error reporting for Azure Active Directory authentication failures in Azure Virtual Desktop scenarios.

Updates for version 10.7.7

Date Published: June 23, 2022

In this release we added the following new features:

A custom app switcher which spans multiple sessions for RemoteApp scenarios (triggered by the Option+Tab keyboard combination).
Support for the in-session redirection of PIV smart cards (such as Yubikey).

We've also:

Added support for audio and video stream optimizations when connecting to Azure Virtual Desktop session hosts that support Teams redirection. Learn more at Use Microsoft Teams on Azure Virtual Desktop.
Made updates to improve connectivity, performance and diagnostic metrics when connecting to Azure Virtual Desktop deployments.

With respect to bugs and smaller features, the following list summarizes some highlights:

Added support for eTags in Azure Virtual Desktop workspace refresh scenarios to improve sync times.
The read-only column in the folder redirection selection UI has been resized to show the full column header.
Fixed an issue that resulted in the Outlook client showing the incorrect time or time zone for certain calendar entries.
Resolved discrepancies with the reporting of device physical width and height across Retina and non-Retina scenarios.
Updated the client to trigger an auto-reconnect in Azure Virtual Desktop scenarios when a 0x3 error is generated by the Gateway.
Resolved an issue where the mouse cursor on a high DPI monitor is larger than on a regular monitor.
Updated the client to terminate auto-reconnect if the session window is closed after waking from sleep.
Addressed an issue where the mapped hotkeys CMD+C, CMD+V, and CMD+F didn't work in nested sessions.
Hid the Import from Remote Desktop 8 option if there is no data to import.

Updates for version 10.7.6

Date Published: February 3, 2022

In this release, we made some changes to improve connection reliability for Azure Virtual Desktop scenarios.

Updates for version 10.7.5

Published: January 25, 2022

In this release, we made the following changes:

Fixed an issue that caused display configuration to not work properly when using the client on 2021 MacBook Pro 14" and 16" devices with multiple monitors. This issue mainly affected devices with external monitors positioned above the MacBook display.
Fixed an issue that caused the client to crash when used on earlier versions of macOS 12.
Fixed customer-reported smart card and folder redirection issues.

Updates for version 10.7.4

Published: January 13, 2022

In this release, we made the following changes:

Addressed full screen display issues with 2021 MacBook Pro 14" and 16" models.
Better handle load-balanced Remote Desktop Gateway configurations.

Updates for version 10.7.3

Published: December 17, 2021

Unfortunately, the 10.7.2 update disabled smart card redirection for some users when they'd try to reconnect to their sessions. As a result, we've released this update to address the issue.

Updates for version 10.7.2

Published: December 13, 2021

In this release, we made the following changes:

Added support for the Touch Bar on MacBook Pro devices.
Refreshed the look and feel of the PCs and Apps tabs in the Connection Center.
Added a new SHIFT+COMMAND+K hotkey that opens the Connection Center.
Improved compatibility with third-party network devices and load balancers for workspace download and Remote Desktop Gateway-based connections.
Support for the ms-rd URI scheme.
Improved support for invertible mouse cursors that straddle the image boundary.
Support for .RDPW files produced by the Azure Virtual Desktop web client.
Fixed an issue that caused the workspace subfolder to remain expanded even if you've collapsed the root folder.
Updates and enhancements to Teams redirection (only available in Azure Virtual Desktop scenarios).
Addressed reliability issues identified through crash reporting and feedback.

Updates for version 10.7.1

Published: November 4, 2021

In this release, we made the following changes:

Addressed issues that caused the app to crash.

Updates for version 10.7.0

Published: October 21, 2021

In this release, we made the following changes:

Addressed issues brought up by users in crash reports and general feedback.
Invertible cursors, such as the text cursor, are now outlined to make them visible on dark backgrounds.
Made improvements to the code for the Connection Center for both PCs and workspaces.
Added support for moving the local window while using a RemoteApp.
  By default, local window movement in RemoteApp scenarios is disabled. To enable local window movement, set the EnableRemoteAppLocalMove policy to True.
Updated the Connection Information prompt that appears when you go to Connections > Show Connection Information.
Added screen capture protection for Azure Virtual Desktop scenarios.
Addressed an issue that allowed folders to be redirected multiple times.
Added a link to the new support forum at Help > Submit feedback.
Updates improving security, connectivity and performance while connecting to Azure Virtual Desktop.

Updates for version 10.6.8

Published: August 16, 2021

In this release, we made the following changes:

Added background refresh for subscribed workspaces.
Addressed issues where the session window may switch to another monitor when auto-reconnecting.
Addressed issues where the session window would intermittently enlarge after connecting.
Addressed issues where the name of a redirected folder would be incorrect in the remote session.
Addressed issues when resizing remote app windows.
Improved error messages that are displayed when user accounts fail to update.
Addressed issues where window titles in the list of connected remote apps were blank.
Addressed multi-monitor issue where the mouse cursor shape would not update correctly when dragging between monitors.
Added a checkbox to General Preferences to enable/disable Microsoft Teams optimizations.
Added a UI to report if a remote app could not be launched on the server due to not being on the system allowlist.
Addressed issues where the session window could not expand when placed at the top or bottom of the screen.
Addressed scenarios where the mouse cursor would disappear while connected to a remote PC.
Deletion of an Azure Virtual Desktop workspace now correctly removes all associated workspaces.
Addressed issues where adding a folder to redirect to a bookmark would enable the Add button with an empty PC name.
Addressed issues where double-clicking the title bar incorrectly stretches the session window.
Updated the mouse to change to a hand glyph when hovering over a red input error indicator.
Addressed issues where the session window would flash rapidly in the Mission Control or Application windows view.
Improved connectivity and performance metrics when connecting to Azure Virtual Desktop.
Subscribed workspaces are refreshed every six hours, by default, and can be changed using ClientSettings.WorkspaceAutoRefreshInterval (minimum interval is 30 minutes and 24 hours is the maximum).

Updates for version 10.6.7

Published: June 21, 2021

In this release, we made the following changes:

Addressed three connectivity errors that users reported to us:
  Worked around a 0x907 (mismatched certificate) error code that was caused by third-party infrastructure returning an incorrect certificate in redirection scenarios.
  Fixed the root cause of a 0x207 (handshake failure) error code that appeared when users accidentally tried to connect with an incorrect password to a pre-Windows 8 server with Network Level Authentication (NLA) enabled.
  Resolved a 0x1107 (invalid workstation) error code that appeared when Active Directory workstation logon restrictions were set.
Updated the default icon for published desktops and worked around an issue that caused smart card redirection to stop working with recently patched versions of Windows.
Made some updates to improve compatibility and performance metrics when connecting to Azure Virtual Desktop.

Updates for version 10.6.6

Published: May 4, 2021

In this release, we made the following changes:

Enabled connections to Windows Server 2003 servers that have Transport Layer Security (TLS) enabled for Remote Desktop connections.
Addressed a 0x3000066 error message that appeared in Remote Desktop Gateway scenarios, and aligned TLS version usage with the Windows Remote Desktop client.

Updates for version 10.6.5

Published: April 29, 2021

In this release, we made the following changes:

Fixed an issue that made the client return a 0x907 error code when connecting to a server endpoint with a certificate that had a Remote Desktop Authentication EKU property of 1.3.6.1.4.1.311.54.1.2.
Updated the client to address a 0x2407 error code that prevented the client from authorizing users for remote access.

Updates for version 10.6.4

Published: April 22, 2021

In this release, we made the following changes:

Fixed an issue that caused the client to return a 0x907 error code when processing a server authentication certificate with a validity lifetime of over 825 days.

Updates for version 10.6.3

Published: April 20, 2021

In this release, we made the following changes:

Fixed an issue that caused the client to return a 0x507 error code.
Enabled support for the AVC420 codec on Apple Silicon.
Enabled Smart card redirection (requires macOS 11.2 or later) on Apple Silicon.

Updates for version 10.6.2

Published: April 20, 2021

In this release, we made the following changes:

Removed a double prompt for credentials that occurred in some scenarios when users tried to connect with a Remote Desktop Gateway.

Updates for version 10.6.1

Published: April 20, 2021

In this update, we fixed an issue that caused the client to stop responding when connecting to a Remote Desktop Gateway.

Updates for version 10.6.0

Published: April 19, 2021

In this release we made some significant updates to the shared underlying code that powers the Remote Desktop experience across all our clients. We've also added some new features and addressed bugs and crashes that were showing up in error reports.

Added native support for Apple Silicon.
Added client-side IME support when using Unicode keyboard mode.
Integrated Kerberos support in the CredSSP security protocol sequence.
Addressed macOS 11 compatibility issues.
Made updates to improve interoperability with current and upcoming features in the Azure Virtual Desktop service.
Fixed issues that caused mis-paints when decoding AVC data generated by a server-side hardware encoder.
Addressed an issue that made remote Office app windows invisible even though they appeared in the app switcher.

Important

As of this update, the macOS client requires macOS version 10.14 or later to run.

Updates for version 10.5.2

Published: February 15, 2021

In this release, we made the following changes:

Added HTTP proxy support for Remote Desktop Gateway connections.
Fixed an issue where a Remote Desktop Gateway connection would disconnect and a message with error code 0x3000064 would appear.
Addressed a bug where workspace discovery and download wouldn't work if you included the port number in HTTP GET requests.
Refreshed the application icon.

Note

This release is the last release that will be compatible with macOS version 10.13.

Updates for version 10.5.1

Published: January 29, 2021

In this release, we made the following changes:

Addressed an issue where the UI would stop resolving a workspace name during subscription.
Fixed an in-session bug where graphics updates would stall while the client continued to send input.
Resolved reliability issues identified through crash reporting.

Updates for version 10.5.0

Published: December 2, 2020

In this release, we made the following changes:

You can now edit the display, device, and folder redirection settings of published PC connections.
RemoteApp windows now shrink to the dock when minimized.
Added a Connection Information dialog that displays the current bandwidth and round-trip time.
Added support for Remote Desktop Gateway consent and admin messages.
Fixed an issue where an RDP file specifying a gatewayusagemethod value of 0 or 4 was incorrectly imported.
The Edit Workspace sheet now shows the exact time at which the workspace was last updated.
Removed trace spew that was output when using the --script parameter.
Addressed an issue where the client would return a 0x30000066 error when connecting using a Remote Desktop Gateway server.
Fixed an issue that caused the client to repeatedly prompt users for credentials if Extended Protection for Authentication was set on the server.
Addressed reliability issues that users identified through crash reporting.
Addressed keyboard and VoiceOver-related accessibility bugs.

Updates for version 10.4.1

Published: November 6, 2020

In this release, we made the following changes:

Addressed several reliability issues identified through crash reporting.
Addressed keyboard and VoiceOver-related accessibility bugs.
Fixed an issue where the client would hang on reconnect when resuming from sleep.
Fixed an audio artifact heard when playing back the first chunk of a redirected audio stream.
Addressed an issue where the client would report a 0x5000007 error message when connecting using a Remote Desktop Gateway server.
Corrected the aspect ratio of PC thumbnails displayed in the Connection Center.
Improved smart card redirection heuristics to better handle nested transactions.
Fixed a bug that prevented bookmark export if the bookmark's display name contained the / character.
Resolved a bug that caused a 0xD06 protocol error when running Outlook as a RemoteApp.
Added support for a new integer RDP file property (ForceHiDpiOptimizations) to enable Retina display optimization.

Updates for version 10.4.0


Published: August 20, 2020

In this release, we made substantial updates to the underlying code for the Remote
Desktop experience across all our clients. We've also added some new features and
addressed bugs and crashes that were showing up in error reporting. Here are some
changes you may notice:

PC Quick Connect (Cmd+K) allows you to connect to a PC without creating a
bookmark.
Auto-reconnect now recovers from transient network glitches for PC connections.
When resuming a suspended MacBook, you can use auto-reconnect to reconnect
to any disconnected PC connections.
Added support for HTTP proxies when subscribing and connecting to Azure Virtual
Desktop resources.
Implemented support for HTTP proxy automatic configuration with PAC files.
Integrated support for NETBIOS name resolution so you can connect to PCs on
your local network more easily.
Fixed an issue where the system menu bar wouldn't respond while the app was in
focus.
Fixed a client-side race condition that could cause decryption errors on the server.
Made improvements to monitor layout and geometry heuristics for multimon
scenarios involving Retina-class monitors.
Multimon layout configurations are now maintained across session redirection
scenarios.
Addressed an issue that prevented the menu bar from dropping in multimon
scenarios.
User account UI that interacts with the macOS keychain will now surface keychain
access errors.
Hitting cancel during workspace subscription will now result in nothing being
added to the Connection Center.
Added key mappings for Cmd+Z and Cmd+F to map to Ctrl+Z and Ctrl+F
respectively.
Fixed a bug that caused a RemoteApp to open behind the Connection Center
when launched.
Worked around an issue in macOS 10.15 where AAC audio playback caused the
client to stall.
Shift+left-click now works in Unicode mode.
Fixed a bug where using the Shift key triggered the Sticky Keys alert in Unicode
mode.
Added a check for network availability before connection initiation.
Addressed pulsing of PC thumbnails that sometimes happened during the
connection sequence.
Fixed a bug where the password field in the Add/Edit User Account sheet become
multiline.
The Collapse All option is now greyed out if all workspaces are collapsed.
The Expand All option is now greyed out if all workspaces are expanded.
The first-run permissions UI is no longer shown on High Sierra.
Fixed an issue where users were unable to connect to Azure Virtual Desktop
endpoints using saved credentials in the DOMAIN\USERNAME format.
The username field in the credential prompt is now always prepopulated for Azure
Virtual Desktop connections.
Fixed a bug that clipped the Edit, Delete, and Refresh buttons for workspaces if the
Connection Center wasn't wide enough.
The email or workspace URL field in the Add Workspace sheet is no longer case-
sensitive.
Fixed accessibility issues that impacted VoiceOver and keyboard navigation
scenarios.
Lots of updates to improve interoperability with current and upcoming features in
the Azure Virtual Desktop service.
You can now configure the AVC support level advertised by the client from a
terminal prompt. Here are the support levels you can configure:
Don't advertise AVC support to the server: defaults write com.microsoft.rdc.macos AvcSupportLevel disabled
Advertise AVC420 support to the server: defaults write com.microsoft.rdc.macos AvcSupportLevel avc420
Advertise AVC444 support to the server: defaults write com.microsoft.rdc.macos AvcSupportLevel avc444

Updates for version 10.3.9


Published: April 6, 2020

In this release, we made some changes to improve interoperability with the Azure Virtual
Desktop service. In addition, we've included the following updates:

Control+Option+Delete now triggers the Ctrl+Alt+Del sequence (previously
required pressing the Fn key).
Fixed the keyboard mode notification color scheme for Light mode.
Addressed scenarios where connections initiated using the GatewayAccessToken
RDP file property didn't work.

Note

This is the last release that will be compatible with macOS 10.12.

Updates for version 10.3.8


Published: February 12, 2020

With this update, you can switch between Scancode (Ctrl+Command+K) and Unicode
(Ctrl+Command+U) modes when entering keyboard input. Unicode mode allows
extended characters to be typed using the Option key on a Mac keyboard. For example,
on a US Mac keyboard, Option+2 will enter the trademark (™) symbol. You can also
enter accented characters in Unicode mode. For example, on a US Mac keyboard,
entering Option+E and the A key at the same time will enter the character á on your
remote session.
Other updates in this release include:

Cleaned up the workspace refresh experience and UI.


Addressed a smart card redirection issue that caused the remote session to stop
responding at the sign-in screen when the Checking Status message appeared.
Reduced time to create temporary files used for clipboard-based file copy and
paste.
Temporary files used for clipboard file copy and paste are now deleted
automatically when you exit the app, instead of relying on macOS to delete them.
PC bookmark actions are now rendered at the top-right corner of thumbnails.
Made fixes to address issues reported through crash telemetry.

Updates for version 10.3.7


Published: January 6, 2020

In this release, we made the following changes:

Copying things from the remote session to a network share or USB drive no longer
creates empty files.
Specifying an empty password in a user account no longer causes a double
certificate prompt.

Updates for version 10.3.6


Published: January 6, 2020

In this release, we made the following changes:

Addressed an issue that created zero-length files whenever you copied a folder
from the remote session to the local machine using file copy and paste.

Updates for version 10.3.5


Published: January 6, 2020

In this release, we made the following changes:

Redirected folders can now be marked as read-only to prevent their contents from
being changed in the remote session.
We addressed a 0x607 error that appeared when connecting using RPC over
HTTPS Remote Desktop Gateway scenarios.
Fixed cases where users were double-prompted for credentials.
Fixed cases where users received the certificate warning prompt twice.
Added heuristics to improve trackpad-based scrolling.
The client no longer shows the Saved Desktops group if there are no user-created
groups.
Updated UI for the tiles in PC view.
Fixes to address crashes sent to us via application telemetry.

Updates for version 10.3.4


Published: November 18, 2019

In this release, we made the following changes:

When connecting via a Remote Desktop Gateway with multifactor authentication,
the gateway connection will be held open to avoid multiple MFA prompts.
All the client UI is now fully keyboard-accessible with Voiceover support.
Files copied to the clipboard in the remote session are now only transferred when
pasting to the local computer.
URLs copied to the clipboard in the remote session now paste correctly to the local
computer.
Scale factor remoting to support Retina displays is now available for multimonitor
scenarios.
Addressed a compatibility issue with FreeRDP-based RD servers that was causing
connectivity issues in redirection scenarios.
Addressed smart card redirection compatibility with future releases of Windows 10.
Addressed an issue specific to macOS 10.15 where the incorrect available space
was reported for redirected folders.
Published PC connections are represented with a new icon in the Workspaces tab.
Feeds are now called Workspaces, and Desktops are now called PCs.
Fixed inconsistencies and bugs in user account handling in the preferences UI.
Lots of bug fixes to make things run smoother and more reliably.

Updates for version 10.3.3


Published: November 18, 2019

In this release, we made the following changes:

Added user defaults to disable smart card, clipboard, microphone, camera, and
folder redirection:
ClientSettings.DisableSmartcardRedirection
ClientSettings.DisableClipboardRedirection
ClientSettings.DisableMicrophoneRedirection
ClientSettings.DisableCameraRedirection
ClientSettings.DisableFolderRedirection
Resolved an issue that was causing programmatic session window resizes to not be
detected.
Fixed an issue where the session window contents appeared small when
connecting in windowed mode (with dynamic display enabled).
Addressed initial flicker that occurred when connecting to a session in windowed
mode with dynamic display enabled.
Fixed graphics mis-paints that occurred when connected to Windows 7 after
toggling fit-to-window with dynamic display enabled.
Fixed a bug that caused an incorrect device name to be sent to the remote session
(breaking licensing in some third-party apps).
Resolved an issue where RemoteApp windows would occupy an entire monitor
when maximized.
Addressed an issue where the access permissions UI appeared underneath local
windows.
Cleaned up some shutdown code to ensure the client closes more reliably.

Updates for version 10.3.2


Published: November 18, 2019

In this release, we fixed a bug that made the display low resolution while connecting to
a session.

Updates for version 10.3.1


Published: November 18, 2019

In this release, we made the following changes:

Addressed connectivity issues with Remote Desktop Gateway servers that were
using 4096-bit asymmetric keys.
Fixed a bug that caused the client to randomly stop responding when
downloading feed resources.
Fixed a bug that caused the client to crash while opening.
Fixed a bug that caused the client to crash while importing connections from
Remote Desktop, version 8.

Updates for version 10.3.0


Published: August 27, 2019

In this release, we made the following changes:

Camera redirection is now possible when connecting to Windows 10 1809,
Windows Server 2019 and later.
On Mojave and Catalina we've added a new dialog that requests your permission
to use the microphone and camera for device redirection.
The feed subscription flow has been rewritten to be simpler and faster.
Clipboard redirection now includes the Rich Text Format (RTF).
When entering your password, you can now choose to reveal it by selecting the
Show password checkbox.
Addressed scenarios where the session window was jumping between monitors.
The Connection Center displays high-resolution RemoteApp icons when available.
Cmd+A maps to Ctrl+A when Mac clipboard shortcuts are being used.
Cmd+R now refreshes all of your subscribed feeds.
Added new secondary click options to expand or collapse all groups or feeds in the
Connection Center.
Added a new secondary click option to change the icon size in the Feeds tab of the
Connection Center.
A new, simplified, and clean app icon.

Updates for version 10.2.13


Published: May 8, 2019

In this release, we made the following changes:

Fixed a hang that occurred when connecting via a Remote Desktop Gateway.
Added a privacy notice to the Add Feed dialog.

Updates for version 10.2.12


Published: April 16, 2019

In this release, we made the following changes:

Resolved random disconnects (with error code 0x904) that took place when
connecting via a Remote Desktop Gateway.
Fixed a bug that caused the resolutions list in application preferences to be empty
after installation.
Fixed a bug that caused the client to crash if certain resolutions were added to the
resolutions list.
Addressed an ADAL authentication prompt loop when connecting to Azure Virtual
Desktop deployments.

Updates for version 10.2.10


Published: March 30, 2019

In this release, we made the following changes:

Addressed instability caused by the recent macOS 10.14.4 update.


Fixed mis-paints that appeared when decoding AVC codec data encoded by a
server using NVIDIA hardware.

Updates for version 10.2.9


Published: March 6, 2019

In this release, we made the following changes:

Fixed a Remote Desktop Gateway connectivity issue that can occur when server
redirection takes place.
We also addressed a Remote Desktop Gateway regression caused by the 10.2.8
update.

Updates for version 10.2.8


Published: March 1, 2019

In this release, we made the following changes:

Resolved connectivity issues that surfaced when using a Remote Desktop Gateway.
Fixed incorrect certificate warnings that were displayed when connecting.
Addressed some cases where the menu bar and dock would needlessly hide when
launching a RemoteApp.
Reworked the clipboard redirection code to address crashes and hangs that have
been plaguing some users.
Fixed a bug that caused the Connection Center to needlessly scroll when launching
a connection.

Updates for version 10.2.7


Published: February 6, 2019

In this release, we addressed graphics mis-paints (caused by a server encoding bug) that
appeared when using AVC444 mode.

Updates for version 10.2.6


Published: January 28, 2019

In this release, we made the following changes:

Added support for the AVC (420 and 444) codec, available when connecting to
current versions of Windows 10.
In Fit to Window mode, a window refresh now occurs immediately after a resize to
ensure that content is rendered at the correct interpolation level.
Fixed a layout bug that caused feed headers to overlap for some users.
Cleaned up the Application Preferences UI.
Polished the Add/Edit Desktop UI.
Made lots of fit and finish adjustments to the Connection Center tile and list views
for desktops and feeds.

Note

There is a bug in macOS 10.14.0 and 10.14.1 that can cause the
.com.microsoft.rdc.application-data_SUPPORT/_EXTERNAL_DATA folder (nested deep
inside the ~/Library folder) to consume a large amount of disk space. To resolve
this issue, delete the folder content and upgrade to macOS 10.14.2. Note that a
side-effect of deleting the folder contents is that snapshot images assigned to
bookmarks will be deleted. These images will be regenerated when reconnecting to
the remote PC.
Updates for version 10.2.4
Published: December 18, 2018

In this release, we made the following changes:

Added dark mode support for macOS Mojave 10.14.


An option to import from Microsoft Remote Desktop 8 now appears in the
Connection Center if it is empty.
Addressed folder redirection compatibility with some third-party enterprise
applications.
Resolved issues where users were getting a 0x30000069 Remote Desktop Gateway
error due to security protocol fallback issues.
Fixed progressive rendering issues some users were experiencing with fit to
window mode.
Fixed a bug that prevented file copy and paste from copying the latest version of a
file.
Improved mouse-based scrolling for small scroll deltas.

Updates for version 10.2.3


Published: November 6, 2018

In this release, we made the following changes:

Added support for the remoteapplicationcmdline RDP file setting for RemoteApp
scenarios.
The title of the session window now includes the name of the RDP file (and server
name) when launched from an RDP file.
Fixed reported Remote Desktop Gateway performance issues.
Fixed reported Remote Desktop Gateway crashes.
Fixed issues where the connection would hang when connecting through a Remote
Desktop Gateway.
Better handling of a RemoteApp in full-screen by intelligently hiding the menu bar
and dock.
Fixed scenarios where a RemoteApp remained hidden after being launched.
Addressed slow rendering updates when using Fit to Window with hardware
acceleration disabled.
Handled database creation errors caused by incorrect permissions when the client
starts up.
Fixed an issue where the client was consistently crashing at launch and not starting
for some users.
Fixed a scenario where connections were incorrectly imported as full-screen from
Remote Desktop 8.

Updates for version 10.2.2


Published: October 9, 2018

In this release, we made the following changes:

A brand new Connection Center that supports drag and drop, manual arrangement
of desktops, resizable columns in list view mode, column-based sorting, and
simpler group management.
The Connection Center now remembers the last active pivot (Desktops or Feeds)
when closing the app.
The credential prompting UI and flows have been overhauled.
Remote Desktop Gateway feedback is now part of the connecting status UI.
Settings import from the version 8 client has been improved.
RDP files pointing to RemoteApp endpoints can now be imported into the
Connection Center.
Retina display optimizations for single monitor Remote Desktop scenarios.
Support for specifying the graphics interpolation level (which affects blurriness)
when not using Retina optimizations.
256-color support to enable connectivity to Windows 2000.
Fixed clipping of the right and bottom edges of the screen when connecting to
Windows 7, Windows Server 2008 R2 and earlier.
Copying a local file into Outlook (running in a remote session) now adds the file as
an attachment.
Fixed an issue that was slowing down pasteboard-based file transfers if the files
originated from a network share.
Addressed a bug that was causing Excel (running in a remote session) to hang
when saving to a file on a redirected folder.
Fixed an issue that was causing no free space to be reported for redirected folders.
Fixed a bug that caused thumbnails to consume too much disk storage on macOS
10.14.
Added support for enforcing Remote Desktop Gateway device redirection policies.
Fixed an issue that prevented session windows from closing when disconnecting
from a connection using Remote Desktop Gateway.
If Network Level Authentication (NLA) is not enforced by the server, you will now
be routed to the sign-in screen if your password has expired.
Fixed performance issues that surfaced when lots of data was being transferred
over the network.
Smart card redirection fixes.
Support for all possible values of the EnableCredSspSupport and Authentication
Level RDP file settings if the ClientSettings.EnforceCredSSPSupport user default
key (in the com.microsoft.rdc.macos domain) is set to 0.
Support for the Prompt for Credentials on Client RDP file setting when NLA is not
negotiated.
Support for smart card-based sign-in using smart card redirection at the Winlogon
prompt when NLA is not negotiated.
Fixed an issue that prevented downloading feed resources that have spaces in the
URL.
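The AvcSupportLevel commands in the 10.4.0 notes, the ClientSettings.Disable*Redirection keys in the 10.3.3 notes and the ClientSettings.EnforceCredSSPSupport key mentioned above all live in the same com.microsoft.rdc.macos defaults domain, so a managed Mac can have them applied and checked in one place. The script below is an added example, not code from the Microsoft documentation: it writes a restrictive profile with defaults(1) and audits the current values so drift is visible, in particular EnforceCredSSPSupport set to 0, which (per the 10.2.2 notes) lets an RDP file select any EnableCredSspSupport and Authentication Level combination. Assumptions of this example: the Disable*Redirection keys take integer 1 to mean off (the notes do not state the value type), and the function names and the RDC_DRY_RUN variable are its own, not part of the client.

```shell
#!/bin/sh
# Added example (not from the Microsoft docs): apply and audit the
# com.microsoft.rdc.macos user defaults named in the release notes.
# Needs macOS defaults(1) to apply or audit; RDC_DRY_RUN=1 prints the
# `defaults write` commands instead of running them, so the profile can be
# reviewed (or exercised on a non-macOS host) before it touches a client.

RDC_DOMAIN="com.microsoft.rdc.macos"

# The five redirection switches from the 10.3.3 notes. Assumption: a value of
# 1 turns the channel off (the notes do not state the value type).
redirection_keys() {
  printf '%s\n' \
    ClientSettings.DisableSmartcardRedirection \
    ClientSettings.DisableClipboardRedirection \
    ClientSettings.DisableMicrophoneRedirection \
    ClientSettings.DisableCameraRedirection \
    ClientSettings.DisableFolderRedirection
}

# The three AvcSupportLevel values from the 10.4.0 notes; anything else is
# rejected before a write happens.
is_valid_avc_level() {
  case "$1" in
    disabled|avc420|avc444) return 0 ;;
    *) return 1 ;;
  esac
}

# One `defaults write <domain> <key> <type> <value>`, printed in dry-run mode.
rdc_write() {
  if [ "${RDC_DRY_RUN:-0}" = "1" ]; then
    printf 'defaults write %s %s %s %s\n' "$RDC_DOMAIN" "$1" "$2" "$3"
  else
    defaults write "$RDC_DOMAIN" "$1" "$2" "$3"
  fi
}

# Restrictive profile: all redirection channels off, AVC level pinned to $1
# (default: disabled). Returns 1 without writing anything if $1 is not a
# documented AvcSupportLevel value.
apply_rdc_hardening() {
  rdc_avc="${1:-disabled}"
  if ! is_valid_avc_level "$rdc_avc"; then
    echo "unknown AvcSupportLevel: $rdc_avc" >&2
    return 1
  fi
  for rdc_key in $(redirection_keys); do
    rdc_write "$rdc_key" -int 1
  done
  rdc_write AvcSupportLevel -string "$rdc_avc"
}

# Print key=value for every key this script cares about ("<unset>" when the
# key is absent) and warn when EnforceCredSSPSupport is 0: per the 10.2.2
# notes that lets an RDP file pick any EnableCredSspSupport/Authentication
# Level combination, i.e. it weakens the client's CredSSP requirement.
audit_rdc_defaults() {
  if ! command -v defaults >/dev/null 2>&1; then
    echo "defaults(1) not found; nothing to audit" >&2
    return 2
  fi
  for rdc_key in $(redirection_keys) AvcSupportLevel ClientSettings.EnforceCredSSPSupport; do
    rdc_val=$(defaults read "$RDC_DOMAIN" "$rdc_key" 2>/dev/null) || rdc_val="<unset>"
    printf '%s=%s\n' "$rdc_key" "$rdc_val"
    if [ "$rdc_key" = ClientSettings.EnforceCredSSPSupport ] && [ "$rdc_val" = 0 ]; then
      echo "warning: EnforceCredSSPSupport=0 relaxes CredSSP enforcement for RDP files" >&2
    fi
  done
}
```

Source the file and run `RDC_DRY_RUN=1 apply_rdc_hardening avc444` first to see the six `defaults write` lines that would be issued, then call it without the variable on the Mac being configured and follow with `audit_rdc_defaults` to confirm the values took effect. Because the client reads these keys through the defaults system, the same keys can also be delivered as a configuration profile by an MDM rather than by this script.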

Updates for version 10.2.1


Published: August 6, 2018

In this release, we made the following changes:

Enabled connectivity to Azure Active Directory (Azure AD) joined PCs. To connect
to an Azure AD joined PC, your username must be in one of the following formats:
AzureAD\user or AzureAD\user@domain.

Addressed some bugs affecting the usage of smart cards in a remote session.

Updates for version 10.2.0


Published: July 24, 2018

In this release, we made the following changes:

Incorporated updates for GDPR compliance.


MicrosoftAccount\username@domain is now accepted as a valid username.
Clipboard sharing has been rewritten to be faster and support more formats.
Copy and pasting text, images, or files between sessions now bypasses the local
machine's clipboard.
You can now connect via a Remote Desktop Gateway server with an untrusted
certificate (if you accept the warning prompts).
Metal hardware acceleration is now used (where supported) to speed up rendering
and optimize battery usage.
When using Metal hardware acceleration, we try to work some magic to make the
session graphics appear sharper.
Got rid of some instances where windows would hang around after being closed.
Fixed bugs that were preventing the launch of RemoteApp programs in some
scenarios.
Fixed a Remote Desktop Gateway channel synchronization error that was resulting
in 0x204 errors.
The mouse cursor shape now updates correctly when moving out of a session or
RemoteApp window.
Fixed a folder redirection bug that was causing data loss when copy and pasting
folders.
Fixed a folder redirection issue that caused incorrect reporting of folder sizes.
Fixed a regression that was preventing logging into an Azure AD-joined machine
using a local account.
Fixed bugs that were causing the session window contents to be clipped.
Added support for RD endpoint certificates that contain elliptic-curve asymmetric
keys.
Fixed a bug that was preventing the download of managed resources in some
scenarios.
Addressed a clipping issue with the pinned connection center.
Fixed the checkboxes in the Display tab of the Add a Desktop window to work
better together.
Aspect ratio locking is now disabled when dynamic display change is in effect.
Addressed compatibility issues with F5 infrastructure.
Updated handling of blank passwords to ensure the correct messages are shown
at connect-time.
Fixed mouse scrolling compatibility issues with MapInfra Pro.
Fixed some alignment issues in the Connection Center when running on Mojave.

Updates for version 10.1.8


Published: May 4, 2018

In this release, we made the following changes:

Added support for changing the remote resolution by resizing the session window!
Fixed scenarios where remote resource feed download would take an excessively
long time.
Resolved the 0x207 error that could occur when connecting to servers not patched
with the CredSSP encryption oracle remediation update (CVE-2018-0886).

Updates for version 10.1.7


Published: April 5, 2018
In this release, we made the following changes:

Made security fixes to incorporate CredSSP encryption oracle remediation updates
as described in CVE-2018-0886.
Improved RemoteApp icon and mouse cursor rendering to address reported
mispaints.
Addressed issues where RemoteApp windows appeared behind the Connection
Center.
Fixed a problem that occurred when you edit local resources after importing from
Remote Desktop 8.
You can now start a connection by pressing ENTER on a desktop tile.
When you're in full screen view, Cmd+M now correctly maps to WIN+M.
The Connection Center, Preferences, and About windows now respond to Cmd+M.
You can now start discovering feeds by pressing ENTER on the Adding Remote
Resources page.
Fixed an issue where a new remote resources feed showed up empty in the
Connection Center until after you refreshed.

Updates for version 10.1.6


Published: March 26, 2018

In this release, we made the following changes:

Fixed an issue where RemoteApp windows would reorder themselves.


Resolved a bug that caused some RemoteApp windows to get stuck behind their
parent window.
Addressed a mouse pointer offset issue that affected some RemoteApp programs.
Fixed an issue where starting a new connection gave focus to an existing session,
instead of opening a new session window.
We fixed an error with an error message - you'll see the correct message now if we
can't find your gateway.
The Quit shortcut (⌘ + Q) is now consistently shown in the UI.
Improved the image quality when stretching in fit to window mode.
Fixed a regression that caused multiple instances of the home folder to show up in
the remote session.
Updated the default icon for desktop tiles.


What's new in the Remote Desktop
client for iOS and iPadOS
Article • 07/08/2024

This article describes the latest updates for the Remote Desktop client for iOS and
iPadOS. To learn more about using the Remote Desktop client for iOS and iPadOS with
Azure Virtual Desktop, see Connect to Azure Virtual Desktop with the Remote Desktop
client for iOS and iPadOS and Use features of the Remote Desktop client for iOS and
iPadOS when connecting to Azure Virtual Desktop.

Latest client versions


The following table lists the current versions available for the public and beta releases:

Release   Latest version   Download
Public    10.5.9           App Store
Beta      10.5.9           TestFlight

Updates for version 10.5.9


Published: June 27, 2024

In this release, we made the following changes:

Updated the client connection path to fall back to TLS when NTLM isn't available in
the context of NLA.
Addressed an issue that prevented the hardware keyboard from working when
connected.

Updates for version 10.5.8


Published: May 29, 2024

In this release, we made the following changes:


Added Microsoft Intune MAM support for configuring redirection settings. It
includes MAM SDK version 19.3.1.
Added watermarking support for Windows 365.
Bug fixes.

Updates for version 10.5.7


Published: May 22, 2024

In this release, we made the following changes:

Added support for the new iPad models released in May 2024.

Updates for version 10.5.6


Published: March 25, 2024

In this release, we made the following changes:

Bug fixes.

Updates for version 10.5.5


Published: February 24, 2024

In this release, we made the following changes:

Fixed accessibility issues.


Bug fixes.

Note

As of this release, only iOS 16 and iPadOS 16 and later are supported.

Updates for version 10.5.4


Published: December 18, 2023

In this release, we made the following changes:

Fixed theming update issues on iOS 17.


Addressed pop-up sheet layout bugs on iOS 17.
Sorted out daylight savings time issues for time zone redirection scenarios.
Repositioned the search box so that it's no longer clipped by the Dynamic Island
on iPhone.
Added support for camera redirection on an iPhone or iPad in portrait orientation.
Resolved an issue where when you go to Settings > Display to view the resolution
list, the list didn't update when you changed the orientation.
Added support for USB-C on iPhone 15 to enable native resolutions when you
connect the device to an external display.
Added watermarking support for Azure Virtual Desktop.

Note

There is no version 10.5.3.

Updates for version 10.5.2


Published: October 24, 2023

In this release, we made the following changes:

Added support for dual monitors when using iPads with Stage Manager.
Addressed reported accessibility bugs.
Fixed some keyboard mappings that stopped working after the iOS 17 update.

Updates for version 10.5.1


Published: September 5th, 2023

In this release, we made the following changes:

Added support for displaying sessions on an external monitor. You can use this
new feature with iPad and iPhone using AirPlay or a physical cable.
Added support for location redirection. To use this feature, you need access to
your device location, and your session hosts must be running Windows 11 or later.

Updates for version 10.5.0


Published: July 10, 2023

In this release, we made the following changes:


Fixed an issue with IPv6 address resolution that was blocking connectivity.
Addressed a deadlock that could occur in server redirection scenarios.

Updates for version 10.4.8


Published: June 20, 2023

In this release, we made the following changes:

We changed the connection bar to always start expanded by default. You can
minimize the connection bar by dragging it to a corner of the screen. To return the
connection bar to its regular size, drag it to the center of the screen.
You can now dismiss all in-app messages by swiping downwards.
Fixed an issue that caused graphics to look distorted in Lock to Landscape mode.

Updates for version 10.4.7


Published: May 17, 2023

In this release we made some tweaks around the behavior of the connection bar on
iPads and fixed some bugs to keep things running smoothly.

We made the following changes to the iPad connection bar:

We fixed an issue that caused the connection bar to get stuck under the Stage
Manager ellipsis menu.
The connection bar will now be docked on the right side of the screen when you
turn your iPad on. The iOS client will also save the position you dock your screen in
across all your iPad and iPhone devices.
We moved the Add a PC or Workspace button to the center of the toolbar at the
bottom of the screen.

We also made the following other changes:

Fixed an issue where session rotation wasn't working on iOS 16.


Resolved an issue where the search box in the Connection Center went out of
focus when the user tried entering characters.
Improved audio rendering for low-bandwidth scenarios.

Updates for version 10.4.6


Published: March 7, 2023
In this release, we removed the global prompt for camera and microphone access when
you first open and run the iOS client. Instead, whenever a connection bookmark or
published resource requests access, you'll receive a prompt asking whether you want to
give permission.

We also fixed some bugs and added some small additional features:

Integrated privacy statement compliance flows for select geographical regions.


Added functionality to delete all Azure Virtual Desktop workspaces and associated
keychain items.
Worked around an iOS 16 change that broke Korean language input.
Addressed a bug that stopped the Apple Pencil from working when connected to
Windows 8.1 and Windows Server 2012 R2 and earlier.

Note

As of this release, only iOS 15 and iPadOS 15 and later are supported.

Updates for version 10.4.5


Published: November 2, 2022

In this release, we made the following changes:

Fixed a WebSocket transport bug that affected some Azure Virtual Desktop
deployments.
Addressed accessibility compliance issues.

Updates for version 10.4.4


Published: October 4, 2022

In this release, we made targeted bug fixes and performance improvements, and also
added new features. Here's what we included:

You can now use Apple Pencil to draw, write, and interact with remote sessions.
You can now see a live preview of the current active session when switching to the
Connection Center from a remote session.
Gather logs for troubleshooting by going to Settings > Troubleshooting.
Review app highlights from previous versions by going to Settings > About >
Version Highlights.
We made some small appearance changes to the connection bar user interface.
We fixed issues that affected locking to landscape or portrait on iOS 16.

Updates for version 10.4.3


Published: August 11, 2022

In this release, we resolved a customer bug that impacted authentication when
connecting to Azure Virtual Desktop deployments.

Updates for version 10.4.2


Published: July 11, 2022

In this release, we resolved some bugs that impacted Azure Virtual Desktop deployment
connectivity. We also fixed an issue that caused external keyboard input to stop working
when you press Command+Tab to switch out of and return to the app.

Updates for version 10.4.1


Published: June 27, 2022

In this release, we added thumbnail snapshots for published PC resources to the
Workspaces tab of the Connection Center. We also created an in-app highlights user
interface (UI) to advertise new features. The UI automatically appears when you first turn
your machine on after an update. You can also access it by going to Settings > About >
Version Highlights. Finally, we fixed an issue where the mouse cursor would temporarily
get stuck at the bottom of the screen.

Updates for version 10.4.0 (5155)


Published: May 17, 2022

This is a significant update with some new feature additions and lots of bug fixes and
improvements.

The biggest change in this release is that you can now dynamically change the
orientation of the remote session to either landscape or portrait mode while connected
to a machine running Windows 8.1, Windows Server 2012 R2 or later. You can set your
orientation preferences in Settings > Display.
To work seamlessly with dynamic orientation, we made updates to the following
experiences:

The in-session immersive switcher has a revamped look and feel, and can
accommodate both landscape and portrait orientation.
The on-screen keyboard has been redesigned to support portrait orientation.
The connecting UI now supports both landscape and portrait orientation.
The PC tab of the connection center now supports high-resolution thumbnails and
portrait snapshots.

In addition, we’ve made the following improvements:

Reworked the connection center to apply a consistent set of margins throughout
the UI.
Added the Shift-Command-Space key combo to toggle the visibility of the
connection bar.
Added the Command-Plus sign (+) and Command-Minus sign (-) key combos to
zoom in and out respectively.
Fixed RemoteApp resource launch and reconnect scenarios.
Updated the client to send the correct physical dimensions for the iPad Mini 6.
Added the username to PC bookmark thumbnails.
Updated the in-session connection bar to fade back after three seconds if you
minimize it.
Added support for smooth scrolling in the connection center on ProMotion-
compatible iPhones and iPads.

We also made some updates to enhance Azure Virtual Desktop scenarios:

Integrated the Microsoft Authentication Library (MSAL) or OneAuth component to
improve current and future authentication scenarios.
Added eTag support to speed up Azure Virtual Desktop workspace refresh.

Note

This release removes support for iOS 13 and is only compatible with iOS 14 and 15.

Updates for version 10.3.6 (5090)


Published: November 11, 2021

In this release we added support for the iPad Mini 6 and addressed an issue with Slide
Over windows and keyboard interaction. Thanks for all the feedback. We're working
hard to make this app great!

Updates for version 10.3.5


Published: October 28, 2021

In this release, we added support for time zone redirection. This new feature fixes an
issue in Windows 11 remote sessions that caused the screen to flicker, making the
session unusable.

Updates for version 10.3.1


Published: June 28, 2021

In this release, we worked around a 0x907 (mismatched certificate) error code that was
caused by third-party infrastructure returning an incorrect certificate in redirection
scenarios. We also made some updates to improve compatibility and performance
metrics when connecting to Azure Virtual Desktop (formerly known as Windows Virtual
Desktop).

Updates for version 10.3.0


Published: May 27, 2021

In this release, we made some significant updates to the shared underlying code that
powers the Remote Desktop experience across all our clients. We also added some new
features and addressed bugs and crashes that were showing up in error reporting.

You can now drag the IME candidate window in the client.
Integrated Kerberos support in the CredSSP security protocol sequence.
Added support for HTTP proxies in Azure Virtual Desktop and on-premises
scenarios.
Made updates to improve interoperability with current and upcoming features in
the Azure Virtual Desktop service.

Updates for version 10.2.5


Published: 03/29/2021

In this release, we made the following updates:

Fixed NETBIOS name resolution on iOS 14.
Updated the app to proactively request local network access to enable connections
to PCs around you.
Fixed an issue where an RD Gateway connection would fail with a 0x3000064 error
code.
Fixed a bug where workspace discovery and download would fail if the port
number was included in HTTP GET requests.
Added examples of PC host names to the PC Name page in the Add/Edit PC UX.
Addressed some VoiceOver accessibility issues.

Updates for version 10.2.4


Published: 02/01/2021

In this release, we made the following changes to the connection bar and in-session
user experience:

You can now collapse the connection bar by moving it into one of the four corners
of the screen.
On iPads and large iPhones you can dock the connection bar to the left or right
edge of the screen.
You can now see the zoom slider panel by pressing and holding the connection
bar magnification button. The new zoom slider controls the magnification level of
the session in both touch and mouse pointer mode.

We also addressed some accessibility bugs and the following two issues:

The client now validates the PC name in the Add/Edit PC UI to make sure the name
doesn't contain illegal characters.
Addressed an issue where the UI would stop resolving a workspace name during
subscription.

Updates for version 10.2.3


Published: 12/15/2020

In this release, we fixed issues that caused crashes and interfered with the "Display
Zoom View" setting. We also tweaked the "Use Full Display" setting to only appear on
applicable iPads and adjusted the available resolutions for iPhones and iPads.

Updates for version 10.2.2


Published: 11/23/2020

In this release, we addressed some bugs affecting users running iOS 14 and iPadOS 14.

Updates for version 10.2.1


Published: 11/11/2020

In this release, we made the following fixes:

Added support for newly released iPhone and iPad devices.
Addressed an issue where the client would return a 0x30000066 error when
connecting using an RD Gateway server.

Updates for version 10.2.0


Published: 11/06/2020

In this release, we addressed some compatibility issues with iOS and iPadOS 14. In
addition, we made the following fixes and feature updates:

Addressed crashes on iOS and iPadOS 14 that happened when entering input on
keyboard.
Added the Cmd+S and Cmd+N shortcuts to access the "Add Workspace" and
"Add PC" processes, respectively.
Added the Cmd+F shortcut to invoke Search UI in the Connection Center.
Added the "Expand All" and "Collapse All" commands to the Workspaces tab.
Resolved a bug that caused a 0xD06 protocol error to happen while running
Outlook as a RemoteApp.
The on-screen keyboard will now disappear when you scroll through search results
in the Connection Center.
Updated the animation used when hovering over workspace icons with a mouse or
trackpad pointer on iPadOS 14.

Updates for version 10.1.4


Published: 11/06/2020

We put together some bug fixes and small feature updates for this release. Here's what's
new:

Addressed an issue where the client would report a 0x5000007 error message
when trying to connect to an RD Gateway server.
User account passwords updated in the credential UI are now saved after
successfully signing in.
Addressed an issue where range and multi-select with the mouse or trackpad
(Shift+click and Ctrl+click) didn't work consistently.
Addressed a bug where apps displayed in the in-session switcher UI were out of
sync with the remote session.
Made some cosmetic changes to the layout of Connection Center workspace
headers.
Improved visibility of the on-screen keyboard buttons for dark backdrops.
Fixed a localization bug in the disconnect dialog.

Updates for version 10.1.3


Published: 11/06/2020

We put together some bug fixes and feature updates for this release. Here's what's new:

The input mode (Mouse Pointer or Touch mode) is now global across all active PC
and RemoteApp connections.
Fixed an issue that prevented microphone redirection from working consistently.
Fixed a bug that caused audio output to play from the iPhone earpiece instead of
the internal speaker.
The client now supports automatically switching audio output between the iPhone
or iPad internal speakers, bluetooth speakers, and AirPods.
Audio now continues to play in the background when switching away from the
client or locking the device.
The input mode automatically switches to Touch mode when using a SwiftPoint
mouse on iPhones or iPads (not running iPadOS, version 13.4 or later).
Addressed graphics output issues that occurred when the server was configured to
use AVC444 full screen mode.
Fixed some VoiceOver bugs.
Panning around a zoomed-in session with an external mouse or trackpad now
works differently. To pan in a zoomed-in session with an external mouse or
trackpad, select the pan knob, then drag your mouse cursor away while still
holding the mouse button. To pan around in Touch mode, press on the pan knob,
then move your finger. The session will stick to your finger and follow it
around. In Mouse Pointer mode, push the virtual mouse cursor against the sides of
the screen.

Updates for version 10.1.2

Published: 8/17/2020

In this update, we addressed issues that were reported in this release.

Fixed a crash that occurred for some users when subscribing to an Azure Virtual
Desktop feed using non-brokered authentication.
Fixed the layout of workspace icons on the iPhone X, iPhone XS, and iPhone 11
Pro.

Updates for version 10.1.1


Published: 11/06/2020

Here’s what we included in this release:

Fixed a bug that prevented typing in Korean.
Added support for F1 through F12, Home, End, PgUp and PgDn keys on hardware
keyboards.
Resolved a bug that made it difficult to move the mouse cursor to the top of the
screen in letterboxed mode on iPadOS devices.
Addressed an issue where pressing backspace after space deleted two characters.
Fixed a bug that caused the iPadOS mouse cursor to appear on top of the Remote
Desktop client mouse cursor in "Tap to Click" mode.
Resolved an issue that prevented connections to some RD Gateway servers (error
code 0x30000064).
Fixed a bug that caused the mouse cursor to be shown in the in-session switcher
UI on iOS devices when using a SwiftPoint mouse.
Resized the RD client mouse cursor to be consistent with the current client scale
factor.
The client now checks for network connectivity before launching a workspace
resource or PC connection.
Hitting the remapped Escape button or Cmd+. now cancels out of any credential
prompt.
We added some animations and polish that appear when you move the mouse
cursor around on iPads running iPadOS 13.4 or later.

Updates for version 10.1.0


Published: 11/06/2020

In this release, we made the following changes:

If you're using iPadOS 13.4 or later, you can now control the remote session with a
mouse or trackpad.
The client now supports the following Apple Magic Mouse 2 and Apple Magic
Trackpad 2 gestures: left-click, left-drag, right-click, right-drag, horizontal and
vertical scrolling, and local zooming.
For external mice, the client now supports left-click, left-drag, right-click, right-
drag, middle-click, and vertical scrolling.
The client now supports keyboard shortcuts that use Ctrl, Alt, or Shift keys with the
mouse or trackpad, including multi-select and range-select.
The client now supports the "Tap-to-Click" feature for the trackpad.
We updated the Mouse Pointer mode's right-click gesture to press-and-hold (not
press-and-hold-and-release). On the iPhone client we added taptic feedback when
we detect the right-click gesture.
Added an option to disable NLA enforcement under iOS Settings > RD Client.
Mapped Control+Shift+Escape to Ctrl+Shift+Esc, where Escape is generated using
a remapped key on iPadOS or Command+.
Mapped Command+F to Ctrl+F.
Fixed an issue where the SwiftPoint middle mouse button didn't work in iPadOS
version 13.3.1 or earlier and iOS.
Fixed some bugs that prevented the client from recognizing the "rdp:" URI.
Addressed an issue where the in-session Immersive Switcher UI showed outdated
app entries if a disconnect was server-initiated.
The client now supports the Azure Resource Manager-integrated version of Azure
Virtual Desktop.

Updates for version 10.0.7


Published: 4/29/2020

In this update we added the ability to sort the PC list view (available on iPhone) by name
or time last connected.

Updates for version 10.0.6


Published: 3/31/2020

In this release, we made the following changes:

Fixed a number of VoiceOver accessibility issues.
Fixed an issue where users couldn't connect with Turkish credentials.
Sessions displayed in the switcher UI are now ordered by when they were
launched.
Selecting the Back button in the Connection Center now takes you back to the last
active session.
Swiftpoint mice are now released when switching away from the client to another
app.
Improved interoperability with the Azure Virtual Desktop service.
Fixed crashes that were showing up in error reporting.

Updates for version 10.0.5


Published: 03/09/20

We put together some bug fixes and feature updates for this release. Here's what's new:

Launched RDP files are now automatically imported (look for the toggle in General
settings).
You can now launch iCloud-based RDP files that haven't been downloaded in the
Files app yet.
The remote session can now extend underneath the Home indicator on iPhones
(look for the toggle in Display settings).
Added support for typing composite characters with multiple keystrokes, such as é.
Added support for the iPad on-screen floating keyboard.
Added support for adjusting properties of redirected cameras from a remote
session.
Fixed a bug in the gesture recognizer that caused the client to become
unresponsive when connected to a remote session.
You can now enter App Switching mode with a single swipe up (except when
you're in Touch mode with the session extended into the Home indicator area).
The Home indicator will now automatically hide when connected to a remote
session, and will reappear when you tap the screen.
Added a keyboard shortcut to get to app settings in the Connection Center
(Command + ,).
Added a keyboard shortcut to refresh all workspaces in the Connection Center
(Command + R).
Hooked up the system keyboard shortcut for Escape when connected to a remote
session (Command + .).
Fixed scenarios where the Windows on-screen keyboard in the remote session was
too small.
Implemented auto-keyboard focus throughout the Connection Center to make
data entry more seamless.
Pressing Enter at a credential prompt now results in the prompt being dismissed
and the current flow resuming.
Fixed a scenario where the client would crash when pressing Shift + Option + Left,
Up, or Down arrow key.
Fixed a crash that occurred when removing a SwiftPoint device.
Fixed other crashes reported to us by users since the last release.

Updates for version 10.0.4


Published: 02/03/20

In this release, we made the following changes:

Confirmation UI is now shown when deleting user accounts and gateways.
The search UI in the Connection Center has been slightly reworked.
The username hint, if it exists, is now shown in the credential prompt UI when
launching from an RDP file or URI.
Fixed an issue where the extended on-screen keyboard would extend underneath
the iPhone notch.
Fixed a bug where external keyboards would stop working after being
disconnected and reconnected.
Added support for the Esc key on external keyboards.
Fixed a bug where English characters appeared when entering Chinese characters.
Fixed a bug where some Chinese input would remain in the remote session after
deletion.
Fixed other crashes reported to us by users since the last release.

Updates for version 10.0.3


Published: 01/16/20

In this release, we made the following changes:

Support for launching connections from RDP files and RDP URIs.
Workspace headers are now collapsible.
Zooming and panning at the same time is now supported in Mouse Pointer mode.
A press-and-hold gesture in Mouse Pointer mode will now trigger a right-click in
the remote session.
Removed force-touch gesture for right-click in Mouse Pointer mode.
The in-session switcher screen now supports disconnecting, even if no apps are
connected.
Light dismiss is now supported in the in-session switcher screen.
PCs and apps are no longer automatically reordered in the in-session switcher
screen.
Enlarged the hit test area for the PC thumbnail view ellipses menu.
The Input Devices settings page now contains a link to supported devices.
Fixed a bug that caused the Bluetooth permissions UI to repeatedly appear at
launch for some users.
Fixed other crashes reported to us by users since the last release.

Updates for version 10.0.2


Published: 12/20/19

In this release, we made the following changes:

Support for Japanese and Chinese input on hardware keyboards.
The PC list view now shows the friendly name of the associated user account, if
one exists.
The permissions UI in the first-run experience is now rendered correctly in Light
mode.
Fixed a crash that happened whenever someone pressed the Option and Up or
Down arrow keys at the same time on a hardware keyboard.
Updated the on-screen keyboard layout used in the password prompt UI to make
finding the Backslash key easier.
Fixed other crashes reported to us by users since the last release.

Updates for version 10.0.1


Published: 12/15/19

Here's what's new in this release:

Support for the Azure Virtual Desktop service.
Updated Connection Center UI.
Updated in-session UI.

Updates for version 10.0.0


Published: 12/13/19

In this release, we made the following changes:

Support for the Azure Virtual Desktop service.
A new Connection Center UI.
A new in-session UI that can switch between connected PCs and apps.
New layout for the auxiliary on-screen keyboard.
Improved external keyboard support.
SwiftPoint Bluetooth mouse support.
Microphone redirection support.
Local storage redirection support.
Camera redirection support (only available for Windows 10, version 1809 or later).
Support for new iPhone and iPad devices.
Dark and light theme support.
Control whether your phone can lock when connected to a remote PC or app.
You can now collapse the in-session connection bar by pressing and holding the
Remote Desktop logo button.

Updates for version 8.1.42


Published: 06/20/2018

In this release, we made the following changes:

Bug fixes and performance improvements.

Updates for version 8.1.41


Published: 03/28/2018

In this release, we made the following changes:

Updates to address CredSSP encryption oracle remediation described in
CVE-2018-0886.


What's new in the Remote Desktop
client for Android and Chrome OS
Article • 04/11/2024

In this article you'll learn about the latest updates for the Remote Desktop client for
Android and Chrome OS. To learn more about using the Remote Desktop client for
Android and Chrome OS with Azure Virtual Desktop, see Connect to Azure Virtual
Desktop with the Remote Desktop client for Android and Chrome OS and Use features
of the Remote Desktop client for Android and Chrome OS when connecting to Azure
Virtual Desktop.

Latest client versions


The following table lists the current versions available for the public and beta releases:


Release   Latest version   Download
Public    10.0.18.1251     Google Play
Beta      10.0.18.1251     Google Play

Updates for version 10.0.18.1251


Published: December 14, 2023

In this release, we made the following changes:

Bug fixes and improvements.

Updates for version 10.0.16.1237


Published: August 14, 2023

In this release, we made the following changes:

Added support for pen redirection.
Azure Virtual Desktop desktop previews are now available.
Display now auto-locks during remote session when setting is enabled.
RDS connections now support Azure Active Directory authentication.
Private Link is now supported.
Reconnect dialog now available for RDS sessions when they're locked.
Search is now supported in PCs and Workspaces tabs.
Bug fixes and improvements.

Updates for version 10.0.15.1207


Published: October 31, 2022

In this release, we made the following changes:

Added support for camera redirection.
Bug fixes and improvements.

Updates for version 10.0.14.1182


Published: June 13, 2022

In this release, we made the following changes:

Bug fixes and improvements.
App localized into 16 languages.

Updates for version 10.0.13.1174


Published: February 22, 2022

In this release, we made the following changes:

Client-side time zone redirection.
HTTP proxy support.
Fixed an issue where input from the ENTER key was sent twice when using IME on
Samsung devices.
Updates to improve Azure Virtual Desktop connection reliability and performance.
UI fixes and fine-tuning.
Enhanced Chromebook experience:
Windowed mode support.
Support for launching connections in separate windows.
High DPI support.
Addressed Chromebook compatibility bugs.
Minimum required version of Android is now Android 9.

Updates for version 10.0.12.1148

Published: December 15, 2021

In this release, we made the following changes:

We made an in-session UI that switches between workspaces and PCs.
Updated language support for Input Method Editors (IME) and external keyboards.
Added support for Azure Virtual Desktop workspace subscriptions that use
multiple identities for the same URL.
We added a warning message that says you shouldn't use the RD Gateway for local
addresses.
Added support for the NumLock and ScrLock keys on external keyboards.
Fixed bugs that appeared in dark mode.
The minimum required version of Android is now Android 8.

Updates for version 10.0.11


Published: July 13, 2021

In this release, we made the following changes:

Bug fixes and performance improvements.

Updates for version 10.0.10


Published: 3/24/2021

In this release, we made the following changes:

Added support for client-side IMEs when using built-in and onscreen keyboards.
Added a prompt for credentials when subscribing to a workflow.
Improved Azure Virtual Desktop workspace download performance to prevent
throttling.
Fixed an issue where incorrect command icons would appear in the UI.

Updates for version 10.0.9


Published: 2/2/2021

In this release, we made the following changes:

Support for dark mode on Android 10 and later.
Fixed clipboard redirection synchronization issues.
Added clipboard redirection to the Add/Edit PC UI.
The Android client now supports the DEL key on external keyboards.
Fixed a bug that caused workspace URL auto-complete to stop responding.
Addressed keyboard and screen reader-related accessibility bugs.
Addressed reliability issues identified by user reports.

Updates for version 10.0.8


Published: 12/04/2020

In this release, we made the following changes:

Client now supports microphone redirection.
New UI for subscribing to and editing workspaces.
Cleaned up existing UI throughout the client.
Fixed Samsung DeX keyboard input.
Addressed an issue where clients would report a 0x5000007 error when connecting
using an RD Gateway server.
Addressed several reliability issues identified by users through crash reporting.
Minimum required version of Android is now Android 6.
Fixed an issue where the client stopped responding while saving a file to redirected
storage.

Updates for version 10.0.7


Date Published: 07/24/2020

In this release, we made the following changes:

Implemented full support for Azure Virtual Desktop.
Rewrote the client to use the same underlying RDP core engine as the iOS and
macOS clients.
New Connection Center experience.
New Connection Progress UI.
New in-session Connection Bar.
Added support for Android TV devices.
Integration with Microsoft Authenticator to enable conditional access when
subscribing to Azure Virtual Desktop feeds.
Enabled the transfer of connections and settings from Remote Desktop 8.

Updates for version 8.1.80

Date Published: 05/26/2020

In this release, we made the following changes:

Changed the client icon to distinguish it from the new client currently in preview.
Prepared the client to support settings and connections transfer to the new client.

Updates for version 8.1.79


Published: 03/24/2020

In this release, we made the following change:

Fixed an issue where barcode scanners didn't work.

Updates for version 8.1.77


Published: 02/11/2020

In this release, we made the following change:

Improved accessibility for users of keyboard-only navigation.


What's new in the Remote Desktop
WebRTC Redirector Service
Article • 08/21/2024

This article provides information about the latest updates to the Remote Desktop
WebRTC Redirector Service for Teams for Azure Virtual Desktop, which you can
download at Remote Desktop WebRTC Redirector Service .

Latest available version


The following table shows the latest available version of the Remote Desktop WebRTC
Redirector Service.


Release   Latest version    Download
Public    1.54.2408.19001   MSI Installer

Updates for version 1.54.2408.19001


Published: August 21, 2024

Download: MSI Installer

In this release, we made the following changes:

Fixed an issue where video streams may sometimes not appear.

Updates for version 1.54.2407.26001


Published: July 29, 2024

Download: MSI Installer

In this release, we made the following changes:

Fixed an Outlook Window Sharing Privacy issue to correctly stop window sharing
when the shared window is closed.
Fixed a freeze issue that occurred when starting screen sharing in GCCH.
Improved the video encoding adjustments for smoother streams.

Updates for version 1.50.2402.29001

Published: March 25, 2024

Download: MSI Installer

In this release, we made the following changes:

Fixed an issue that caused Teams audio to not apply remote volume changes or
mute when using the new Teams client.
Fixed an issue that caused Teams to stop responding when the user tries to use the
Give/Take Control feature after sharing their screen through chat.
Fixed an issue that caused users to be able to control hidden window regions while
application window sharing when using the Give/Take Control feature.

Updates for version 1.45.2310.13001


Published: November 15, 2023

Download: MSI Installer

In this release, we've made the following change:

Added support for Teams optimization reinitialization upon virtual machine (VM)
hibernate and resume.

Updates for version 1.43.2306.30001


Published: September 7, 2023

Download: MSI Installer

In this release, we've made the following changes:

If a user is sharing a PowerPoint edit window then selects Present, the shared
window will automatically switch to the PowerPoint presentation window.
Improved WebRTC redirector service reliability and performance handling.
Fixed an issue where the diagnostic overlay hotkey ( Ctrl + Shift + ; ) caused
hotkeys to be disabled for non-Teams applications during Teams calls.
Fixed an issue where a race condition caused a loss of audio during Teams calls.

Updates for version 1.33.2302.07001


Published: March 1, 2023

In this release, we've made the following change:

Support for non-Latin characters for window names in the application window
share tray.

Updates for version 1.31.2211.15001


Published: January 19, 2023

In this release, we've made the following changes:

Support for application window sharing for Windows users.
Support for Give and Take Control functionality for macOS users.
Latency and performance improvements for Give and Take Control on Windows.
Improved screen share performance.

Updates for version 1.17.2205.23001


Published: June 20, 2022

In this release, we've made the following changes:

Fixed an issue that made the WebRTC redirector service disconnect from Teams on
Azure Virtual Desktop.
Added keyboard shortcut detection for Shift+Ctrl+; that lets users turn on a
diagnostic overlay during calls on Teams for Azure Virtual Desktop. This feature is
supported in version 1.2.3313 or later of the Windows Desktop client.
Added further stability and reliability improvements to the service.

Updates for version 1.4.2111.18001


Published: December 2, 2021

In this release, we've made the following changes:

Fixed a mute notification problem.
Multiple z-ordering fixes in Teams on Azure Virtual Desktop and Teams on
Microsoft 365.
Removed timeout that prevented the WebRTC redirector service from starting
when the user connects.
Fixed setup problems that prevented side-by-side installation from working.

Updates for version 1.1.2110.16001

Published: October 15, 2021

In this release, we've made the following changes:

Fixed an issue that caused the screen to turn black while screen sharing. If you've
been experiencing this issue, confirm that this update will resolve it by resizing the
Teams window. If screen sharing starts working again after resizing, the update will
resolve this issue.
You can now control the meeting, ringtone, and notification volume from the host
VM. You can only use this feature with version 1.2.2459 or later of the Windows
Desktop client.
The installer will now make sure that Teams is closed before installing updates.
Fixed an issue that prevented users from returning to full screen mode after
leaving the call window.

Updates for version 1.0.2106.14001


Published: July 29, 2021

In this release, we've made the following change:

Increased the connection reliability between the WebRTC redirector service and the
WebRTC client plugin.

Updates for version 1.0.2006.11001


Published: July 28, 2020

In this release, we've made the following changes:

Fixed an issue where minimizing the Teams app during a call or meeting caused
incoming video to drop.
Added support for selecting one monitor to share in multi-monitor desktop
sessions.

Next steps
Learn more about how to set up Teams on Azure Virtual Desktop at Use Microsoft
Teams on Azure Virtual Desktop.
Learn about known issues, limitations, and how to log issues at Troubleshoot Teams on
Azure Virtual Desktop.



What's new in Windows App
Article • 11/20/2024

This article details information about the latest updates for Windows App for Windows,
macOS, iOS and iPadOS, and web browsers.

To learn how to connect to Azure Virtual Desktop, Windows 365, Microsoft Dev Box,
Remote Desktop Services, and a remote PC, see Get started with Windows App.

Select a tab for the platform you're using.

Windows

Here's what's new in Windows App for Windows.

Latest release
The following table lists the current versions available:


Release: Public
Latest version: 2.0.297.0
Minimum supported version: 2.0.297.0
Download: Download Windows App from the Microsoft Store. To learn more, see Get
started with Windows App. You can download Windows App outside of the Microsoft
Store from the following links: Windows 64-bit, Windows 32-bit, Windows Arm64. By
downloading Windows App, you agree to the license (see
https://aka.ms/WindowsAppLicense) and privacy terms (see
https://aka.ms/privacy).

Release: Insider
Latest version: 2.0.317.0
Minimum supported version: 2.0.297.0
Download: Download Windows App from the Microsoft Store. To learn more, see Get
started with Windows App.

Important

Administrators: you won't receive automatic updates at this time when
downloading Windows App from the direct links in environments where the
Microsoft Store is blocked. To update Windows App to new versions, return to
this article and use the same direct links.

Tip

The rollout of an update is phased over the course of a week, so some users
might receive the update later than others.

Version 2.0.317.0 (Insider)


Date published: November 12, 2024

Improved start-up time of Windows App.
Added list of graphics codecs to the Connection Information dialog.
Fixed an issue where the bottom portion of the Windows Authentication
dialog could be cut off when connected to a RemoteApp.
Fixed an issue where the Connection Information dialog showed the lowest
round-trip time (RTT) instead of average RTT.

Note

This version replaced the Insider version 2.0.304.0. Changes noted above
reflect all changes for these versions.

Version 2.0.297.0
Date published: October 8, 2024

Fixed an issue for CVE-2024-43533.
Support for Windows 365 connections in GCC High environment.
Multimedia redirection call redirection is now generally available.

Version 2.0.294.0
Date published: September 24, 2024

Improved Windows App performance and reliability.


Version 2.0.285.0
Date published: September 19, 2024

Experience improvements:
Support for Windows 365 connections in GCC environment.
Removed the preview toggle, which prevents switching back to the
previous Windows 365 user interface.
Show the underlying client version number in Windows App settings.
Made an improvement so that new session windows don't become the
focused window.

Fixes:
Fixed an authentication error when switching accounts in which a user gets
stuck if they're prompted for interactive sign in and don't remember their
password.
Fixed a tooltip not showing for the close button in the Pin to taskbar dialog
box.
Fixed the refresh of remote resources taking a long time.
Fixed a bug to ensure that the screen mode ID setting in the underlying
.rdp file is honored.

Fixed an issue where Microsoft Teams rendered into the wrong window
when multiple remote session windows are open.
Fixed an issue where Windows App crashed for users who have Windows N
SKUs without the media framework.
Addressed an issue that reduces the chance of encountering the error Low
virtual memory on reconnect attempts.

Version 1.3.278.0
Date published: August 26, 2024

Experience improvements:
There's now a button to refresh your resources on the Devices and Apps
tabs, and also on the Home tab when there are pinned resources.
Added an option to view the Devices and Apps tabs in list view or grid
view.
Improved the discoverability of display settings when default settings are
used.
Stability and security improvements for printer redirection.
Improved the experience for single sign-on (SSO) lock screen dialogs.
Fixes:
Fixed an issue with SSO login failure.
Fixed an issue that caused Windows App to crash on disconnect.
Fixed an issue where Windows App didn't restart after installing updates.
Fixed an issue where Windows App crashed when double-clicking on the Pin to Taskbar Cloud PC icon.

Version 1.3.272.0
Date published: August 14, 2024

Fixed an issue for CVE-2024-38131.

Version 1.3.264.0
Date published: July 13, 2024

Improved usability of the connection bar by reducing the amount of time it displays on the screen after the mouse moves away.
Improved the graphics presentation latency.
Fixed an issue where incorrect content displayed when hovering over the
minimize button in the taskbar.
Fixed incorrect translations for Try Windows App dialog.
Fixed an issue where a minimized RemoteApp window maximizes when the
lock screen timer runs out for a RemoteApp session.
Fixed an issue where the client crashed when a session is disconnected.
Fixed an issue where the client crashed when responding to an incoming
Microsoft Teams call.

Version 1.3.259.0
Date published: July 3, 2024

Fixed an issue where Windows App crashes when it can't access certain
required endpoints.

Version 1.3.252.0
Date published: May 21, 2024

Improved the task view disconnect experience.
Fixed an issue that caused RemoteApp windows to appear stretched.
Fixed an issue with the account switcher only showing two accounts when
Windows App starts up.
Fixed Windows App crashing when there's no internet connection.

Version 1.3.241.0
Date published: April 8, 2024

Fixed an issue where Windows App would crash when there was no network
connection.
Improved error messages for Windows 365 Boot.
Added support for automatic retry/reconnect in Windows 365 Boot when the
device goes to sleep, or with other disconnections.
Fixed an issue that caused an Azure Virtual Desktop RemoteApp window to
appear stretched.
Introduced a countdown timer on the Windows 365 Boot interstitial screen
that closes Windows App when it reaches zero.
Improved client logging, diagnostics, and error classification to help
administrators troubleshoot connection and feed issues.

Version 1.3.233.0
Date published: March 1, 2024

Users can now remove accounts from the account switcher.
Fixed an issue with Windows 365 Frontline Cloud PC connections timing out.
Support for the new VDI solution for Microsoft Teams. To learn more, see Microsoft 365 Roadmap.

Version 1.3.212.0
Date published: January 22, 2024

In-app updates and update availability notifications.
User interface bug fixes and improvements.
Accessibility bug fixes and improvements.

Version 1.3.205.0
Date published: November 24, 2023

On the account sign-in screen, we've clarified that you can sign in with work or school accounts.
Minor updates to the user interface.

Version 1.3.204.0
Date published: November 15, 2023

Initial release.

Tutorial: Deploy a sample Azure Virtual Desktop infrastructure with a Windows 11 desktop
Article • 10/26/2023

Azure Virtual Desktop enables you to access desktops and applications from virtually
anywhere. This tutorial shows you how to deploy a Windows 11 Enterprise desktop in
Azure Virtual Desktop using the Azure portal and how to connect to it. To learn more
about the terminology used for Azure Virtual Desktop, see Azure Virtual Desktop
terminology and What is Azure Virtual Desktop?

You'll deploy a sample infrastructure by:

Creating a personal host pool.
Creating a session host virtual machine (VM) joined to your Microsoft Entra tenant with Windows 11 Enterprise and adding it to the host pool.
Creating a workspace and an application group that publishes a desktop to the session host VM.
Assigning users to the application group.
Connecting to the desktop.

Tip

This tutorial shows a simple way you can get started with Azure Virtual Desktop. It
doesn't provide an in-depth guide of the different options and you can't publish a
RemoteApp in addition to the desktop. For a more in-depth and adaptable
approach to deploying Azure Virtual Desktop, see Deploy Azure Virtual Desktop,
or for suggestions of what else you can configure, see the articles we list in Next
steps.

Prerequisites
You need:

An Azure account with an active subscription. If you don't have an Azure subscription, create a free account before you begin.

The Azure account must be assigned the following built-in role-based access control (RBAC) roles as a minimum on the subscription, or on a resource group. For more information, see Assign Azure roles using the Azure portal. If you want to assign the roles to a resource group, you need to create this first.

Resource type: RBAC role
Host pool, workspace, and application group: Desktop Virtualization Contributor
Session hosts: Virtual Machine Contributor

Alternatively, if you already have the Contributor or Owner RBAC role, you're already able to create all of these resource types.

A virtual network in the same Azure region you want to deploy your session hosts
to.

A user account in Microsoft Entra ID you can use for connecting to the desktop.
This account must be assigned the Virtual Machine User Login or Virtual Machine
Administrator Login RBAC role on the subscription. Alternatively you can assign the
role to the account on the session host VM or the resource group containing the
VM after deployment.

A Remote Desktop client installed on your device to connect to the desktop. You
can find a list of supported clients in Remote Desktop clients for Azure Virtual
Desktop. Alternatively you can use the Remote Desktop Web client, which you can
use through a supported web browser without installing any extra software.

Create a personal host pool, workspace, application group, and session host VM

To create a personal host pool, workspace, application group, and session host VM running Windows 11:

1. Sign in to the Azure portal .

2. In the search bar, type Azure Virtual Desktop and select the matching service entry.

3. From the Azure Virtual Desktop overview page, select Create a host pool.

4. On the Basics tab, complete the following information:

Parameter: Value/Description

Project details
Subscription: Select the subscription you want to deploy your host pool, session hosts, workspace, and application group in from the drop-down list.
Resource group: Select an existing resource group or select Create new and enter a name.
Host pool name: Enter a name for the host pool, for example hp01.
Location: Select the Azure region from the list where you want to create your host pool, workspace, and application group.
Validation environment: Select No. This setting enables your host pool to receive service updates before all other production host pools, but isn't needed for this tutorial.
Preferred app group type: Select Desktop. With this personal host pool, you publish a desktop, but you can't also add a RemoteApp application group for the same host pool to also publish applications. See Next steps for more advanced scenarios.

Host pool type
Host pool type: Select Personal. This means that end users have a dedicated assigned session host that they always connect to. Selecting Personal shows a new option for Assignment type.
Assignment type: Select Automatic. Automatic assignment means that a user automatically gets assigned the first available session host when they first sign in, which is then dedicated to that user.

Once you've completed this tab, select Next: Virtual Machines.

5. On the Virtual machines tab, complete the following information:

Parameter: Value/Description

Add Azure virtual machines: Select Yes. This shows several new options.
Resource group: This automatically defaults to the resource group you chose your host pool to be in on the Basics tab.
Name prefix: Enter a name for your session hosts, for example hp01-sh. This name prefix is used as the prefix for your session host VMs. Each session host has a suffix of a hyphen and then a sequential number added to the end, for example hp01-sh-0. The prefix can be a maximum of 11 characters and is used in the computer name in the operating system. The prefix and the suffix combined can be a maximum of 15 characters. Session host names must be unique.
Virtual machine location: Select the Azure region where you want to deploy your session host VMs. It must be the same region that your virtual network is in.
Availability options: Select No infrastructure redundancy required. This means that your session host VMs aren't deployed in an availability set or in availability zones.
Security type: Select Trusted launch virtual machines. Leave the subsequent defaults of Enable secure boot and Enable vTPM checked, and Integrity monitoring unchecked. For more information, see Trusted launch.
Image: Select Windows 11 Enterprise, version 23H2.
Virtual machine size: Accept the default SKU. If you want to use a different SKU, select Change size, then select from the list.
Number of VMs: Enter 1 as a minimum. You can deploy up to 500 session host VMs at this point if you wish, or you can add more separately. With a personal host pool, each session host can only be assigned to one user, so you need one session host for each user connecting to this host pool. Once you've completed this tutorial, you can create a pooled host pool, where multiple users can connect to the same session host.
OS disk type: Select Premium SSD for best performance.
Boot Diagnostics: Select Enable with managed storage account (recommended).

Network and security
Virtual network: Select your virtual network and subnet to connect session hosts to.
Network security group: Select Basic.
Public inbound ports: Select No as you don't need to open inbound ports to connect to Azure Virtual Desktop. Learn more at Understanding Azure Virtual Desktop network connectivity.

Domain to join
Select which directory you would like to join: Select Microsoft Entra ID.
Enroll VM with Intune: Select No.

Virtual Machine Administrator account
Username: Enter a name to use as the local administrator account for these session host VMs.
Password: Enter a password for the local administrator account.
Confirm password: Reenter the password.

Custom configuration
Custom configuration script URL: Leave this blank.

Once you've completed this tab, select Next: Workspace.

6. On the Workspace tab, complete the following information:

Parameter: Value/Description

Register desktop app group: Select Yes. This registers the default desktop application group to the selected workspace.
To this workspace: Select Create new and enter a name, for example ws01.

Once you've completed this tab, select Next: Review + create. You don't need to
complete the other tabs.

7. On the Review + create tab, ensure validation passes and review the information
that is used during deployment. If validation doesn't pass, review the error
message and check what you entered in each tab.

8. Select Create. A host pool, workspace, application group, and session host are
created. Once your deployment is complete, select Go to resource to go to the
host pool overview.

9. Finally, from the host pool overview, select Session hosts and verify the status of
the session hosts is Available.

Assign users to the application group

Once your host pool, workspace, application group, and session host VM(s) have been
deployed, you need to assign users to the application group that was automatically
created. After users are assigned to the application group, they'll automatically be
assigned to an available session host VM because Assignment type was set to Automatic
when the host pool was created.

1. From the host pool overview, select Application groups.

2. Select the application group from the list, for example hp01-DAG.

3. From the application group overview, select Assignments.

4. Select + Add, then search for and select the user account you want to be assigned
to this application group.

5. Finish by selecting Select.

Enable connections from Remote Desktop clients

Tip

This section is optional if you're going to use a Windows device to connect to Azure Virtual Desktop that is joined to the same Microsoft Entra tenant as your session host VMs and you're using the Remote Desktop client for Windows.

To enable connections from all of the Remote Desktop clients, you need to add an RDP
property to your host pool configuration.

1. Go back to the host pool overview, then select RDP Properties.

2. Select the Advanced tab.

3. In the RDP Properties box, add targetisaadjoined:i:1; to the start of the text in the box.

4. Select Save.
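The same deployment steps (personal host pool, desktop application group, workspace, user assignment, and the targetisaadjoined RDP property) scripted with the Az.DesktopVirtualization and Az.Resources PowerShell modules, as an added example that is not code from the original tutorial. Resource names, region and the user principal name are placeholders; session host VM creation is left to the portal as in the tutorial.

```powershell
# Added example: scripted equivalent of the portal steps in this tutorial.
# Requires the Az.DesktopVirtualization and Az.Resources modules and an
# authenticated session (Connect-AzAccount). All values below are placeholders.
$ResourceGroup    = 'rg-avd-tutorial'           # existing resource group
$Location         = 'westeurope'
$HostPoolName     = 'hp01'
$WorkspaceName    = 'ws01'
$AppGroupName     = "$HostPoolName-DAG"
$UserUpn          = 'user@contoso.example'      # user who will connect
$EntraRdpProperty = 'targetisaadjoined:i:1;'

# Prerequisite check from the tutorial: the deploying account needs at least
# Desktop Virtualization Contributor and Virtual Machine Contributor on the
# resource group (Contributor or Owner also suffice).
function Test-AvdDeployerRoles {
    param([Parameter(Mandatory)][string]$ResourceGroupName)
    $me    = (Get-AzContext).Account.Id
    $scope = (Get-AzResourceGroup -Name $ResourceGroupName).ResourceId
    $roles = Get-AzRoleAssignment -SignInName $me -Scope $scope |
             Select-Object -ExpandProperty RoleDefinitionName
    $needed  = @('Desktop Virtualization Contributor', 'Virtual Machine Contributor')
    $broad   = @('Contributor', 'Owner')
    $missing = @($needed | Where-Object { $_ -notin $roles })
    if ($missing.Count -gt 0 -and -not ($roles | Where-Object { $_ -in $broad })) {
        throw "Missing RBAC roles on ${ResourceGroupName}: $($missing -join ', ')"
    }
}

# Merge a property into an RDP property string without duplicating it. The
# new property goes first, as the tutorial instructs; any earlier value of the
# same property is dropped and the remaining properties keep their order.
function Add-AvdRdpProperty {
    param([string]$Existing, [Parameter(Mandatory)][string]$Property)
    $name = ($Property -split ':')[0]
    $kept = @($Existing -split ';' | Where-Object { $_ -and ($_ -split ':')[0] -ne $name })
    $merged = $Property
    if ($kept.Count -gt 0) { $merged += ($kept -join ';') + ';' }
    return $merged
}

Test-AvdDeployerRoles -ResourceGroupName $ResourceGroup

# 1. Personal host pool with automatic assignment (Basics tab).
$hostPool = New-AzWvdHostPool -ResourceGroupName $ResourceGroup -Name $HostPoolName `
    -Location $Location -HostPoolType Personal -PersonalDesktopAssignmentType Automatic `
    -LoadBalancerType Persistent -PreferredAppGroupType Desktop -ValidationEnvironment:$false

# 2. Desktop application group bound to the host pool, and a workspace that
#    registers it (Workspace tab: Register desktop app group = Yes).
$appGroup = New-AzWvdApplicationGroup -ResourceGroupName $ResourceGroup -Name $AppGroupName `
    -Location $Location -ApplicationGroupType Desktop -HostPoolArmPath $hostPool.Id
New-AzWvdWorkspace -ResourceGroupName $ResourceGroup -Name $WorkspaceName `
    -Location $Location -ApplicationGroupReference $appGroup.Id | Out-Null

# 3. Assign the user. Membership of the application group is the
#    Desktop Virtualization User role on that group; signing in to the
#    Entra-joined VM additionally needs Virtual Machine User Login (here on
#    the resource group, one of the scopes the tutorial's prerequisites allow).
New-AzRoleAssignment -SignInName $UserUpn -RoleDefinitionName 'Desktop Virtualization User' `
    -ResourceName $AppGroupName -ResourceGroupName $ResourceGroup `
    -ResourceType 'Microsoft.DesktopVirtualization/applicationGroups' | Out-Null
New-AzRoleAssignment -SignInName $UserUpn -RoleDefinitionName 'Virtual Machine User Login' `
    -ResourceGroupName $ResourceGroup | Out-Null

# 4. Enable connections from all Remote Desktop clients by putting
#    targetisaadjoined:i:1; at the start of the host pool's RDP properties.
$current = (Get-AzWvdHostPool -ResourceGroupName $ResourceGroup -Name $HostPoolName).CustomRdpProperty
$updated = Add-AvdRdpProperty -Existing $current -Property $EntraRdpProperty
if ($updated -ne $current) {
    Update-AzWvdHostPool -ResourceGroupName $ResourceGroup -Name $HostPoolName `
        -CustomRdpProperty $updated | Out-Null
}
```

Run the script again after adding session hosts in the portal; every step is idempotent except the two New-Az* resource creations, which fail if the resource already exists.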

Connect to the desktop

You're ready to connect to the desktop. The desktop takes longer to load the first time as the profile is being created, however subsequent connections are quicker.

Important

Make sure the user account you're using to connect has been assigned the Virtual
Machine User Login or Virtual Machine Administrator Login RBAC role on the
subscription, session host VM, or the resource group containing the VM, as
mentioned in the prerequisites, else you won't be able to connect.

Select the relevant tab and follow the steps, depending on which Remote Desktop client
you're using. We've only listed the steps here for Windows, Web and macOS, but if you
want to connect using one of our other Remote Desktop clients, see Remote Desktop
clients for Azure Virtual Desktop.

Windows

1. Open the Remote Desktop app on your device.

2. Select the three dots in the top right-hand corner, then select Subscribe with
URL.

3. In the Email or Workspace URL box, enter https://rdweb.wvd.microsoft.com. After a few seconds, the message We found Workspaces at the following URLs should be displayed.

4. Select Next.

5. Sign in with the user account you assigned to the application group. After a
few seconds, the workspace should show with an icon named
SessionDesktop.

6. Double-click SessionDesktop to launch a desktop session. You need to enter the password for the user account again.

Next steps
Now that you've created and connected to a Windows 11 desktop with Azure Virtual
Desktop there's much more you can do. For a more in-depth and adaptable approach to
deploying Azure Virtual Desktop, see Deploy Azure Virtual Desktop, or for suggestions
of what else you can configure, see:

Add session hosts to a host pool.

Publish applications.

User profile management for Azure Virtual Desktop with FSLogix profile containers.

Understand network connectivity.

Learn about supported identities and authentication methods

Set up email discovery to subscribe to Azure Virtual Desktop.

Configure single sign-on for Azure Virtual Desktop using Microsoft Entra
authentication.

Learn about session host virtual machine sizing guidelines.

Use Microsoft Teams on Azure Virtual Desktop.

Monitor your deployment with Azure Virtual Desktop Insights.

Recommendations for deploying Azure Virtual Desktop for internal or external commercial purposes
Article • 01/10/2024

You can deploy Azure Virtual Desktop to be tailored to your requirements, depending
on many factors like end-users, the existing infrastructure of the organization deploying
the service, and so on. How do you make sure you meet your organization's needs?

This article provides guidance for your Azure Virtual Desktop deployment structure. The
examples listed in this article aren't the only possible ways you can deploy Azure Virtual
Desktop. However, we do cover two of the most basic types of deployments for internal
or external commercial purposes.

Deploying Azure Virtual Desktop for internal purposes

If you're making an Azure Virtual Desktop deployment for users inside your
organization, you can host all your users and resources in the same Azure tenant. You
can also use Azure Virtual Desktop's currently supported identity management methods
to keep your users secure.

These components are the most basic requirements for an Azure Virtual Desktop
deployment that can serve desktops and applications to users within your organization:

One host pool to host user sessions
One Azure subscription to host the host pool
One Azure tenant to be the owning tenant for the subscription and identity management

However, you can also deploy Azure Virtual Desktop with multiple host pools that offer
different applications to different groups of users.

Some customers choose to create separate Azure subscriptions to store each Azure
Virtual Desktop deployment in. This practice lets you distinguish the cost of each
deployment from each other based on the sub-organizations they provide resources to.
Others choose to use Azure billing scopes to distinguish costs at a more granular level.
To learn more, see Understand and work with scopes.

Licensing Azure Virtual Desktop works differently for internal and external commercial
purposes. If you're providing Azure Virtual Desktop access for internal commercial
purposes, you must purchase an eligible license for each user that accesses Azure Virtual
Desktop. You can't use per-user access pricing for internal commercial purposes. To
learn more about the different licensing options, see License Azure Virtual Desktop.

Deploying Azure Virtual Desktop for external purposes

If your Azure Virtual Desktop deployment serves end-users outside your organization,
especially users that don't typically use Windows or don't have access to your
organization's internal resources, you need to consider extra security recommendations.

Azure Virtual Desktop doesn't currently support external identities, including business-
to-business (B2B) or business-to-client (B2C) users. You need to create and manage
these identities manually and provide the credentials to your users yourself. Users then
use these identities to access resources in Azure Virtual Desktop.

To provide a secure solution to your customers, Microsoft strongly recommends creating a Microsoft Entra tenant and subscription for each customer with their own
dedicated Active Directory. This separation means you have to create a separate Azure
Virtual Desktop deployment for each organization that's isolated from the other
deployments and their resources. The virtual machines that each organization uses
shouldn't be able to access the resources of other companies to keep information
secure. You can set up these separate deployments by using either a combination of
Active Directory Domain Services (AD DS) and Microsoft Entra Connect or by using
Microsoft Entra Domain Services.

If you're providing Azure Virtual Desktop access for external commercial purposes, per-
user access pricing lets you pay for Azure Virtual Desktop access rights on behalf of
external users. You must enroll in per-user access pricing to build a compliant
deployment for external users. You pay for per-user access pricing through an Azure
subscription. To learn more about the different licensing options, see License Azure
Virtual Desktop.

Next steps
To learn more about licensing Azure Virtual Desktop, see License Azure Virtual
Desktop.
Learn how to Enroll in per-user access pricing.
Understand and estimate costs for Azure Virtual Desktop.
Understand and estimate costs for Azure Virtual Desktop
Article • 01/10/2024

Azure Virtual Desktop costs come from two sources: underlying Azure resource
consumption and licensing. Azure Virtual Desktop costs are charged to the organization
that owns the Azure Virtual Desktop deployment, not the end-users accessing the
deployment resources. Some licensing charges must be paid in advance. Azure meters
track other licenses and the underlying resource consumption charges based on your
usage.

The organization who pays for Azure Virtual Desktop is responsible for handling the
resource management and costs. If the owner no longer needs resources connected to
their Azure Virtual Desktop deployment, they should ensure those resources are
properly removed. For more information, see How to manage Azure resources by using
the Azure portal.

This article explains consumption and licensing costs, and how to estimate service costs
before deploying Azure Virtual Desktop.

Azure resource consumption costs

Azure resource consumption costs are the sum of all Azure resource usage charges that
provide users desktops or apps from Azure Virtual Desktop. These charges come from
the session host virtual machines (VMs), plus resources shared by other products across
Azure that require running more infrastructure to keep the service available, such as
storage accounts, network data egress, and identity management systems.

Session host costs

Session hosts are based on virtual machines (VMs), so the same Azure Compute charges
and billing mechanisms as VMs apply. These charges include the following components:

Virtual machine instance.
Storage for managed disks for the operating system and any extra data disks.
Network bandwidth.

Of the charges for these components, virtual machine instances usually cost the most.
To mitigate compute costs and optimize resource demand with availability, you can use
autoscale to automatically scale session hosts based on demand and time. You can also
use Azure savings plans or Azure reserved VM instances to reduce compute costs.

Identity provider costs

You have a choice of identity provider to use for Azure Virtual Desktop, from Microsoft
Entra ID only, or Microsoft Entra ID in conjunction with Active Directory Domain Services
(AD DS) or Microsoft Entra Domain Services. The following table shows the components
that are charged for each identity provider:

Identity provider: Components charged
Microsoft Entra ID only: Free tier available, licensed tiers for some features, such as conditional access.
Microsoft Entra ID + AD DS: Microsoft Entra ID and domain controller VM costs, including compute, storage, and networking.
Microsoft Entra ID + Microsoft Entra Domain Services: Microsoft Entra ID and Microsoft Entra Domain Services.

Accompanying service costs

Depending on which features you use for Azure Virtual Desktop, you have to pay for the associated costs of those features. Some examples might include:

Feature: Associated costs
Azure Virtual Desktop Insights: Log data in Azure Monitor. For more information, see Estimate Azure Virtual Desktop Insights costs.
App attach: Application storage, such as Azure Files or Azure NetApp Files.
FSLogix profile container: User profile storage, such as Azure Files or Azure NetApp Files.
Custom image templates: Storage and network costs for managed disks and bandwidth.

Licensing costs
In the context of providing virtualized infrastructure with Azure Virtual Desktop, internal
users (for internal commercial purposes) refers to people who are members of your own
organization, such as employees of a business or students of a school, including external
vendors or contractors. External users (for external commercial purposes) aren't
members of your organization, but your customers where you might provide a
Software-as-a-Service (SaaS) application using Azure Virtual Desktop.

Licensing Azure Virtual Desktop works differently for internal and external commercial
purposes:

If you're providing Azure Virtual Desktop access for internal commercial purposes, you must purchase an eligible license for each user that accesses Azure Virtual Desktop.

If you're providing Azure Virtual Desktop access for external commercial purposes, per-user access pricing lets you pay for Azure Virtual Desktop access rights on behalf of external users. You must enroll in per-user access pricing to build a compliant deployment for external users. You pay for per-user access pricing through an Azure subscription.

To learn more about the different options, see License Azure Virtual Desktop.

Estimate costs before deploying Azure Virtual Desktop

You can use the Azure Pricing Calculator to estimate consumption and per-user
access licensing costs before deploying Azure Virtual Desktop. Here's how to estimate
costs:

1. In a web browser, open the Azure Pricing Calculator .

2. Select the Compute tab to show the Azure Pricing Calculator compute options.

3. Select Azure Virtual Desktop. The Azure Virtual Desktop calculator module should
appear.

4. Enter the values for your deployment into the fields to estimate your monthly
Azure bill based on:

Your expected compute, storage, and networking usage.
Number of users, total hours, and concurrency.
Whether you're using per-user access pricing for external commercial purposes. If you're licensing for internal commercial purposes, you have to factor this license into your total cost estimate separately.
Whether you're using a savings plan or reserved instances.
Level of support.
Other components of your deployment, such as those features listed in Accompanying service costs.

Note

The Azure Pricing Calculator Azure Virtual Desktop module can only estimate
consumption costs for session host VMs and the aggregate additional storage of
any optional Azure Virtual Desktop features requiring storage that you choose to
deploy. Your total cost may also include egress network traffic to Microsoft 365
services, such as OneDrive for Business or Exchange Online. However, you can add
estimates for other Azure Virtual Desktop features in separate modules within the
same Azure Pricing calculator page to get a more complete or modular cost
estimate.

View costs after deploying Azure Virtual Desktop

Once you deploy Azure Virtual Desktop, you can use Microsoft Cost Management to
view your billing invoices. Users in your organization like billing admins can use cost
analysis tools and find Azure billing invoices through Microsoft Cost Management to
track monthly Azure Virtual Desktop consumption costs under your Azure subscription
or subscriptions. You can also Tag Azure Virtual Desktop resources to manage costs.

If you're using per-user access pricing, costs appear each billing cycle on the Azure
billing invoice for any enrolled subscription, alongside consumption costs and other
Azure charges.

If you Use Azure Virtual Desktop Insights, you can gain a detailed understanding of how
Azure Virtual Desktop is being used in your organization. You can use this information
to help you optimize your Azure Virtual Desktop deployment and reduce costs.

Next steps
Learn about Licensing Azure Virtual Desktop.
Tag Azure Virtual Desktop resources to manage costs.
Use Azure Virtual Desktop Insights.
Licensing Azure Virtual Desktop
Article • 03/01/2024

This article explains the licensing requirements for using Azure Virtual Desktop, whether
you're providing desktops or applications to users in your organization, or to external
users. This article shows you how licensing Azure Virtual Desktop for external
commercial purposes is different than for internal purposes, how per-user access pricing
works in detail, and how you can license other products you plan to use with Azure
Virtual Desktop.

Internal and external commercial purposes

In the context of providing virtualized infrastructure with Azure Virtual Desktop, internal
users (for internal commercial purposes) refers to people who are members of your own
organization, such as employees of a business or students of a school, including external
vendors or contractors. External users (for external commercial purposes) aren't
members of your organization, but your customers where you might provide a
Software-as-a-Service (SaaS) application using Azure Virtual Desktop.

Note

Take care not to confuse external users with external identities. Azure Virtual
Desktop doesn't support external identities, including external guest accounts or
business-to-business (B2B) identities. Whether you're serving internal commercial
purposes or external users with Azure Virtual Desktop, you'll need to create and
manage identities for those users yourself. For more information, see
Recommendations for deploying Azure Virtual Desktop for internal or external
commercial purposes.

Licensing Azure Virtual Desktop works differently for internal and external commercial
purposes. Consider the following examples:

A manufacturing company called Fabrikam, Inc. might use Azure Virtual Desktop to
provide Fabrikam's employees (internal users) with access to virtual workstations
and line-of-business apps. Because Fabrikam is serving internal users, Fabrikam
must purchase one of the eligible licenses listed in Azure Virtual Desktop pricing
for each of their employees that access Azure Virtual Desktop.

A retail company called Wingtip Toys might use Azure Virtual Desktop to provide
an external contractor company (external users) with access to line-of-business
apps. Because these external users are serving internal purposes, Wingtip Toys
must purchase one of the eligible licenses listed in Azure Virtual Desktop pricing
for each of their contractors that access Azure Virtual Desktop. Per-user access
pricing isn't applicable in this scenario.

A software vendor called Contoso might use Azure Virtual Desktop to sell remote
access of Contoso's productivity app to Contoso's customers (external users).
Because Contoso is serving external users for external commercial purposes,
Contoso must enroll in Azure Virtual Desktop's per-user access pricing. This
enables Contoso to pay for Azure Virtual Desktop access rights on behalf of those
external users who connect to Contoso's deployment. The users don't need a
separate license like Microsoft 365 to access Azure Virtual Desktop. Contoso still
needs to create and manage identities for those external users.

Important

Per-user access pricing can only be used for external commercial purposes, not internal purposes. Per-user access pricing isn't a way to enable external guest user accounts with Azure Virtual Desktop. Check if your Azure Virtual Desktop solution is applicable for per-user access pricing by reviewing our licensing documentation.

Eligible licenses to use Azure Virtual Desktop

You must provide an eligible license for each user that accesses Azure Virtual Desktop.
The license you need also depends on whether you're using a Windows client operating
system or a Windows Server operating system for your session hosts, and whether it's
for internal or external commercial purposes. The following table shows the eligible
licensing methods for each scenario:

Operating system (64-bit only): Licensing method (Internal commercial purposes) / Licensing method (External commercial purposes)

Windows 11 Enterprise multi-session, Windows 11 Enterprise, Windows 10 Enterprise multi-session, Windows 10 Enterprise:
Internal commercial purposes: Microsoft 365 E3, E5, A3, A5, F3, Business Premium, Student Use Benefit; Windows Enterprise E3, E5; Windows Education A3, A5; Windows VDA per user.
External commercial purposes: Per-user access pricing by enrolling an Azure subscription.

Windows Server 2022, Windows Server 2019, Windows Server 2016:
Internal commercial purposes: Remote Desktop Services (RDS) Client Access License (CAL) with Software Assurance (per-user or per-device); RDS User Subscription Licenses.
External commercial purposes: Windows Server 2022 RDS Subscriber Access License (SAL). Per-user access pricing isn't available for Windows Server operating systems.

Per-user access pricing for external commercial purposes to use Azure Virtual
Desktop

Per-user access pricing lets you pay for Azure Virtual Desktop access rights for external
commercial purposes. You must enroll in per-user access pricing to build a compliant
deployment for external users.

You pay for per-user access pricing through your enrolled Azure subscription or
subscriptions on top of your charges for virtual machines, storage, and other Azure
services. Each billing cycle, you only pay for users who actually used the service. Only
users that connect at least once in that month to Azure Virtual Desktop incur an access
charge.

There are two price tiers for Azure Virtual Desktop per-user access pricing. Charges are
determined automatically each billing cycle based on the type of application groups a
user connected to. Each price tier has flat per-user access charges. For example, a user
incurs the same charge to your subscription no matter when or how many hours they
used the service during that billing cycle. If a user doesn't access a RemoteApp or
desktop, then there's no charge.

Price tier: Apps
  A flat price is charged for each user who accesses at least one published
  RemoteApp, but doesn't access a published full desktop.

Price tier: Desktops + apps
  A flat price is charged for each user who accesses at least one published full
  desktop. The user can also access published applications.

For more information about prices, see Azure Virtual Desktop pricing.

Important

Azure Virtual Desktop will also charge users with separate assigned licenses that
otherwise entitle them to Azure Virtual Desktop access. If you have internal users
you're purchasing eligible licenses for, we recommend you give them access to
Azure Virtual Desktop through a separate subscription that isn't enrolled in per-
user access pricing to avoid effectively paying twice for those users.

Azure Virtual Desktop issues at most one access charge for a given user in a given
billing period. For example, if you grant the user Alice access to Azure Virtual Desktop
resources across two different Azure subscriptions in the same tenant, only the first
subscription accessed by Alice incurs a usage charge.
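The two billing rules just described (a flat tier per user, decided by the type of
application group they connected to, and at most one charge per user per billing period,
landing on the first subscription they accessed) are easy to get wrong when estimating
cost. The following Python script is an added example, not code or tooling from
Microsoft: it classifies a constructed set of connection records into the two price
tiers. The unit prices are placeholders, because the real prices are on the Azure Virtual
Desktop pricing page, not here, and it assumes that a user who reached a full desktop
through any enrolled subscription in the period falls into the "Desktops + apps" tier.

```python
from collections import defaultdict
from datetime import date

# Placeholder unit prices (constructed; the real prices are on the Azure Virtual
# Desktop pricing page, not on this page).
PRICE_APPS = 1.00
PRICE_DESKTOPS_AND_APPS = 2.00

# Constructed sample of connection records for a tenant enrolled in per-user pricing.
# Each record: (user, subscription, application group type, connection date)
SAMPLE_CONNECTIONS = [
    ("alice", "sub-A", "RemoteApp", date(2024, 7, 2)),
    ("alice", "sub-B", "Desktop", date(2024, 7, 5)),   # second subscription, later in month
    ("bob", "sub-A", "RemoteApp", date(2024, 7, 3)),
    ("bob", "sub-A", "RemoteApp", date(2024, 7, 9)),   # repeat use: still one flat charge
    ("carol", "sub-B", "Desktop", date(2024, 7, 1)),
    ("dave", "sub-A", "RemoteApp", date(2024, 8, 1)),  # outside the July billing period
]


def charges_for_period(connections, year, month):
    """Work out who incurs an access charge in one billing month.

    Returns {subscription: {user: tier}} where tier is "Apps" or
    "Desktops + apps". Each user appears at most once, under the subscription
    they connected to first in the period. Assumption of this example: a user's
    tier is decided by all of their connections in the period, so a desktop
    session anywhere puts them in "Desktops + apps".
    """
    in_period = sorted(
        (c for c in connections if c[3].year == year and c[3].month == month),
        key=lambda c: c[3],
    )
    first_subscription = {}
    used_desktop = set()
    for user, subscription, group_type, _ in in_period:
        first_subscription.setdefault(user, subscription)   # keeps the earliest
        if group_type == "Desktop":
            used_desktop.add(user)
    charges = defaultdict(dict)
    for user, subscription in first_subscription.items():
        charges[subscription][user] = (
            "Desktops + apps" if user in used_desktop else "Apps"
        )
    return dict(charges)


def estimate_cost(charges, price_apps=PRICE_APPS,
                  price_desktops=PRICE_DESKTOPS_AND_APPS):
    """Sum the flat per-user charges across all enrolled subscriptions."""
    total = 0.0
    for users in charges.values():
        for tier in users.values():
            total += price_desktops if tier == "Desktops + apps" else price_apps
    return total


if __name__ == "__main__":
    july = charges_for_period(SAMPLE_CONNECTIONS, 2024, 7)
    for subscription, users in sorted(july.items()):
        print(subscription, users)
    print("estimated access charges:", estimate_cost(july))
```

Running it for July charges alice once (on sub-A, where she connected first, but in the
desktop tier because of her later desktop session on sub-B), bob once despite two
connections, carol once, and dave not at all.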

To learn how to enroll an Azure subscription for per-user access pricing, see Enroll in
per-user access pricing.

Licensing other products and services for use with Azure Virtual Desktop

The Azure Virtual Desktop per-user access license isn't a full replacement for a Windows
or Microsoft 365 license. Per-user licenses only grant access rights to Azure Virtual
Desktop and don't include Microsoft Office, Microsoft Defender XDR, or Universal Print.
This means that if you choose a per-user license, you need to separately license other
products and services to grant your users access to them in your Azure Virtual Desktop
environment.

There are a few ways to enable your external users to access Office:

- Users can sign in to Office with their own Office account.
- You can resell Office through your Cloud Service Provider (CSP).
- You can distribute Office by using a Service Provider Licensing Agreement (SPLA).

Comparing licensing options

Here's a summary of the two types of licenses for Azure Virtual Desktop you can choose
from:

Access rights
  Eligible Windows, Microsoft 365, or RDS license: Internal purposes only. It doesn't
  grant permission for external commercial purposes, not even for identities you
  create in your own Microsoft Entra tenant.
  Per-user access pricing: External commercial purposes only. It doesn't grant access
  to members of your own organization or contractors for internal business purposes.

Billing
  Eligible Windows, Microsoft 365, or RDS license: Licensing channels.
  Per-user access pricing: Pay-as-you-go through an Azure meter, billed to an Azure
  subscription.

User behavior
  Eligible Windows, Microsoft 365, or RDS license: Fixed cost per user each month
  regardless of user behavior.
  Per-user access pricing: Cost per user each month depends on user behavior.

Other products
  Eligible Windows, Microsoft 365, or RDS license: Dependent on the license.
  Per-user access pricing: Only includes access rights to Azure Virtual Desktop and
  FSLogix.

Next steps

Now that you're familiar with your licensing pricing options, you can start planning your
Azure Virtual Desktop environment. Here are some articles that might help you:

- Enroll in per-user access pricing
- Understand and estimate costs for Azure Virtual Desktop

Supported identities and authentication
methods
Article • 07/16/2024

In this article, we'll give you a brief overview of what kinds of identities and
authentication methods you can use in Azure Virtual Desktop.

Identities
Azure Virtual Desktop supports different types of identities depending on which
configuration you choose. This section explains which identities you can use for each
configuration.

Important

Azure Virtual Desktop doesn't support signing in to Microsoft Entra ID with one
user account, then signing in to Windows with a separate user account. Signing in
with two different accounts at the same time can lead to users reconnecting to the
wrong session host, incorrect or missing information in the Azure portal, and error
messages appearing while using app attach or MSIX app attach.

On-premises identity
Since users must be discoverable through Microsoft Entra ID to access the Azure Virtual
Desktop, user identities that exist only in Active Directory Domain Services (AD DS)
aren't supported. This includes standalone Active Directory deployments with Active
Directory Federation Services (AD FS).

Hybrid identity
Azure Virtual Desktop supports hybrid identities through Microsoft Entra ID, including
those federated using AD FS. You can manage these user identities in AD DS and sync
them to Microsoft Entra ID using Microsoft Entra Connect. You can also use Microsoft
Entra ID to manage these identities and sync them to Microsoft Entra Domain Services.

When accessing Azure Virtual Desktop using hybrid identities, sometimes the User
Principal Name (UPN) or Security Identifier (SID) for the user in Active Directory (AD) and
Microsoft Entra ID don't match. For example, the AD account [email protected] may
correspond to [email protected] in Microsoft Entra ID. Azure Virtual Desktop only
supports this type of configuration if either the UPN or SID for both your AD and
Microsoft Entra ID accounts match. SID refers to the user object property "ObjectSID" in
AD and "OnPremisesSecurityIdentifier" in Microsoft Entra ID.
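Before moving a hybrid-identity user population onto Azure Virtual Desktop it is worth
checking, per account, that at least one of the two anchors (UPN or SID) lines up
between AD DS and Microsoft Entra ID, since an account where neither matches will fail
in ways that are hard to diagnose later. The following Python script is an added
example and not a Microsoft tool: it takes constructed records shaped like the
ObjectSID/UserPrincipalName attributes from AD DS and the
userPrincipalName/onPremisesSecurityIdentifier attributes from Microsoft Entra ID, plus
an admin-supplied list of which AD account is meant to be which Entra account, and
reports which pairs satisfy the rule in the paragraph above.

```python
# Constructed sample directory records (not real accounts). The AD DS fields mirror
# the attributes Get-ADUser exposes; the Entra fields mirror those Microsoft Graph
# returns for a user object.
AD_USERS = [
    {"userPrincipalName": "alice@corp.local",
     "objectSid": "S-1-5-21-100-200-300-1001"},
    {"userPrincipalName": "bob@contoso.example",
     "objectSid": "S-1-5-21-100-200-300-1002"},
    {"userPrincipalName": "carol@corp.local",
     "objectSid": "S-1-5-21-100-200-300-1003"},
]
ENTRA_USERS = [
    # UPN differs from AD, but the SID was synced: supported.
    {"userPrincipalName": "alice@contoso.example",
     "onPremisesSecurityIdentifier": "S-1-5-21-100-200-300-1001"},
    # Same UPN as AD (only case differs), no SID synced: supported via UPN.
    {"userPrincipalName": "Bob@Contoso.example",
     "onPremisesSecurityIdentifier": None},
    # Neither the UPN nor the SID matches the AD account: not supported.
    {"userPrincipalName": "carol@contoso.example",
     "onPremisesSecurityIdentifier": "S-1-5-21-100-200-300-9999"},
]
# Which AD account is intended to be which Entra account, as the admin knows them.
PAIRS = [
    ("alice@corp.local", "alice@contoso.example"),
    ("bob@contoso.example", "Bob@Contoso.example"),
    ("carol@corp.local", "carol@contoso.example"),
]


def _index_by_upn(users):
    """UPNs are case-insensitive, so index on the lower-cased value."""
    return {u["userPrincipalName"].lower(): u for u in users}


def check_hybrid_identities(ad_users, entra_users, pairs):
    """Return {ad_upn: verdict} for each AD/Entra pair.

    A pair is supported when the Entra onPremisesSecurityIdentifier equals the AD
    objectSid, or when the two UPNs are equal (ignoring case). Otherwise Azure
    Virtual Desktop won't accept the configuration.
    """
    ad_by_upn = _index_by_upn(ad_users)
    entra_by_upn = _index_by_upn(entra_users)
    verdicts = {}
    for ad_upn, entra_upn in pairs:
        ad = ad_by_upn[ad_upn.lower()]
        entra = entra_by_upn[entra_upn.lower()]
        synced_sid = entra["onPremisesSecurityIdentifier"]
        sid_match = synced_sid is not None and synced_sid == ad["objectSid"]
        upn_match = ad_upn.lower() == entra_upn.lower()
        if sid_match:
            verdicts[ad_upn] = "supported (SID match)"
        elif upn_match:
            verdicts[ad_upn] = "supported (UPN match)"
        else:
            verdicts[ad_upn] = "unsupported (neither UPN nor SID matches)"
    return verdicts


if __name__ == "__main__":
    for upn, verdict in check_hybrid_identities(AD_USERS, ENTRA_USERS, PAIRS).items():
        print(f"{upn}: {verdict}")
```

In a real tenant you would feed it the exported attribute values rather than the
constructed records; the comparison logic is the same.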

Cloud-only identity
Azure Virtual Desktop supports cloud-only identities when using Microsoft Entra joined
VMs. These users are created and managed directly in Microsoft Entra ID.

Note

You can also assign hybrid identities to Azure Virtual Desktop application groups
that host session hosts of join type Microsoft Entra joined.

Federated identity
If you're using a third-party Identity Provider (IdP), other than Microsoft Entra ID or
Active Directory Domain Services, to manage your user accounts, you must ensure that:

- Your IdP is federated with Microsoft Entra ID.
- Your session hosts are Microsoft Entra joined or Microsoft Entra hybrid joined.
- You enable Microsoft Entra authentication to the session host.

External identity
Azure Virtual Desktop currently doesn't support external identities.

Authentication methods
When accessing Azure Virtual Desktop resources, there are three separate
authentication phases:

- Cloud service authentication: Authenticating to the Azure Virtual Desktop service,
  which includes subscribing to resources and authenticating to the Gateway, is with
  Microsoft Entra ID.
- Remote session authentication: Authenticating to the remote VM. There are
  multiple ways to authenticate to the remote session, including the recommended
  single sign-on (SSO).
- In-session authentication: Authenticating to applications and web sites within the
  remote session.

For the list of credentials available on the different clients for each authentication
phase, compare the clients across platforms.

Important

In order for authentication to work properly, your local machine must also be able
to access the required URLs for Remote Desktop clients.

The following sections provide more information on these authentication phases.

Cloud service authentication

To access Azure Virtual Desktop resources, you must first authenticate to the service by
signing in with a Microsoft Entra ID account. Authentication happens whenever you
subscribe to retrieve your resources, connect to the gateway when launching a
connection or when sending diagnostic information to the service. The Microsoft Entra
ID resource used for this authentication is Azure Virtual Desktop (app ID 9cdead84-
a844-4324-93f2-b2e6bb768d07).

Multifactor authentication

Follow the instructions in Enforce Microsoft Entra multifactor authentication for Azure
Virtual Desktop using Conditional Access to learn how to enforce Microsoft Entra
multifactor authentication for your deployment. That article will also tell you how to
configure how often your users are prompted to enter their credentials. When deploying
Microsoft Entra joined VMs, note the extra steps for Microsoft Entra joined session host
VMs.

Passwordless authentication

You can use any authentication type supported by Microsoft Entra ID, such as Windows
Hello for Business and other passwordless authentication options (for example, FIDO
keys), to authenticate to the service.

Smart card authentication

To use a smart card to authenticate to Microsoft Entra ID, you must first configure
Microsoft Entra certificate-based authentication or configure AD FS for user certificate
authentication.

Third-party identity providers

You can use third-party identity providers as long as they federate with Microsoft Entra
ID.

Remote session authentication

If you haven't already enabled single sign-on or saved your credentials locally, you'll also
need to authenticate to the session host when launching a connection.

Single sign-on (SSO)

SSO allows the connection to skip the session host credential prompt and automatically
sign the user in to Windows through Microsoft Entra authentication. For session hosts
that are Microsoft Entra joined or Microsoft Entra hybrid joined, it's recommended to
enable SSO using Microsoft Entra authentication. Microsoft Entra authentication
provides other benefits including passwordless authentication and support for third-
party identity providers.

Azure Virtual Desktop also supports SSO using Active Directory Federation Services (AD
FS) for the Windows Desktop and web clients.

Without SSO, the client prompts users for their session host credentials for every
connection. The only way to avoid being prompted is to save the credentials in the
client. We recommend you only save credentials on secure devices to prevent other
users from accessing your resources.

Smart card and Windows Hello for Business

Azure Virtual Desktop supports both NT LAN Manager (NTLM) and Kerberos for session
host authentication, however Smart card and Windows Hello for Business can only use
Kerberos to sign in. To use Kerberos, the client needs to get Kerberos security tickets
from a Key Distribution Center (KDC) service running on a domain controller. To get
tickets, the client needs a direct networking line-of-sight to the domain controller. You
can get a line-of-sight by connecting directly within your corporate network, using a
VPN connection or setting up a KDC Proxy server.

In-session authentication
Once you're connected to your RemoteApp or desktop, you may be prompted for
authentication inside the session. This section explains how to use credentials other than
username and password in this scenario.

In-session passwordless authentication

Azure Virtual Desktop supports in-session passwordless authentication using Windows
Hello for Business or security devices like FIDO keys when using the Windows Desktop
client. Passwordless authentication is enabled automatically when the session host and
local PC are using the following operating systems:

- Windows 11 single or multi-session with the 2022-10 Cumulative Updates for
  Windows 11 (KB5018418) or later installed.
- Windows 10 single or multi-session, versions 20H2 or later with the 2022-10
  Cumulative Updates for Windows 10 (KB5018410) or later installed.
- Windows Server 2022 with the 2022-10 Cumulative Update for Microsoft server
  operating system (KB5018421) or later installed.

To disable passwordless authentication on your host pool, you must customize an RDP
property. You can find the WebAuthn redirection property under the Device redirection
tab in the Azure portal or set the redirectwebauthn property to 0 using PowerShell.

When enabled, all WebAuthn requests in the session are redirected to the local PC. You
can use Windows Hello for Business or locally attached security devices to complete the
authentication process.
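A host pool's custom RDP properties are a single string of semicolon-separated
"name:type:value" entries, so turning WebAuthn redirection off means rewriting the
existing string rather than overwriting it (doing the latter silently drops every other
property already set on the pool). The following Python helper is an added example, not
code from Microsoft: it parses such a string, sets redirectwebauthn to 0 or 1, and
serializes the result so it can be handed to the portal or to
Update-AzWvdHostPool -CustomRdpProperty. The sample property string is constructed;
the property names in it are standard RDP file settings.

```python
def parse_rdp_properties(custom_rdp_property):
    """Parse 'name:type:value;name:type:value;' into {name: (type, value)}.

    Values may themselves contain ':' (for example a command line), so the item
    is only split on the first two colons. Malformed items raise ValueError.
    """
    props = {}
    for item in custom_rdp_property.split(";"):
        item = item.strip()
        if not item:
            continue                      # trailing ';' leaves an empty entry
        parts = item.split(":", 2)
        if len(parts) != 3:
            raise ValueError(f"malformed RDP property: {item!r}")
        name, type_code, value = parts
        props[name.strip().lower()] = (type_code.strip(), value.strip())
    return props


def serialize_rdp_properties(props):
    """Inverse of parse_rdp_properties, keeping the conventional trailing ';'."""
    return ";".join(f"{name}:{type_code}:{value}"
                    for name, (type_code, value) in props.items()) + ";"


def set_webauthn_redirection(custom_rdp_property, enabled):
    """Return the property string with redirectwebauthn set to 1 (on) or 0 (off),
    leaving every other property untouched."""
    props = parse_rdp_properties(custom_rdp_property)
    props["redirectwebauthn"] = ("i", "1" if enabled else "0")
    return serialize_rdp_properties(props)


# Constructed sample of what an existing host pool might already carry.
SAMPLE_PROPERTIES = "drivestoredirect:s:;audiomode:i:0;redirectwebauthn:i:1;"

if __name__ == "__main__":
    print(set_webauthn_redirection(SAMPLE_PROPERTIES, enabled=False))
```

Because the parser keys on the lower-cased property name, a pool that already has the
property set (in any letter case) gets it replaced rather than duplicated.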

To access Microsoft Entra resources with Windows Hello for Business or security devices,
you must enable the FIDO2 Security Key as an authentication method for your users. To
enable this method, follow the steps in Enable FIDO2 security key method.

In-session smart card authentication

To use a smart card in your session, make sure you've installed the smart card drivers on
the session host and enabled smart card redirection. Review the client comparison chart
to make sure your client supports smart card redirection.

Next steps

- Curious about other ways to keep your deployment secure? Check out Security
  best practices.
- Having issues connecting to Microsoft Entra joined VMs? Look at Troubleshoot
  connections to Microsoft Entra joined VMs.
- Having issues with in-session passwordless authentication? See Troubleshoot
  WebAuthn redirection.
- Want to use smart cards from outside your corporate network? Review how to set
  up a KDC Proxy server.

Session host virtual machine sizing
guidelines
Article • 07/03/2024

Whether you're running your session host virtual machines (VM) on Remote Desktop
Services or Azure Virtual Desktop, different types of workloads require different VM
configurations. The examples in this article are generic guidelines, and you should only
use them for initial performance estimates. For the best possible experience, scale your
deployment depending on your users' needs.

Workloads
Users can run different types of workloads on the session host virtual machines. The
following table shows examples of a range of workload types to help you estimate what
size your virtual machines need to be. After you set up your virtual machines, you should
continually monitor their actual usage and adjust their size accordingly. If you end up
needing a bigger or smaller virtual machine, you can easily scale your existing
deployment up or down in Azure.

The following table describes each workload. Example users are the types of users that
might find each workload most helpful. Example apps are the kinds of apps that work
best for each workload.

Workload type: Light
  Example users: Users doing basic data entry tasks
  Example apps: Database entry applications, command-line interfaces

Workload type: Medium
  Example users: Consultants and market researchers
  Example apps: Database entry applications, command-line interfaces, Microsoft Word,
  static web pages

Workload type: Heavy
  Example users: Software engineers, content creators
  Example apps: Database entry applications, command-line interfaces, Microsoft Word,
  static web pages, Microsoft Outlook, Microsoft PowerPoint, dynamic web pages,
  software development

Workload type: Power
  Example users: Graphic designers, 3D model makers, machine learning researchers
  Example apps: Database entry applications, command-line interfaces, Microsoft Word,
  static web pages, Microsoft Outlook, Microsoft PowerPoint, dynamic web pages, photo
  and video editing, computer-aided design (CAD), computer-aided manufacturing (CAM)

Single-session recommendations
Single-session scenarios are when there's only one user signed in to a session host VM at
any one time. For example, if you use personal host pools in Azure Virtual Desktop,
you're using a single-session scenario. For VM sizing recommendations for single-
session scenarios, we recommend you use at least two physical CPU cores per VM,
typically four vCPUs with hyper-threading. If you need more specific VM sizing
recommendations for single-session scenarios, ask the software vendors specific to your
workload. VM sizing for single-session VMs usually aligns with physical device guidelines.

The following table shows examples of typical workloads:

Workload type: Light
  vCPU/RAM/OS storage minimum: 2 vCPUs, 8-GB RAM, 32-GB storage
  Example Azure instances: D2s_v5, D2s_v4
  Profile container storage minimum: 30 GB

Workload type: Medium
  vCPU/RAM/OS storage minimum: 4 vCPUs, 16-GB RAM, 32-GB storage
  Example Azure instances: D4s_v5, D4s_v4
  Profile container storage minimum: 30 GB

Workload type: Heavy
  vCPU/RAM/OS storage minimum: 8 vCPUs, 32-GB RAM, 32-GB storage
  Example Azure instances: D8s_v5, D8s_v4
  Profile container storage minimum: 30 GB

Multi-session recommendations
Multi-session scenarios are when there's more than one user signed in to a session host
virtual machine at any one time. For example, when you use pooled host pools in Azure
Virtual Desktop with the Windows 11 Enterprise multi-session operating system (OS),
that's a multi-session deployment.

The following table lists the maximum suggested number of users per virtual central
processing unit (vCPU) and the minimum VM configuration for standard or larger user
workload. If you need more specific VM sizing recommendations for single-session
scenarios, ask the software vendors specific to your workload.

Workload type: Light
  Maximum users per vCPU: 6
  Minimum vCPU/RAM/OS storage: 8 vCPUs, 16-GB RAM, 32-GB storage
  Example Azure instances: D8s_v5, D8s_v4, F8s_v2, D8as_v4, D16s_v5, D16s_v4,
  F16s_v2, D16as_v4
  Minimum profile storage: 30 GB

Workload type: Medium
  Maximum users per vCPU: 4
  Minimum vCPU/RAM/OS storage: 8 vCPUs, 16-GB RAM, 32-GB storage
  Example Azure instances: D8s_v5, D8s_v4, F8s_v2, D8as_v4, D16s_v5, D16s_v4,
  F16s_v2, D16as_v4
  Minimum profile storage: 30 GB

Workload type: Heavy
  Maximum users per vCPU: 2
  Minimum vCPU/RAM/OS storage: 8 vCPUs, 16-GB RAM, 32-GB storage
  Example Azure instances: D8s_v5, D8s_v4, F8s_v2, D8as_v4, D16s_v5, D16s_v4,
  F16s_v2, D16as_v4
  Minimum profile storage: 30 GB

Workload type: Power
  Maximum users per vCPU: 1
  Minimum vCPU/RAM/OS storage: 6 vCPUs, 56-GB RAM, 340-GB storage
  Example Azure instances: D16ds_v5, D16s_v4, D16as_v4, NV6, NV16as_v4
  Minimum profile storage: 30 GB

For multi-session workloads, you should limit VM size to between 4 vCPUs and 24
vCPUs for the following reasons:

All VMs should have more than two cores. The UI components in Windows rely on
the use of at least two parallel threads for some of the heavier rendering
operations. For multi-session scenarios, having multiple users on a two-core VM
leads to the UI and apps becoming unstable, which lowers the quality of user
experience. Four cores are the lowest recommended number of cores that a stable
multi-session VM should have.

VMs shouldn't have more than 32 cores. As the number of cores increase, the
system's synchronization overhead also increases. For most workloads, at around
16 cores, the return on investment gets lower, with most of the extra capacity
offset by synchronization overhead. User experience is better with two 16-core
VMs instead of one 32-core one.

The recommended range between 4 and 24 cores generally provides better capacity
returns for your users as you increase the number of cores. For example, if you have 12
users sign in at the same time to a VM with four cores, the ratio is three users per core.
Meanwhile, on a VM with 8 cores and 14 users, the ratio is 1.75 users per core. In this
scenario, the latter configuration with a ratio of 1.75 offers greater burst capacity for
your applications that have short-term CPU demand.

This recommendation is true at a larger scale. For scenarios with 20 or more users
connected to a single VM, several smaller VMs would perform better than one or two
large VMs. For example, if you're expecting 30 or more users to sign in within 10
minutes of each other on the same session host with 16 cores, two 8-core VMs would
handle the workload better. You can also use breadth-first load balancing to evenly
distribute users across different VMs instead of depth-first load balancing, where you
can only use a new session host after the existing one is full of users.

It's also better to use a large number of smaller VMs instead of a few large VMs. It's
easier to shut down VMs that need to be updated or aren't currently in use. With larger
VMs, you're more likely to have at least one user signed in at any time, which prevents
you from shutting down the VM. When you have many smaller VMs, it's more likely you
have some VMs without active users. You can safely shut down these unused VMs to
conserve resources, either manually or automatically by using autoscale in Azure Virtual
Desktop. Conserving resources makes your deployment more resilient, easier to
maintain, and less expensive.
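The sizing reasoning above combines three inputs: the maximum users per vCPU for the
workload type (from the multi-session table), the recommended 4 to 24 vCPU range per
host, and the preference for several smaller hosts once a single host would carry 20 or
more users. The following Python script is an added example, not a Microsoft sizing
tool: it turns those rules into a first-pass host count for a given number of concurrent
users. The per-host user cap of 20 is this example's reading of the "20 or more users"
guidance above and is an assumption you should tune to your own measurements; the
users-per-vCPU figures come from the table.

```python
import math

# Maximum suggested users per vCPU for multi-session hosts, from the table above.
MAX_USERS_PER_VCPU = {"light": 6, "medium": 4, "heavy": 2, "power": 1}
MIN_VCPUS, MAX_VCPUS = 4, 24        # recommended multi-session vCPU range above
DEFAULT_MAX_USERS_PER_HOST = 20     # assumption taken from the "20 or more users" guidance


def users_per_vcpu(users, vcpus):
    """Users per core on one host; a lower ratio leaves more burst headroom."""
    return users / vcpus


def plan_session_hosts(workload, concurrent_users, vcpus_per_host,
                       max_users_per_host=DEFAULT_MAX_USERS_PER_HOST):
    """Return (hosts, users_per_host, users_per_vcpu) for an even spread of users.

    The host count is the smallest that respects both the workload's users-per-vCPU
    ceiling and the per-host user cap. Raises ValueError when the requested host
    size falls outside the recommended 4-24 vCPU range.
    """
    if not MIN_VCPUS <= vcpus_per_host <= MAX_VCPUS:
        raise ValueError(
            f"{vcpus_per_host} vCPUs is outside the recommended "
            f"{MIN_VCPUS}-{MAX_VCPUS} vCPU range for multi-session hosts")
    if workload not in MAX_USERS_PER_VCPU:
        raise ValueError(f"unknown workload type {workload!r}")
    capacity = min(MAX_USERS_PER_VCPU[workload] * vcpus_per_host, max_users_per_host)
    hosts = max(1, math.ceil(concurrent_users / capacity))
    per_host = math.ceil(concurrent_users / hosts)
    return hosts, per_host, users_per_vcpu(per_host, vcpus_per_host)


if __name__ == "__main__":
    # The two ratios quoted in the text: 12 users on 4 cores vs 14 users on 8 cores.
    print("12 users / 4 vCPUs:", users_per_vcpu(12, 4))
    print("14 users / 8 vCPUs:", users_per_vcpu(14, 8))
    # 30 medium-workload users on 8-vCPU hosts.
    print("plan:", plan_session_hosts("medium", 30, 8))
```

For 30 medium-workload users the users-per-vCPU ceiling alone would allow one 8-vCPU
host (4 x 8 = 32), but the per-host cap splits them across two hosts at 15 users each,
which is the "several smaller VMs" outcome the text recommends.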

General virtual machine recommendations

In order to run your chosen OS in Azure, you must use Premium SSD storage for
production workloads that require a service level agreement (SLA). For more
information, see the Service Level Agreements (SLA) for Online Services.

Graphics processing units (GPUs) are a good choice for users who regularly use
graphics-intensive programs for video rendering, 3D design, and simulations. Azure has
several graphics acceleration deployment options and multiple available GPU VM sizes.
Learn more at GPU optimized virtual machine sizes. For more general information about
graphics acceleration in Remote Desktop Services, see Remote Desktop Services - GPU
acceleration.

B-series burstable VMs in Azure are a good choice for users who don't always need
maximum CPU performance. For more information, see Sizes for Windows virtual
machines in Azure and the pricing information on the Virtual Machine series .

Test your workload

Finally, you should use simulation tools to test your deployment with both stress tests
and real-life usage simulations. Make sure your system is responsive and resilient
enough to meet user needs, and remember to vary the load size to avoid surprises.

Understanding Azure Virtual Desktop
network connectivity
Article • 06/24/2024

Azure Virtual Desktop hosts client sessions on session hosts running on Azure. Microsoft
manages portions of the services on the customer's behalf and provides secure
endpoints for connecting clients and session hosts. The following diagram gives a high-
level overview of the network connections used by Azure Virtual Desktop.

[Diagram: Azure Virtual Desktop Network Connections. Components shown: Client,
Session Host, RD Web, RD Gateway, RD Broker (the Azure Virtual Desktop
infrastructure), Azure Active Directory, Active Directory Domain Services, and the
Public Internet. Connections shown: Reverse Connect Transport (TCP 443), Feed
subscription (TCP 443), Azure AD Authentication (TCP 443), RD Agent communication
(TCP 443), RDP data (TLS), Internal service traffic, Azure AD Connect Sync (TCP 443),
and Local Active Directory connectivity (various).]

Session connectivity
Azure Virtual Desktop uses Remote Desktop Protocol (RDP) to provide remote display
and input capabilities over network connections. RDP was initially released with
Windows NT 4.0 Terminal Server Edition and was continuously evolving with every
Microsoft Windows and Windows Server release. From the beginning, RDP developed to
be independent of its underlying transport stack, and today it supports multiple types of
transport.

Reverse connect transport
Azure Virtual Desktop is using reverse connect transport for establishing the remote
session and for carrying RDP traffic. Unlike the on-premises Remote Desktop Services
deployments, reverse connect transport doesn't use a TCP listener to receive incoming
RDP connections. Instead, it's using outbound connectivity to the Azure Virtual Desktop
infrastructure over the HTTPS connection.

Session host communication channel

Upon startup of the Azure Virtual Desktop session host, the Remote Desktop Agent
Loader service establishes the Azure Virtual Desktop broker's persistent communication
channel. This communication channel is layered on top of a secure Transport Layer
Security (TLS) connection and serves as a bus for service message exchange between
session host and Azure Virtual Desktop infrastructure.

Client connection sequence

The client connection sequence is as follows:

1. Using a supported Azure Virtual Desktop client, the user subscribes to the Azure
   Virtual Desktop Workspace.

2. Microsoft Entra authenticates the user and returns the token used to enumerate
resources available to a user.

3. Client passes token to the Azure Virtual Desktop feed subscription service.

4. Azure Virtual Desktop feed subscription service validates the token.

5. Azure Virtual Desktop feed subscription service passes the list of available
desktops and applications back to the client in the form of digitally signed
connection configuration.

6. Client stores the connection configuration for each available resource in a set of
.rdp files.

7. When a user selects the resource to connect, the client uses the associated .rdp
file and establishes a secure TLS 1.2 connection to an Azure Virtual Desktop
gateway instance with the help of Azure Front Door and passes the connection
information. The latency from all gateways is evaluated, and the gateways are put
into groups of 10 ms. The gateway with the lowest latency and then lowest
number of existing connections is chosen.

8. Azure Virtual Desktop gateway validates the request and asks the Azure Virtual
Desktop broker to orchestrate the connection.

9. Azure Virtual Desktop broker identifies the session host and uses the previously
established persistent communication channel to initialize the connection.

10. Remote Desktop stack initiates a TLS 1.2 connection to the same Azure Virtual
Desktop gateway instance as used by the client.

11. After both the client and the session host have connected to the gateway, the
    gateway starts relaying the data between both endpoints. This connection
    establishes the base reverse connect transport for the RDP connection through a
    nested tunnel, using the mutually agreed TLS version supported and enabled
    between the client and session host, up to TLS 1.3.

12. After the base transport is set, the client starts the RDP handshake.

Connection security
TLS is used for all connections. The version used depends on which connection is made
and the capabilities of the client and session host:

For all connections initiated from the clients and session hosts to the Azure Virtual
Desktop infrastructure components, TLS 1.2 is used. Azure Virtual Desktop uses the
same TLS 1.2 ciphers as Azure Front Door. It's important to make sure both client
computers and session hosts can use these ciphers.

For the reverse connect transport, both the client and session host connect to the
Azure Virtual Desktop gateway. After the TCP connection for the base transport is
established, the client or session host validates the Azure Virtual Desktop
gateway's certificate. RDP then establishes a nested TLS connection between client
and session host using the session host's certificates. The version of TLS uses the
mutually agreed TLS version supported and enabled between the client and
session host, up to TLS 1.3. TLS 1.3 is supported starting in Windows 11 (21H2) and
in Windows Server 2022. To learn more, see Windows 11 TLS support. For other
operating systems, check with the operating system vendor for TLS 1.3 support.

By default, the certificate used for RDP encryption is self-generated by the OS during
the deployment. You can also deploy centrally managed certificates issued by the
enterprise certification authority. For more information about configuring certificates,
see Remote Desktop listener certificate configurations.

Next steps

- To learn about bandwidth requirements for Azure Virtual Desktop, see
  Understanding Remote Desktop Protocol (RDP) Bandwidth Requirements for Azure
  Virtual Desktop.
- To get started with Quality of Service (QoS) for Azure Virtual Desktop, see
  Implement Quality of Service (QoS) for Azure Virtual Desktop.


Remote Desktop Protocol (RDP)
bandwidth requirements
Article • 05/25/2022

Remote Desktop Protocol (RDP) is a sophisticated technology that uses various
techniques to optimize delivery of the server's remote graphics to the client device.
Depending on the use case, availability of computing resources, and network
bandwidth, RDP dynamically adjusts various parameters to deliver the best user
experience.

Remote Desktop Protocol multiplexes multiple Dynamic Virtual Channels (DVCs) into a
single data channel sent over different network transports. There are separate DVCs for
remote graphics, input, device redirection, printing, and more. Azure Virtual Desktop
partners can also use their extensions that use DVC interfaces.

The amount of the data sent over RDP depends on the user activity. For example, a user
may work with basic textual content for most of the session and consume minimal
bandwidth, but then generate a printout of a 200-page document to the local printer.
This print job will use a significant amount of network bandwidth.

When using a remote session, your network's available bandwidth dramatically impacts
the quality of your experience. Different applications and display resolutions require
different network configurations, so it's essential to make sure your network
configuration meets your needs.

Estimating bandwidth utilization

RDP uses various compression algorithms for different types of data. The following
table helps you estimate the data transferred:

Type of data: Remote graphics
  Direction: Session host to client
  How to estimate: See the detailed guidelines

Type of data: Heartbeats
  Direction: Both directions
  How to estimate: ~20 bytes every 5 seconds

Type of data: Input
  Direction: Client to session host
  How to estimate: Amount of data is based on the user activity, less than 100 bytes
  for most operations

Type of data: File transfers
  Direction: Both directions
  How to estimate: File transfers use bulk compression. Use .zip compression for
  approximation.

Type of data: Printing
  Direction: Session host to client
  How to estimate: Print job transfer depends on the driver and uses bulk compression;
  use .zip compression for approximation.

Other scenarios can have their bandwidth requirements change depending on how you
use them, such as:

- Voice or video conferencing
- Real-time communication
- Streaming 4K video

Estimating bandwidth used by remote graphics

It's tough to predict bandwidth use by the remote desktop. The user activities generate
most of the remote desktop traffic. Every user is unique, and differences in their work
patterns may significantly change network use.

The best way to understand bandwidth requirements is to monitor real user
connections. Monitoring can be performed by the built-in performance counters or by
the network equipment.

However, in many cases, you may estimate network utilization by understanding how
Remote Desktop Protocol works and by analyzing your users' work patterns.

The remote protocol delivers the graphics generated by the remote server to display it
on a local monitor. More specifically, it provides the desktop bitmap entirely composed
on the server. While sending a desktop bitmap seems like a simple task at first
approach, it requires a significant amount of resources. For example, a 1080p desktop
image in its uncompressed form is about 8 MB in size. Displaying this image on the
locally connected monitor with a modest screen refresh rate of 30 Hz requires
bandwidth of about 237 MB/s.

To reduce the amount of data transferred over the network, RDP uses a combination
of multiple techniques, including but not limited to:

Frame rate optimizations
Screen content classification
Content-specific codecs
Progressive image encoding
Client-side caching

To better understand remote graphics, consider the following:

The richer the graphics, the more bandwidth they take.
Text, window UI elements, and solid color areas consume less bandwidth than
anything else.
Natural images are the most significant contributors to bandwidth use, but
client-side caching helps reduce it.
Only changed parts of the screen are transmitted. If there are no visible updates on
the screen, no updates are sent.
Video playback and other high-frame-rate content are essentially an image
slideshow. RDP dynamically uses appropriate video codecs to deliver them at close
to the original frame rate. However, it's still graphics, and it's still the most
significant contributor to bandwidth utilization.
Idle time in a remote desktop means no or minimal screen updates, so network use
is minimal during idle times.
When the Remote Desktop client window is minimized, no graphical updates are sent
from the session host.

Keep in mind that the stress put on your network depends on both your app workload's
output frame rate and your display resolution. If either the frame rate or display
resolution increases, the bandwidth requirement will also rise. For example, a light
workload with a high-resolution display requires more available bandwidth than a light
workload with regular or low resolution. Different display resolutions require different
available bandwidths.

The table below helps estimate the data used by different graphics scenarios.
These numbers apply to a single monitor configuration with 1920x1080 resolution and
to both the default graphics mode and the H.264/AVC 444 graphics mode.

Scenario                   Default mode   H.264/AVC 444 mode   Description of the scenario
Idle                       0.3 Kbps       0.3 Kbps             User has paused their work and there are no
                                                               active screen updates
Microsoft Word             100-150 Kbps   200-300 Kbps         User is actively working with Microsoft Word:
                                                               typing, pasting graphics and switching
                                                               between documents
Microsoft Excel            150-200 Kbps   400-500 Kbps         User is actively working with Microsoft Excel;
                                                               multiple cells with formulas and charts are
                                                               updated simultaneously
Microsoft PowerPoint       4-4.5 Mbps     1.6-1.8 Mbps         User is actively working with Microsoft
                                                               PowerPoint: typing, pasting. User is also
                                                               modifying rich graphics and using slide
                                                               transition effects
Web browsing               6-6.5 Mbps     0.9-1 Mbps           User is actively working with a graphically
                                                               rich website that contains multiple static
                                                               and animated images. User scrolls the pages
                                                               both horizontally and vertically
Image gallery              3.3-3.6 Mbps   0.7-0.8 Mbps         User is actively working with the image
                                                               gallery application: browsing, zooming,
                                                               resizing and rotating images
Video playback             8.5-9.5 Mbps   2.5-2.8 Mbps         User is watching a 30 FPS video that
                                                               consumes 1/2 of the screen
Fullscreen video playback  7.5-8.5 Mbps   2.5-3.1 Mbps         User is watching a 30 FPS video that is
                                                               maximized to fullscreen
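The uncompressed-frame arithmetic from the earlier paragraph and the per-scenario rates from the table above can be turned into a small planning tool. The following is an added example, not code from the Azure Virtual Desktop documentation: Get-UncompressedFrameBandwidth computes the raw bitmap cost for any resolution and refresh rate (with the defaults it reproduces the 1080p figures quoted above, using 1MB = 1048576 bytes as PowerShell does), and Get-HostPoolBandwidthEstimate rolls the table's rates into an aggregate for a host pool. The scenario values are the upper end of each range in the table; the user mix, the function names and the 20% headroom factor are my own assumptions.

```powershell
# Added example (not from the Azure Virtual Desktop docs): rough RDP bandwidth
# planning for a host pool. Scenario rates are the single-monitor 1920x1080
# estimates from the table above; the user mix below is constructed.

function Get-UncompressedFrameBandwidth {
    param(
        [int]$Width = 1920,
        [int]$Height = 1080,
        [int]$BytesPerPixel = 4,   # 32-bit color
        [int]$RefreshHz = 30
    )
    $frameBytes = $Width * $Height * $BytesPerPixel
    [pscustomobject]@{
        Resolution   = "${Width}x${Height}"
        FrameMiB     = [math]::Round($frameBytes / 1MB, 2)
        MiBPerSecond = [math]::Round($frameBytes * $RefreshHz / 1MB, 1)
    }
}

# Per-user estimates in Kbps (upper end of each range in the table above).
$ScenarioKbps = @{
    'Idle'            = @{ Default = 0.3;  Avc444 = 0.3 }
    'Word'            = @{ Default = 150;  Avc444 = 300 }
    'Excel'           = @{ Default = 200;  Avc444 = 500 }
    'PowerPoint'      = @{ Default = 4500; Avc444 = 1800 }
    'WebBrowsing'     = @{ Default = 6500; Avc444 = 1000 }
    'ImageGallery'    = @{ Default = 3600; Avc444 = 800 }
    'VideoPlayback'   = @{ Default = 9500; Avc444 = 2800 }
    'FullscreenVideo' = @{ Default = 8500; Avc444 = 3100 }
}

function Get-HostPoolBandwidthEstimate {
    param(
        [Parameter(Mandatory)][hashtable]$UserMix,                       # scenario -> concurrent users
        [ValidateSet('Default', 'Avc444')][string]$GraphicsMode = 'Default',
        [double]$HeadroomFactor = 1.2   # assumption: allowance for heartbeats, input and redirection bursts
    )
    $totalKbps = 0.0
    foreach ($scenario in $UserMix.Keys) {
        if (-not $ScenarioKbps.ContainsKey($scenario)) {
            throw "Unknown scenario '$scenario'; expected one of: $($ScenarioKbps.Keys -join ', ')"
        }
        $totalKbps += $ScenarioKbps[$scenario][$GraphicsMode] * $UserMix[$scenario]
    }
    [pscustomobject]@{
        GraphicsMode     = $GraphicsMode
        Users            = ($UserMix.Values | Measure-Object -Sum).Sum
        EstimatedMbps    = [math]::Round($totalKbps / 1000, 1)
        WithHeadroomMbps = [math]::Round($totalKbps * $HeadroomFactor / 1000, 1)
    }
}

# Constructed sample: 60 concurrent users, one 1080p monitor each.
$mix = @{ Idle = 10; Word = 25; Excel = 15; WebBrowsing = 8; VideoPlayback = 2 }

Get-UncompressedFrameBandwidth
Get-HostPoolBandwidthEstimate -UserMix $mix -GraphicsMode Default
Get-HostPoolBandwidthEstimate -UserMix $mix -GraphicsMode Avc444
```

Running both graphics modes side by side makes the trade-off visible: H.264/AVC 444 cuts the cost of the heavy scenarios (video, browsing, image galleries) by a large factor while roughly doubling the cost of the light ones, so the better mode depends on the mix. Treat the result as a starting point and replace the table values with your own counter measurements once the pool is live.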

Dynamic bandwidth allocation


Remote Desktop Protocol is a modern protocol designed to adjust to the changing
network conditions dynamically. Instead of using the hard limits on bandwidth
utilization, RDP uses continuous network detection that actively monitors available
network bandwidth and packet round-trip time. Based on the findings, RDP dynamically
selects the graphic encoding options and allocates bandwidth for device redirection and
other virtual channels.
This technology allows RDP to use the full network pipe when available and rapidly back
off when the network is needed for something else. RDP detects that and adjusts image
quality, frame rate, or compression algorithms if other applications request the network.

Limit network bandwidth use with throttle rate


In most scenarios, there's no need to limit bandwidth utilization, as limiting may affect
user experience. Yet in constrained networks you may want to limit network
utilization. Another example is leased networks that are charged for the amount of
traffic used.
In such cases, you can limit RDP outbound network traffic by specifying a throttle
rate in a QoS policy.

Note

Make sure that RDP Shortpath for managed networks is enabled. Throttle rate
limiting isn't supported for the reverse connect transport.

Implement throttle rate limiting on session host using Group Policy

You can use policy-based Quality of Service (QoS) within Group Policy to set the
predefined throttle rate.

To create a QoS policy for domain-joined session hosts, first, sign in to a computer on
which Group Policy Management has been installed. Open Group Policy Management
(select Start, point to Administrative Tools, and then select Group Policy Management),
and then complete the following steps:

1. In Group Policy Management, locate the container where the new policy should be
created. For example, if all your session hosts computers are located in an OU
named Session Hosts, the new policy should be created in the Session Hosts OU.

2. Right-click the appropriate container, and then select Create a GPO in this
domain, and Link it here.

3. In the New GPO dialog box, type a name for the new Group Policy object in the
Name box, and then select OK.

4. Right-click the newly created policy, and then select Edit.

5. In the Group Policy Management Editor, expand Computer Configuration, expand
Windows Settings, right-click Policy-based QoS, and then select Create new
policy.

6. In the Policy-based QoS dialog box, on the opening page, type a name for the
new policy in the Name box. Select Specify Outbound Throttle Rate and set the
required value, and then select Next.

7. On the next page, select Only applications with this executable name and enter
the name svchost.exe, and then select Next. This setting instructs the policy to
only prioritize matching traffic from the Remote Desktop Service.
8. On the third page, make sure that both Any source IP address and Any
destination IP address are selected. Select Next. These two settings ensure that
packets will be managed regardless of which computer (IP address) sent the
packets and which computer (IP address) will receive the packets.

9. On page four, select UDP from the Select the protocol this QoS policy applies to
drop-down list.

10. Under the heading Specify the source port number, select From this source port
or range. In the accompanying text box, type 3390. Select Finish.

The new policies you've created won't take effect until Group Policy has been refreshed
on your session host computers. Although Group Policy periodically refreshes on its
own, you can force an immediate refresh by following these steps:

1. On each session host for which you want to refresh Group Policy, open a
Command Prompt as administrator (Run as administrator).

2. At the command prompt, enter

Console

gpupdate /force

Implement throttle rate limiting on session host using PowerShell

You can set the throttle rate for RDP Shortpath for managed networks using the
PowerShell cmdlet below:

PowerShell

New-NetQosPolicy -Name "RDP Shortpath for managed networks" `
    -AppPathNameMatchCondition "svchost.exe" `
    -IPProtocolMatchCondition UDP `
    -IPSrcPortStartMatchCondition 3390 `
    -IPSrcPortEndMatchCondition 3390 `
    -ThrottleRateActionBitsPerSecond 10mb `
    -NetworkProfile All
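The one-line cmdlet above fails on a second run because the policy already exists, and it silently does nothing useful if RDP Shortpath for managed networks is off (the note above: throttling doesn't apply to the reverse connect transport). The following added example, which is not code from the Azure Virtual Desktop documentation, wraps it into an idempotent script that checks the prerequisite first and then creates or updates the policy. The registry values it reads (fUseUdpPortRedirector and UdpPortNumber under the Terminal Server WinStations key) are the ones documented for enabling RDP Shortpath for managed networks; the function names are my own.

```powershell
# Added example (not from the Azure Virtual Desktop docs): apply the RDP
# Shortpath throttle policy idempotently, verifying first that the managed
# networks transport (UDP 3390) is enabled, since the throttle has no effect
# on reverse connect traffic.

$PolicyName    = 'RDP Shortpath for managed networks'
$ShortpathPort = 3390
$ThrottleBps   = 10mb   # PowerShell's mb multiplier, same value as the docs example
$WinStationsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations'

function Test-RdpShortpathManagedEnabled {
    # Assumption: these are the values written when RDP Shortpath for managed
    # networks is enabled on the session host.
    $props = Get-ItemProperty -Path $WinStationsKey -ErrorAction SilentlyContinue
    return ($props.fUseUdpPortRedirector -eq 1 -and $props.UdpPortNumber -eq $ShortpathPort)
}

function Set-RdpShortpathThrottlePolicy {
    param([uint64]$BitsPerSecond = $ThrottleBps)

    if (-not (Test-RdpShortpathManagedEnabled)) {
        throw 'RDP Shortpath for managed networks is not enabled on this host; ' +
              'throttle rate limiting is not supported for the reverse connect transport.'
    }

    $existing = Get-NetQosPolicy -Name $PolicyName -ErrorAction SilentlyContinue
    if ($existing) {
        # Policy already present: only adjust the rate, so repeated runs are safe.
        Set-NetQosPolicy -Name $PolicyName -ThrottleRateActionBitsPerSecond $BitsPerSecond
    }
    else {
        New-NetQosPolicy -Name $PolicyName `
            -AppPathNameMatchCondition 'svchost.exe' `
            -IPProtocolMatchCondition UDP `
            -IPSrcPortStartMatchCondition $ShortpathPort `
            -IPSrcPortEndMatchCondition $ShortpathPort `
            -ThrottleRateActionBitsPerSecond $BitsPerSecond `
            -NetworkProfile All | Out-Null
    }

    # Return the effective policy so the caller can verify what was applied.
    Get-NetQosPolicy -Name $PolicyName
}

# Usage: run as administrator on the session host.
Set-RdpShortpathThrottlePolicy | Format-List Name, NetworkProfile, AppPathNameMatchCondition,
    IPProtocolMatchCondition, IPSrcPortStartMatchCondition, IPSrcPortEndMatchCondition,
    ThrottleRateActionBitsPerSecond
```

Keep the match conditions as narrow as the original cmdlet has them (svchost.exe, UDP, source port 3390): widening them to all of svchost.exe would throttle unrelated Windows services on the host. When a QoS policy with the same name is also delivered by Group Policy, the Group Policy version takes precedence, so use one mechanism or the other.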

Next steps
To learn about bandwidth requirements for Azure Virtual Desktop, see
Understanding Remote Desktop Protocol (RDP) Bandwidth Requirements for Azure
Virtual Desktop.
To learn about Azure Virtual Desktop network connectivity, see Understanding
Azure Virtual Desktop network connectivity.
To get started with Quality of Service (QoS) for Azure Virtual Desktop, see
Implement Quality of Service (QoS) for Azure Virtual Desktop.
Azure Virtual Desktop on Azure Local
Article • 11/19/2024

Important

Azure Virtual Desktop on Azure Local for Azure Government and Azure
operated by 21Vianet (Azure in China) is currently in preview with HCI version
22H2. Portal provisioning isn't available.
See the Supplemental Terms of Use for Microsoft Azure Previews for legal
terms that apply to Azure features that are in beta, preview, or otherwise not
yet released into general availability.

Using Azure Virtual Desktop on Azure Local, you can deploy session hosts for Azure
Virtual Desktop where you need them. If you already have an existing on-premises
virtual desktop infrastructure (VDI) deployment, Azure Virtual Desktop on Azure Local
can improve your experience. If you're already using Azure Virtual Desktop with your
session hosts in Azure, you can extend your deployment to your on-premises
infrastructure to better meet your performance or data locality needs.

Azure Virtual Desktop service components, such as host pools, workspaces, and
application groups are all deployed in Azure, but you can choose to deploy session
hosts on Azure Local. As Azure Virtual Desktop on Azure Local isn't an Azure Arc-
enabled service, it's not supported as a standalone service outside of Azure, in a
multicloud environment, or on other Azure Arc-enabled servers.

Benefits
Using Azure Virtual Desktop on Azure Local, you can:

Improve performance for Azure Virtual Desktop users in areas with poor
connectivity to the Azure public cloud by giving them session hosts closer to their
location.

Meet data locality requirements by keeping app and user data on-premises. For
more information, see Data locations for Azure Virtual Desktop.

Improve access to legacy on-premises apps and data sources by keeping desktops
and apps in the same location.
Reduce cost and improve user experience with Windows 10 and Windows 11
Enterprise multi-session, which allows multiple concurrent interactive sessions.

Simplify your VDI deployment and management compared to traditional on-premises
VDI solutions by using the Azure portal.

Achieve the best performance by using RDP Shortpath for low-latency user access.

Deploy the latest fully patched images quickly and easily using Azure Marketplace
images.

Supported deployment configurations

Your Azure Local instances need to be running a minimum of version 23H2 and
registered with Azure.

Once your instance is ready, you can use the following 64-bit operating system images
for your session hosts that are in support:

Windows 11 Enterprise multi-session
Windows 11 Enterprise
Windows 10 Enterprise multi-session
Windows 10 Enterprise
Windows Server 2022
Windows Server 2019

To use session hosts on Azure Local with Azure Virtual Desktop, you also need to:

License and activate the virtual machines. For activating Windows 10 and Windows
11 Enterprise multi-session, and Windows Server 2022 Datacenter: Azure Edition,
use Azure verification for VMs. For all other OS images (such as Windows 10 and
Windows 11 Enterprise, and other editions of Windows Server), you should
continue to use existing activation methods. For more information, see Activate
Windows Server VMs on Azure Local.

Install the Azure Connected Machine agent on the virtual machines so they can
communicate with Azure Instance Metadata Service, which is a required endpoint
for Azure Virtual Desktop. The Azure Connected Machine agent is automatically
installed when you add session hosts using the Azure portal as part of the process
to Deploy Azure Virtual Desktop or Add session hosts to a host pool.

Finally, users can connect using the same Remote Desktop clients as Azure Virtual
Desktop.
Licensing and pricing
To run Azure Virtual Desktop on Azure Local, you need to make sure you're licensed
correctly and be aware of the pricing model. There are three components that affect
how much it costs to run Azure Virtual Desktop on Azure Local:

User access rights. The same licenses that grant access to Azure Virtual Desktop
on Azure also apply to Azure Virtual Desktop on Azure Local. Learn more at Azure
Virtual Desktop pricing .

Azure Local service fee. Learn more at Azure Local pricing .

Azure Virtual Desktop for Azure Local service fee. This fee requires you to pay for
each active virtual CPU (vCPU) for your Azure Virtual Desktop session hosts
running on Azure Local. Learn more at Azure Virtual Desktop pricing .

Data storage
There are different classifications of data for Azure Virtual Desktop, such as customer
input, customer data, diagnostic data, and service-generated data. With Azure Local, you
can choose to store user data on-premises when you deploy session host virtual
machines (VMs) and associated services such as file servers. However, some customer
data, diagnostic data, and service-generated data is still stored in Azure. For more
information on how Azure Virtual Desktop stores different kinds of data, see Data
locations for Azure Virtual Desktop.

Limitations
Azure Virtual Desktop on Azure Local has the following limitations:

Each host pool must only contain session hosts on Azure or on Azure Local. You
can't mix session hosts on Azure and on Azure Local in the same host pool.

Azure Local supports many types of hardware and on-premises networking
capabilities, so performance and user density might vary compared to session
hosts running on Azure. Azure Virtual Desktop's virtual machine sizing guidelines
are broad, so you should use them for initial performance estimates and monitor
after deployment.

You can only join session hosts on Azure Local to an Active Directory Domain
Services (AD DS) domain. This includes using Microsoft Entra hybrid join, where
you can benefit from some of the functionality provided by Microsoft Entra ID.
Next step
To learn how to deploy Azure Virtual Desktop on Azure Local, see Deploy Azure Virtual
Desktop.

Azure Virtual Desktop on Azure Extended Zones
Article • 11/11/2024

Azure Extended Zones are small-footprint extensions of Azure placed in metros, industry
centers, or a specific jurisdiction to serve low latency and/or data residency workloads.
Azure Extended Zones is supported for Azure Virtual Desktop and can run latency-
sensitive and throughput-intensive applications close to end users and within approved
data residency boundaries. Azure Extended Zones are part of the Microsoft global
network that provides secure, reliable, high-bandwidth connectivity between
applications that run at an Azure Extended Zone close to the user.

How Azure Extended Zones works

When you deploy Azure Virtual Desktop with an Azure Extended Zone, only the session
host virtual machines are deployed in the Azure Extended Zone. All of the Azure Virtual
Desktop metadata objects you create, such as host pools, workspaces, and
application groups remain in the main Azure region you select. The control plane
components, such as the web service, broker service, gateway service, diagnostics, and
extensibility components, are also only available in the main Azure regions. For more
information, see Azure Virtual Desktop service architecture and resilience.

Due to the proximity of the end user to the session host, you can benefit from reduced
latency using Azure Extended Zones. Azure Extended Zones uses RDP Shortpath, which
establishes a direct UDP-based transport between a supported Windows Remote
Desktop client and session host. The removal of extra relay points reduces round-trip
time, which improves connection reliability and user experience with latency-sensitive
applications and input methods.

Azure Private Link can also be used with Azure Extended Zones. Azure Private Link can
help with reducing latency and improving security. By creating a private endpoint, traffic
between your virtual network and the service remains on the Microsoft network, so you
no longer need to expose your service to the public internet.

Unlike Azure regions, Azure Extended Zones doesn't have any default outbound
connectivity. An existing Azure Load Balancer is needed on the virtual network that the
session hosts are being deployed to. You need to use one or more frontend IP addresses
of the load balancer for outbound connectivity to the internet in order for the session
hosts to join a host pool. For more information, see Azure's outbound connectivity
methods.
Gaining access to an Azure Extended Zone
To deploy Azure Virtual Desktop in Azure Extended Zone locations, you need to
explicitly register your subscription with the respective Azure Extended Zone using an
account that is a subscription owner. By default, this capability isn't enabled.
Registration of an Azure Extended Zone is always scoped to a specific subscription,
ensuring control and management over the resources deployed in these locations. Once
a subscription is registered with the Azure Extended Zone, you can deploy and manage
your desktops and applications within that specific Azure Extended Zone.

For more information, see Request access to an Azure Extended Zone.

Limitations
Azure Virtual Desktop on Azure Extended Zones has the following limitations:

With Azure Extended Zones, there's no default outbound internet access. The
default outbound route is being retired across all Azure regions in September
2025, so Azure Extended Zones begins without this default outbound internet
route. For more information, see Default outbound access for VMs in Azure will be
retired— transition to a new method of internet access.

Azure Extended Zones don't support NAT Gateways. You need to use an Azure
Load Balancer with outbound rules enabled for outbound connectivity.

There's a reduced set of supported virtual machine SKUs you can use as session
hosts. For more information, see Service offerings for Azure Extended Zones.

Next step
To learn how to deploy Azure Virtual Desktop in an Azure Extended Zone, see Deploy
Azure Virtual Desktop.

Security recommendations for Azure Virtual Desktop
Article • 06/03/2024

Azure Virtual Desktop is a managed virtual desktop service that includes many security
capabilities for keeping your organization safe. The architecture of Azure Virtual Desktop
comprises many components that make up the service connecting users to their
desktops and apps.

Azure Virtual Desktop has many built-in advanced security features, such as Reverse
Connect where no inbound network ports are required to be open, which reduces the
risk involved with having remote desktops accessible from anywhere. The service also
benefits from many other security features of Azure, such as multifactor authentication
and conditional access. This article describes steps you can take as an administrator to
keep your Azure Virtual Desktop deployments secure, whether you provide desktops
and apps to users in your organization or to external users.

Shared security responsibilities

Before Azure Virtual Desktop, on-premises virtualization solutions like Remote Desktop
Services required granting users access to roles like Gateway, Broker, Web Access, and so
on. These roles had to be fully redundant and able to handle peak capacity.
Administrators would install these roles as part of the Windows Server operating system,
and they had to be domain-joined with specific ports accessible to public connections.
To keep deployments secure, administrators had to constantly make sure everything in
the infrastructure was maintained and up-to-date.

In most cloud services, however, there's a shared set of security responsibilities between
Microsoft and the customer or partner. For Azure Virtual Desktop, most components are
Microsoft-managed, but session hosts and some supporting services and components
are customer-managed or partner-managed. To learn more about the Microsoft-
managed components of Azure Virtual Desktop, see Azure Virtual Desktop service
architecture and resilience.

While some components come already secured for your environment, you'll need to
configure other areas yourself to fit your organization's or customer's security needs.
Here are the components of which you're responsible for the security in your Azure
Virtual Desktop deployment:

Component Responsibility

Identity Customer or partner

User devices (mobile and PC) Customer or partner

App security Customer or partner

Session host operating system Customer or partner

Deployment configuration Customer or partner

Network controls Customer or partner

Virtualization control plane Microsoft

Physical hosts Microsoft

Physical network Microsoft

Physical datacenter Microsoft

Security boundaries
Security boundaries separate the code and data of security domains with different levels
of trust. For example, there's usually a security boundary between kernel mode and user
mode. Most Microsoft software and services depend on multiple security boundaries to
isolate devices on networks, virtual machines (VMs), and applications on devices. The
following table lists each security boundary for Windows and what they do for overall
security.


Security boundary Description

Network boundary An unauthorized network endpoint can't access or tamper with code and
data on a customer’s device.

Kernel boundary A non-administrative user mode process can't access or tamper with
kernel code and data. Administrator-to-kernel is not a security boundary.

Process boundary An unauthorized user mode process can't access or tamper with the
code and data of another process.

AppContainer An AppContainer-based sandbox process can't access or tamper with
sandbox boundary code and data outside of the sandbox based on the container
capabilities.

User boundary A user can't access or tamper with the code and data of another user
without being authorized.

Session boundary A user session can't access or tamper with another user session without
being authorized.

Web browser An unauthorized website can't violate the same-origin policy, nor can it
boundary access or tamper with the native code and data of the Microsoft Edge
web browser sandbox.

Virtual machine An unauthorized Hyper-V guest virtual machine can't access or tamper
boundary with the code and data of another guest virtual machine; this includes
Hyper-V isolated containers.

Virtual Secure Mode Code running outside of the VSM trusted process or enclave can't access
(VSM) boundary or tamper with data and code within the trusted process.

Recommended security boundaries for Azure Virtual Desktop scenarios

You'll also need to make certain choices about security boundaries on a case-by-case
basis. For example, if a user in your organization needs local administrator privileges to
install apps, you'll need to give them a personal desktop instead of a shared session
host. We don't recommend giving users local administrator privileges in multi-session
pooled scenarios because these users can cross security boundaries for sessions or NTFS
data permissions, shut down multi-session VMs, or do other things that could interrupt
service or cause data losses.

Users from the same organization, like knowledge workers with apps that don't require
administrator privileges, are great candidates for multi-session session hosts like
Windows 11 Enterprise multi-session. These session hosts reduce costs for your
organization because multiple users can share a single VM, with only the overhead costs
of a VM per user. With user profile management products like FSLogix, users can be
assigned any VM in a host pool without noticing any service interruptions. This feature
also lets you optimize costs by doing things like shutting down VMs during off-peak
hours.

If your situation requires users from different organizations to connect to your
deployment, we recommend you have a separate tenant for identity services like Active
Directory and Microsoft Entra ID. We also recommend you have a separate subscription
for those users for hosting Azure resources like Azure Virtual Desktop and VMs.

In many cases, using multi-session is an acceptable way to reduce costs, but whether we
recommend it depends on the trust level between users with simultaneous access to a
shared multi-session instance. Typically, users that belong to the same organization
have a sufficient and agreed-upon trust relationship. For example, a department or
workgroup where people collaborate and can access each other’s personal information
is an organization with a high trust level.

Windows uses security boundaries and controls to ensure user processes and data are
isolated between sessions. However, Windows still provides access to the instance the
user is working on.

Multi-session deployments would benefit from a defense in depth strategy that adds
more security boundaries to prevent users within and outside of the organization from
getting unauthorized access to other users' personal information. Unauthorized data
access can result from a configuration error by the system admin, from an undisclosed
security vulnerability, or from a known vulnerability that hasn't been patched yet.

We don't recommend granting users that work for different or competing companies
access to the same multi-session environment. These scenarios have several security
boundaries that can be attacked or abused, like network, kernel, process, user, or
sessions. A single security vulnerability could cause unauthorized data and credential
theft, personal information leaks, identity theft, and other issues. Virtualized
environment providers are responsible for offering well-designed systems with multiple
strong security boundaries and extra safety features enabled wherever possible.

Reducing these potential threats requires a fault-proof configuration, patch
management design process, and regular patch deployment schedules. It's better to
follow the principles of defense in depth and keep environments separate.

The following table summarizes our recommendations for each scenario.


Trust level scenario                              Recommended solution
Users from one organization with standard         Use a Windows Enterprise multi-session operating
privileges                                        system (OS).
Users require administrative privileges           Use a personal host pool and assign each user their
                                                  own session host.
Users from different organizations connecting     Separate Azure tenant and Azure subscription

Azure security best practices
Azure Virtual Desktop is a service under Azure. To maximize the safety of your Azure
Virtual Desktop deployment, you should make sure to secure the surrounding Azure
infrastructure and management plane as well. To secure your infrastructure, consider
how Azure Virtual Desktop fits into your larger Azure ecosystem. To learn more about
the Azure ecosystem, see Azure security best practices and patterns.

Today's threat landscape requires designs with security approaches in mind. Ideally,
you'll want to build a series of security mechanisms and controls layered throughout
your computer network to protect your data and network from being compromised or
attacked. This type of security design is what the United States Cybersecurity and
Infrastructure Security Agency (CISA) calls defense in depth.

The following sections contain recommendations for securing an Azure Virtual Desktop
deployment.

Enable Microsoft Defender for Cloud


We recommend enabling Microsoft Defender for Cloud's enhanced security features to:

Manage vulnerabilities.
Assess compliance with common frameworks like from the PCI Security Standards
Council.
Strengthen the overall security of your environment.

To learn more, see Enable enhanced security features.

Improve your Secure Score


Secure Score provides recommendations and best practice advice for improving your
overall security. These recommendations are prioritized to help you pick which ones are
most important, and the Quick Fix options help you address potential vulnerabilities
quickly. These recommendations also update over time, keeping you up to date on the
best ways to maintain your environment’s security. To learn more, see Improve your
Secure Score in Microsoft Defender for Cloud.

Require multifactor authentication


Requiring multifactor authentication for all users and admins in Azure Virtual Desktop
improves the security of your entire deployment. To learn more, see Enable Microsoft
Entra multifactor authentication for Azure Virtual Desktop.
Enable Conditional Access
Enabling Conditional Access lets you manage risks before you grant users access to your
Azure Virtual Desktop environment. When deciding which users to grant access to, we
recommend you also consider who the user is, how they sign in, and which device
they're using.

Collect audit logs

Enabling audit log collection lets you view user and admin activity related to Azure
Virtual Desktop. Some examples of key audit logs are:

Azure Activity Log
Microsoft Entra Activity Log
Microsoft Entra ID
Session hosts
Key Vault logs

Monitor usage with Azure Monitor

Monitor your Azure Virtual Desktop service's usage and availability with Azure
Monitor. Consider creating service health alerts for the Azure Virtual Desktop service
to receive notifications whenever there's a service impacting event.

Encrypt your session hosts


Encrypt your session hosts with managed disk encryption options to protect stored data
from unauthorized access.

Session host security best practices


Session hosts are virtual machines that run inside an Azure subscription and virtual
network. Your Azure Virtual Desktop deployment's overall security depends on the
security controls you put on your session hosts. This section describes best practices for
keeping your session hosts secure.

Enable endpoint protection


To protect your deployment from known malicious software, we recommend enabling
endpoint protection on all session hosts. You can use either Windows Defender Antivirus
or a third-party program. For more information, see Deployment guide for Windows
Defender Antivirus in a VDI environment.

For profile solutions like FSLogix or other solutions that mount virtual hard disk files, we
recommend excluding those file extensions. For more information, see

Install an endpoint detection and response product


We recommend you install an endpoint detection and response (EDR) product to
provide advanced detection and response capabilities. For server operating systems with
Microsoft Defender for Cloud enabled, installing an EDR product will deploy Microsoft
Defender for Endpoint. For client operating systems, you can deploy Microsoft Defender
for Endpoint or a third-party product to those endpoints.

Enable threat and vulnerability management assessments


Identifying software vulnerabilities that exist in operating systems and applications is
critical to keeping your environment secure. Microsoft Defender for Cloud can help you
identify problem spots through Microsoft Defender for Endpoint's threat and
vulnerability management solution. You can also use third-party products if you're so
inclined, although we recommend using Microsoft Defender for Cloud and Microsoft
Defender for Endpoint.

Patch software vulnerabilities in your environment


Once you identify a vulnerability, you must patch it. This applies to virtual environments
as well, which includes the running operating systems, the applications that are
deployed inside of them, and the images you create new machines from. Follow your
vendor patch notification communications and apply patches in a timely manner. We
recommend patching your base images monthly to ensure that newly deployed
machines are as secure as possible.

Establish maximum inactive time and disconnection policies

Signing users out when they're inactive preserves resources and prevents access by
unauthorized users. We recommend that timeouts balance user productivity as well as
resource usage. For users that interact with stateless applications, consider more
aggressive policies that turn off machines and preserve resources. Disconnecting long
running applications that continue to run if a user is idle, such as a simulation or CAD
rendering, can interrupt the user's work and may even require restarting the computer.

Set up screen locks for idle sessions


You can prevent unwanted system access by configuring Azure Virtual Desktop to lock a
machine's screen during idle time and requiring authentication to unlock it.
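The idle, disconnect and screen-lock limits from the two sections above map to a handful of policy registry values. The following script is an added example, not code from the Azure Virtual Desktop documentation; it writes the same values the corresponding Group Policy settings use and reads them back in human units. The timeout values are illustrative choices for a pooled desktop host pool, not recommendations from the page.

```powershell
# Added example (not from the Azure Virtual Desktop documentation). Run elevated
# on the session host, or deploy the same values through Group Policy / Intune.
# The limits below are assumptions for a pooled desktop pool; long-running CAD
# or simulation workloads need larger values.
$rdsPolicy   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$logonPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

foreach ($key in $rdsPolicy, $logonPolicy) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
}

# Remote Desktop Services session limits are stored in milliseconds.
$sessionLimits = @{
    MaxIdleTime          = 2 * 60 * 60 * 1000  # active-but-idle limit: 2 hours
    MaxDisconnectionTime = 30 * 60 * 1000      # disconnected-session limit: 30 minutes
    fResetBroken         = 1                   # when a limit is hit, end (sign out) the session rather than only disconnect it
}
foreach ($name in $sessionLimits.Keys) {
    Set-ItemProperty -Path $rdsPolicy -Name $name -Value $sessionLimits[$name] -Type DWord
}

# "Interactive logon: Machine inactivity limit": lock the screen after N seconds
# without input and require authentication to resume. The maximum Windows
# accepts is 599940 seconds.
$lockAfterSeconds = 15 * 60
Set-ItemProperty -Path $logonPolicy -Name 'InactivityTimeoutSecs' -Value $lockAfterSeconds -Type DWord

# Read the effective values back and present them in minutes.
function Get-SessionLimitSummary {
    $rds   = Get-ItemProperty -Path $rdsPolicy
    $logon = Get-ItemProperty -Path $logonPolicy
    [pscustomobject]@{
        IdleLimitMinutes           = $rds.MaxIdleTime / 60000
        DisconnectedLimitMinutes   = $rds.MaxDisconnectionTime / 60000
        EndSessionWhenLimitReached = [bool]$rds.fResetBroken
        ScreenLockMinutes          = $logon.InactivityTimeoutSecs / 60
    }
}
Get-SessionLimitSummary
```

With fResetBroken set, reaching the idle limit signs the user out rather than leaving a disconnected session behind; if you prefer a grace period, leave fResetBroken at 0 so the idle limit only disconnects and MaxDisconnectionTime decides when the session is finally ended.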

Establish tiered admin access


We recommend you don't grant your users admin access to virtual desktops. If you need
software packages, we recommend you make them available through configuration
management utilities like Microsoft Intune. In a multi-session environment, we
recommend you don't let users install software directly.

Consider which users should access which resources


Consider session hosts as an extension of your existing desktop deployment. We
recommend you control access to network resources the same way you would for other
desktops in your environment, such as using network segmentation and filtering. By
default, session hosts can connect to any resource on the internet. There are several
ways you can limit traffic, including using Azure Firewall, Network Virtual Appliances, or
proxies. If you need to limit traffic, make sure you add the proper rules so that Azure
Virtual Desktop can work properly.

Manage Microsoft 365 app security


In addition to securing your session hosts, it's important to also secure the applications
running inside of them. Microsoft 365 apps are some of the most common applications
deployed in session hosts. To improve the security of your Microsoft 365 deployment, we
recommend you use the Security Policy Advisor for Microsoft 365 Apps for enterprise.
This tool identifies policies that you can apply to your deployment for more security, and
recommends policies based on their impact on your security and productivity.

User profile security


User profiles can contain sensitive information. You should restrict who has access to
user profiles and the methods of accessing them, especially if you're using FSLogix
Profile Container to store user profiles in a virtual hard disk file on an SMB share. You
should follow the security recommendations for the provider of your SMB share. For
example, If you're using Azure Files to store these virtual hard disk files, you can use
private endpoints to make them only accessible within an Azure virtual network.

Other security tips for session hosts


By restricting operating system capabilities, you can strengthen the security of your
session hosts. Here are a few things you can do:

Control device redirection. Drives, printers, and USB devices on a user's local device
can be redirected into the remote desktop session. We recommend that you evaluate
your security requirements and check whether these features ought to be disabled.

Restrict Windows Explorer access by hiding local and remote drive mappings. This
prevents users from discovering unwanted information about system configuration
and users.

Avoid direct RDP access to session hosts in your environment. If you need direct
RDP access for administration or troubleshooting, enable just-in-time access to
limit the potential attack surface on a session host.

Grant users limited permissions when they access local and remote file systems.
You can restrict permissions by making sure your local and remote file systems use
access control lists with least privilege. This way, users can only access what they
need and can't change or delete critical resources.

Prevent unwanted software from running on session hosts. You can enable AppLocker
for additional security on session hosts, ensuring that only the apps you allow can
run on the host.
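Two of the items above are configured in different places: device redirection is a property of the host pool (set with the Az.DesktopVirtualization module), while hiding drive letters is a policy on the session host itself. The following is an added example, not code from the Azure Virtual Desktop documentation; the resource group and host pool names are placeholders, and the particular set of redirections disabled is one reasonable choice, not a prescribed baseline.

```powershell
# Added example (not from the Azure Virtual Desktop documentation).
# Part 1 runs where Az.DesktopVirtualization is installed and signed in;
# part 2 runs elevated on the session host.
$resourceGroup = 'rg-avd-prod'        # assumption
$hostPool      = 'hp-pooled-desktop'  # assumption

# --- Part 1: host pool RDP properties -----------------------------------------
# Custom RDP properties are one semicolon-separated string of name:type:value
# entries ("i" = integer, "s" = string). An empty string value for the
# *storedirect properties turns that redirection off entirely.
$rdpProperties = @(
    'drivestoredirect:s:'        # no local drives mapped into the session
    'usbdevicestoredirect:s:'    # no USB devices
    'camerastoredirect:s:'       # no cameras
    'redirectprinters:i:0'       # no local printers
    'redirectcomports:i:0'
    'redirectclipboard:i:0'      # no clipboard; set to 1 if users need copy/paste
    'audiocapturemode:i:0'       # no microphone
    'redirectsmartcards:i:1'     # keep smart cards so they stay usable for sign-in
) -join ';'

# Note: this replaces the host pool's entire custom property string, so include
# every property you want to keep, not only the ones you are tightening.
$pool = Update-AzWvdHostPool -ResourceGroupName $resourceGroup -Name $hostPool `
            -CustomRdpProperty $rdpProperties
$pool.CustomRdpProperty

# --- Part 2: hide drive letters in File Explorer on the session host ----------
# NoDrives and NoViewOnDrive are 26-bit masks, one bit per letter (bit 0 = A:,
# bit 2 = C:, ...). NoDrives hides them from the Explorer UI; NoViewOnDrive also
# refuses to open them by typed path. This hides information from users; it is
# not an access control, so combine it with NTFS ACLs on the paths themselves.
function Get-DriveMask {
    param([char[]]$Letters)
    $mask = 0
    foreach ($letter in $Letters) {
        $mask = $mask -bor (1 -shl ([int][char]::ToUpper($letter) - [int][char]'A'))
    }
    $mask
}

$explorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$hidden = Get-DriveMask -Letters 'C', 'D'      # hide the OS and data disks from the UI
if (-not (Test-Path $explorerPolicy)) { New-Item -Path $explorerPolicy -Force | Out-Null }
Set-ItemProperty -Path $explorerPolicy -Name 'NoDrives'      -Value $hidden -Type DWord
Set-ItemProperty -Path $explorerPolicy -Name 'NoViewOnDrive' -Value $hidden -Type DWord
```

Writing the Explorer values under HKLM applies them to every user of the multi-session host; the same values under HKCU would apply to a single profile only.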

Trusted launch
Trusted launch is a set of security features for Azure VMs that protects against persistent
attack techniques such as bottom-of-the-stack threats delivered through rootkits, boot
kits, and kernel-level malware. It allows secure deployment of VMs with verified boot
loaders, OS kernels, and drivers, and also protects keys, certificates, and secrets in the
VMs. Learn more about trusted launch at Trusted launch for Azure virtual machines.

When you add session hosts using the Azure portal, the default security type is Trusted
launch virtual machines. This ensures that your VM meets the mandatory requirements for
Windows 11. For more information about these requirements, see Virtual machine
support.
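Because the portal default only applies to hosts added through the portal, it is worth auditing an existing host pool for VMs that were created another way. The following is an added example, not code from the Azure Virtual Desktop documentation: it walks the session hosts of a host pool, resolves each one to its VM, and reports the security type, Secure Boot and vTPM settings. The resource group and host pool names are placeholders.

```powershell
# Added example (not from the Azure Virtual Desktop documentation). Requires the
# Az.DesktopVirtualization and Az.Compute modules and a signed-in Az session.
$resourceGroup = 'rg-avd-prod'        # assumption: resource group of the host pool
$hostPool      = 'hp-pooled-desktop'  # assumption

function Get-SessionHostSecurityPosture {
    param([string]$ResourceGroupName, [string]$HostPoolName)

    Get-AzWvdSessionHost -ResourceGroupName $ResourceGroupName -HostPoolName $HostPoolName |
        ForEach-Object {
            # ResourceId is the ARM ID of the session host's VM. The VM can live in a
            # different resource group than the host pool, so take both from the ID
            # (/subscriptions/<id>/resourceGroups/<rg>/providers/Microsoft.Compute/virtualMachines/<name>).
            $parts = $_.ResourceId -split '/'
            $vm    = Get-AzVM -ResourceGroupName $parts[4] -Name $parts[-1]
            $uefi  = $vm.SecurityProfile.UefiSettings

            [pscustomobject]@{
                SessionHost  = ($_.Name -split '/')[-1]
                Status       = $_.Status
                # SecurityType is 'TrustedLaunch' or 'ConfidentialVM'; it is empty for a standard VM.
                SecurityType = if ($vm.SecurityProfile.SecurityType) { $vm.SecurityProfile.SecurityType } else { 'Standard' }
                SecureBoot   = [bool]$uefi.SecureBootEnabled
                vTPM         = [bool]$uefi.VTpmEnabled
            }
        }
}

$posture = Get-SessionHostSecurityPosture -ResourceGroupName $resourceGroup -HostPoolName $hostPool
$posture | Format-Table -AutoSize

# Anything that is a standard VM, or has either UEFI feature off, lacks the
# boot-chain protection the rest of this section builds on.
$nonCompliant = @($posture | Where-Object { $_.SecurityType -eq 'Standard' -or -not $_.SecureBoot -or -not $_.vTPM })
if ($nonCompliant.Count -gt 0) {
    Write-Warning "Session hosts without full Trusted launch protection: $($nonCompliant.SessionHost -join ', ')"
}
```

Session hosts flagged here are candidates for redeployment from a Generation 2 image with the Trusted launch security type; Secure Boot and vTPM are the prerequisites for the vTPM, remote attestation and virtualization-based security features described later in this article.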

Azure confidential computing virtual machines


Azure Virtual Desktop support for Azure confidential computing virtual machines
ensures a user's virtual desktop is encrypted in memory, protected in use, and backed
by a hardware root of trust.

Deploying confidential virtual machines with Azure Virtual Desktop gives users access to
Microsoft 365 and other applications on session hosts that use hardware-based
isolation, which hardens isolation from other virtual machines, the hypervisor, and the
host OS. Memory encryption keys are generated and safeguarded by a dedicated secure
processor inside the CPU that can't be read from software. For more information,
including the VM sizes available, see the Azure confidential computing overview.

The following operating systems are supported for use as session hosts with confidential
virtual machines on Azure Virtual Desktop, for versions that are in active support. For
support dates, see Microsoft Lifecycle Policy.

Windows 11 Enterprise
Windows 11 Enterprise multi-session
Windows 10 Enterprise
Windows 10 Enterprise multi-session
Windows Server 2022
Windows Server 2019

You can create session hosts using confidential virtual machines when you deploy Azure
Virtual Desktop or add session hosts to a host pool.

Operating system disk encryption


Encrypting the operating system disk is an extra layer of encryption that binds the disk
encryption keys to the confidential computing VM's Trusted Platform Module (TPM), so
the disk content is accessible only to that VM. Integrity monitoring adds cryptographic
attestation and verification of the VM's boot integrity, and raises an alert if the VM
booted in a state that fails attestation against the defined baseline. For more
information about integrity monitoring, see Microsoft Defender for Cloud Integration.
You can enable confidential compute encryption when you create session hosts using
confidential VMs, either when you create a host pool or when you add session hosts to a
host pool.

Secure Boot
Secure Boot is a mode supported by the platform firmware that protects the boot chain
from malware-based rootkits and boot kits: only signed operating systems and drivers
are allowed to boot.

Monitor boot integrity using Remote Attestation
Remote attestation is a great way to check the health of your VMs. Remote attestation
verifies that Measured Boot records are present, genuine, and originate from the Virtual
Trusted Platform Module (vTPM). As a health check, it provides cryptographic certainty
that a platform started up correctly.

vTPM
A vTPM is a virtualized version of a hardware Trusted Platform Module (TPM), with a
virtual instance of a TPM per VM. vTPM enables remote attestation by performing
integrity measurement of the entire boot chain of the VM (UEFI, OS, system, and
drivers).

We recommend enabling vTPM so that you can use remote attestation on your VMs. With
vTPM enabled, you can also enable BitLocker functionality with Azure Disk Encryption,
which provides full-volume encryption to protect data at rest. Any feature that uses the
vTPM results in secrets bound to that specific VM. In a pooled host pool, users who
connect to the Azure Virtual Desktop service can be directed to any VM in the pool, so a
feature that depends on VM-bound secrets may behave differently from one session to
the next, depending on how that feature is designed.

Note

BitLocker shouldn't be used to encrypt the specific disk where you're storing your
FSLogix profile data.

Virtualization-based Security
Virtualization-based Security (VBS) uses the hypervisor to create and isolate a secure
region of memory that's inaccessible to the OS. Hypervisor-Protected Code Integrity
(HVCI) and Windows Defender Credential Guard both use VBS to provide increased
protection from vulnerabilities.
Hypervisor-Protected Code Integrity
HVCI is a powerful system mitigation that uses VBS to protect Windows kernel-mode
processes against injection and execution of malicious or unverified code.

Windows Defender Credential Guard


Enable Windows Defender Credential Guard. Windows Defender Credential Guard uses
VBS to isolate and protect secrets so that only privileged system software can access
them. This prevents unauthorized access to these secrets and credential theft attacks,
such as Pass-the-Hash attacks. For more information, see Credential Guard overview.
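The VBS, HVCI and Credential Guard settings discussed in this and the preceding sections are ultimately a few registry values, and their running state can be queried from the guest. The following is an added example, not code from the Azure Virtual Desktop documentation: it enables the three features on a session host through those values and provides a function that reports, after a restart, whether each is actually running alongside Secure Boot and the vTPM. It assumes a Trusted launch VM, since VBS requires Secure Boot and a TPM.

```powershell
# Added example (not from the Azure Virtual Desktop documentation). Run elevated
# on a Trusted launch session host (Secure Boot + vTPM). In production, deliver
# the same values with Group Policy or an Intune endpoint-security profile.
$deviceGuard = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
$hvci        = "$deviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity"
$lsa         = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

foreach ($key in $deviceGuard, $hvci) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
}

# Virtualization-based security. RequirePlatformSecurityFeatures: 1 = Secure Boot,
# 3 = Secure Boot plus DMA protection. Locked = 0 keeps the setting changeable
# without console access to UEFI, which matters on a cloud VM.
Set-ItemProperty -Path $deviceGuard -Name EnableVirtualizationBasedSecurity -Value 1 -Type DWord
Set-ItemProperty -Path $deviceGuard -Name RequirePlatformSecurityFeatures   -Value 1 -Type DWord
Set-ItemProperty -Path $deviceGuard -Name Locked                            -Value 0 -Type DWord

# Hypervisor-Protected Code Integrity (shown as "Memory integrity" in Windows Security).
Set-ItemProperty -Path $hvci -Name Enabled -Value 1 -Type DWord
Set-ItemProperty -Path $hvci -Name Locked  -Value 0 -Type DWord

# Credential Guard: LsaCfgFlags 1 = enabled with UEFI lock, 2 = enabled without lock.
Set-ItemProperty -Path $lsa -Name LsaCfgFlags -Value 2 -Type DWord

# Run after the restart. Win32_DeviceGuard reports the live state:
# VirtualizationBasedSecurityStatus 2 = VBS running; SecurityServicesRunning
# contains 1 for Credential Guard and 2 for HVCI.
function Get-VbsPosture {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        SecureBoot      = Confirm-SecureBootUEFI
        TpmPresent      = (Get-Tpm).TpmPresent
        VbsRunning      = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        CredentialGuard = (1 -in $dg.SecurityServicesRunning)
        HVCI            = (2 -in $dg.SecurityServicesRunning)
    }
}
Get-VbsPosture
```

A host that reports SecureBoot or TpmPresent as false will never show VbsRunning as true, whatever the registry says; fix the VM's security type first. Expect a short list of drivers that fail HVCI compatibility on older images, which is the usual reason HVCI stays off after the restart.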

Windows Defender Application Control


Enable Windows Defender Application Control. Windows Defender Application Control
is designed to protect devices against malware and other untrusted software. It prevents
malicious code from running by ensuring that only approved code, that you know, can
be run. For more information, see Application Control for Windows.

Note

When using Windows Defender Application Control, we recommend only targeting
policies at the device level. Although it's possible to target policies to individual
users, once the policy is applied, it affects all users on the device equally.
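A practical way to adopt Application Control on session hosts without locking users out is to generate a policy from a clean reference host, run it in audit mode, and review what it would have blocked before enforcing it. The following is an added example, not code from the Azure Virtual Desktop documentation; it uses the ConfigCI cmdlets that ship with Windows. The working directory is a placeholder, and the rule-option numbers are the documented ConfigCI option IDs.

```powershell
# Added example (not from the Azure Virtual Desktop documentation). Run elevated
# on a session host built from your golden image, with only approved software
# installed, so the scan does not capture anything you would not want allowed.
$workDir   = 'C:\WDAC'                                   # assumption
New-Item -ItemType Directory -Path $workDir -Force | Out-Null
$policyXml = Join-Path $workDir 'AVD-SessionHost.xml'

# Scan the disk and create Publisher rules for user-mode code (-UserPEs), falling
# back to Hash rules for unsigned binaries. -MultiplePolicyFormat gives the policy
# its own GUID so it can coexist with other base or supplemental policies.
New-CIPolicy -FilePath $policyXml -Level Publisher -Fallback Hash -UserPEs `
    -ScanPath 'C:\' -MultiplePolicyFormat

# Rule options: 3 = Enabled:Audit Mode (log, do not block),
# 6 = Enabled:Unsigned System Integrity Policy (required until you sign the policy),
# 16 = Enabled:Allow Supplemental Policies.
foreach ($option in 3, 6, 16) { Set-RuleOption -FilePath $policyXml -Option $option }

# The binary form must be named after the policy GUID found in the XML.
$policyId  = ([xml](Get-Content -Path $policyXml)).SiPolicy.PolicyID
$policyBin = Join-Path $workDir "$policyId.cip"
ConvertFrom-CIPolicy -XmlFilePath $policyXml -BinaryFilePath $policyBin

# Stage the policy where Windows loads it at boot. On builds that include
# CiTool (Windows 11 22H2 and later) it can also be activated immediately.
$activePath = Join-Path "$env:windir\System32\CodeIntegrity\CiPolicies\Active" "$policyId.cip"
Copy-Item -Path $policyBin -Destination $activePath -Force
if (Get-Command citool.exe -ErrorAction SilentlyContinue) {
    citool.exe --update-policy $activePath | Out-Null
}

# After users have worked normally for a while, event 3076 records every binary
# that enforcement would have blocked. Summarise by file to see what rules are missing.
function Get-WdacAuditFindings {
    param([int]$Top = 20)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076 } `
                 -ErrorAction SilentlyContinue |
        ForEach-Object { if ($_.Message -match 'attempted to load (.+?) that') { $Matches[1] } } |
        Group-Object | Sort-Object Count -Descending |
        Select-Object Count, Name -First $Top
}
Get-WdacAuditFindings
```

Once the audit log is quiet for the software you intend to allow, remove option 3 with Set-RuleOption -Delete, rebuild the binary, and redeploy; event 3077 then records the actual blocks. Because the policy is a per-device setting, every user of a multi-session host is subject to it, which is the point the note above makes.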

Windows Update
Keep your session hosts up to date with updates from Windows Update. Windows
Update provides a secure way to keep your devices up-to-date. Its end-to-end
protection prevents manipulation of protocol exchanges and ensures updates only
include approved content. You may need to update firewall and proxy rules for some of
your protected environments in order to get proper access to Windows Updates. For
more information, see Windows Update security.

Remote Desktop client and updates on other OS platforms
Software updates for the Remote Desktop clients you can use to access Azure Virtual
Desktop services on other OS platforms are secured according to the security policies of
their respective platforms. All client updates are delivered directly by their platforms. For
more information, see the respective store pages for each app:

macOS
iOS
Android

Next steps
Learn how to Set up multifactor authentication.
Apply Zero Trust principles for an Azure Virtual Desktop deployment.



Data locations for Azure Virtual Desktop
Article • 10/22/2024

Azure Virtual Desktop is available in many Azure regions, which are grouped by
geography. When Azure Virtual Desktop resources are deployed, you have to specify the
Azure region they'll be created in. The location of the resource determines where its
information will be stored and the geography where related information will be stored.
Azure Virtual Desktop itself is a non-regional service where there's no dependency on a
specific Azure region. Learn more about Data residency in Azure and Azure
geographies .

Azure Virtual Desktop stores various information for service objects, such as host pool
names, application group names, workspace names, and user principal names. Data is
categorized into different types, such as customer input, customer data, diagnostic data,
and service-generated data. For more information about data category definitions, see
How Microsoft categorizes data for online services .

Note

Microsoft doesn't control or limit the regions where you or your users can access
your user and app-specific data.

Customer input data


To set up Azure Virtual Desktop, you must create host pools and other service objects.
During configuration, you must enter information such as the host pool name,
application group name, and so on. This information is considered customer input data.
Customer input data is stored in the geography associated with the Azure region the
resource is created in. Stored data includes all data that you input into the host pool
deployment process and any data you add after deployment while making configuration
changes to Azure Virtual Desktop objects, and is the same data you can access using the
Azure Virtual Desktop portal, PowerShell, or Azure command-line interface (CLI). For
example, you can review the available PowerShell commands to get an idea of what
customer input data the Azure Virtual Desktop service stores.

Azure Resource Manager paths to service objects are considered organizational
information, so data residency doesn't apply to them. Data about Azure Resource
Manager paths is stored outside of the chosen geography.

Customer data
The Azure Virtual Desktop service doesn't directly store any user data or application-
related data, such as user-created Word documents, databases or configuration files.
However, it does store customer data, such as application names, virtual machine names
and user principal names, because they're part of the resource deployment process, as
described in Customer input data. This information is stored in the geography
associated with the Azure region in which you created the resource. For more
information, see Data locations.

Diagnostic data
Diagnostic data is generated by the Azure Virtual Desktop service and is gathered
whenever administrators or users interact with the service. This data is only used for
troubleshooting, support, and checking the health of the service in aggregate form. For
example, when a session host VM is registered to a host pool, information is generated
that includes the virtual machine (VM) name, which host pool the VM belongs to, and so
on. This information is stored in the geography associated with the Azure region the
host pool is created in. Also, when a user connects to the service and launches a session,
diagnostic information is generated that includes the user principal name, client
location, client IP address, which host pool the user is connecting to, and so on. This
information is sent to two different locations:

The location closest to the user where the service infrastructure (client traces, user
traces, and diagnostic data) is present.
The location where the host pool is located.

Service-generated data
To keep Azure Virtual Desktop reliable and scalable, traffic patterns and usage are
aggregated to check the health and performance of the infrastructure control plane. For
example, to help us understand how to ramp up regional infrastructure capacity as
service usage increases, we process service usage log data. We then review the logs for
peak times and decide where to increase capacity.

Data locations
Storing customer data and service-generated data is currently supported in the
following geographies:
United States (US)
Europe (EU)
United Kingdom (UK)
Canada (CA)
Japan (JP)
Australia (AU)
India (IN)

In addition, service-generated data is aggregated from all locations where the service
infrastructure is, and sent to the US geography. The data sent to the US includes
scrubbed data. Customer data isn't aggregated.

Data storage
Stored information is encrypted at rest, and geo-redundant mirrors are maintained
within the geography. Data generated by the Azure Virtual Desktop service is replicated
within the Azure geography for disaster recovery purposes.

User-created or app-related information, such as app settings and user data, resides in
the Azure region you choose and isn't managed by the Azure Virtual Desktop service.



Prerequisites for Azure Virtual Desktop
Article • 09/17/2024

There are a few things you need to start using Azure Virtual Desktop. Here you can find
what prerequisites you need to complete to successfully provide your users with
desktops and applications.

At a high level, you need:

An Azure account with an active subscription
A supported identity provider
A supported operating system for session host virtual machines
Appropriate licenses
Network connectivity
A Remote Desktop client

Azure account with an active subscription


You need an Azure account with an active subscription to deploy Azure Virtual Desktop.
If you don't have one already, you can create an account for free .

To deploy Azure Virtual Desktop, you need to assign the relevant Azure role-based
access control (RBAC) roles. The specific role requirements are covered in each of the
related articles for deploying Azure Virtual Desktop, which are listed in the Next steps
section.

Also make sure you've registered the Microsoft.DesktopVirtualization resource provider
for your subscription. To check the status of the resource provider and register it if
needed, select the relevant tab for your scenario and follow the steps.

Important

You must have permission to register a resource provider, which requires the
*/register/action operation. This is included if your account is assigned the
Contributor or Owner role on your subscription.

Azure portal

1. Sign in to the Azure portal .


2. Select Subscriptions.

3. Select the name of your subscription.

4. Select Resource providers.

5. Search for Microsoft.DesktopVirtualization.

6. If the status is NotRegistered, select Microsoft.DesktopVirtualization, and then
select Register.

7. Verify that the status of Microsoft.DesktopVirtualization is Registered.
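The same check and registration can be scripted, which is useful when you deploy into many subscriptions. The following is an added example, not code from the Azure Virtual Desktop documentation; it uses the Az.Resources module and polls until the asynchronous registration finishes.

```powershell
# Added example (not from the Azure Virtual Desktop documentation). Requires a
# signed-in Az session whose account holds */register/action on the subscription
# (Contributor or Owner), as the Important note above explains.
$namespace = 'Microsoft.DesktopVirtualization'

function Get-ProviderRegistrationState {
    param([string]$ProviderNamespace)
    # Get-AzResourceProvider returns one object per resource type; they all
    # carry the provider's registration state, so the first is enough.
    (Get-AzResourceProvider -ProviderNamespace $ProviderNamespace | Select-Object -First 1).RegistrationState
}

$state = Get-ProviderRegistrationState -ProviderNamespace $namespace
if ($state -ne 'Registered') {
    Write-Host "$namespace is $state; registering..."
    Register-AzResourceProvider -ProviderNamespace $namespace | Out-Null

    # Registration is asynchronous: the state moves NotRegistered -> Registering -> Registered.
    do {
        Start-Sleep -Seconds 10
        $state = Get-ProviderRegistrationState -ProviderNamespace $namespace
        Write-Host "$namespace : $state"
    } while ($state -eq 'Registering')
}

if ($state -ne 'Registered') {
    throw "Resource provider $namespace ended in state '$state'; check your role assignment on the subscription."
}
"$namespace is registered."
```

Registration is per subscription, so run this (or the portal steps) in every subscription that will host Azure Virtual Desktop objects.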

Identity
To access desktops and applications from your session hosts, your users need to be able
to authenticate. Microsoft Entra ID is Microsoft's centralized cloud identity service that
enables this capability. Microsoft Entra ID is always used to authenticate users for Azure
Virtual Desktop. Session hosts can be joined to the same Microsoft Entra tenant, or to
an Active Directory domain using Active Directory Domain Services (AD DS) or Microsoft
Entra Domain Services, providing you with a choice of flexible configuration options.

Session hosts
You need to join session hosts that provide desktops and applications to the same
Microsoft Entra tenant as your users, or an Active Directory domain (either AD DS or
Microsoft Entra Domain Services).

Note

For Azure Stack HCI, you can only join session hosts to an Active Directory Domain
Services (AD DS) domain. This includes using Microsoft Entra hybrid join, where you can
benefit from some of the functionality provided by Microsoft Entra ID.

To join session hosts to Microsoft Entra ID or an Active Directory domain, you need the
following permissions:

For Microsoft Entra ID, you need an account that can join computers to your
tenant. For more information, see Manage device identities. To learn more about
joining session hosts to Microsoft Entra ID, see Microsoft Entra joined session
hosts.

For an Active Directory domain, you need a domain account that can join
computers to your domain. For Microsoft Entra Domain Services, you would need
to be a member of the AAD DC Administrators group.

Users
Your users need accounts that are in Microsoft Entra ID. If you're also using AD DS or
Microsoft Entra Domain Services in your deployment of Azure Virtual Desktop, these
accounts need to be hybrid identities, which means the user accounts are synchronized.
You need to keep the following things in mind based on which identity provider you
use:

If you're using Microsoft Entra ID with AD DS, you need to configure Microsoft
Entra Connect to synchronize user identity data between AD DS and Microsoft
Entra ID.
If you're using Microsoft Entra ID with Microsoft Entra Domain Services, user
accounts are synchronized one way from Microsoft Entra ID to Microsoft Entra
Domain Services. This synchronization process is automatic.

Important

The user account must exist in the Microsoft Entra tenant you use for Azure Virtual
Desktop. Azure Virtual Desktop doesn't support B2B, B2C, or personal Microsoft
accounts.

When using hybrid identities, either the UserPrincipalName (UPN) or the Security
Identifier (SID) must match across Active Directory Domain Services and Microsoft
Entra ID. For more information, see Supported identities and authentication
methods.

Supported identity scenarios


The following table summarizes identity scenarios that Azure Virtual Desktop currently
supports:

Identity scenario | Session hosts | User accounts
Microsoft Entra ID + AD DS | Joined to AD DS | In Microsoft Entra ID and AD DS, synchronized
Microsoft Entra ID + AD DS | Joined to Microsoft Entra ID | In Microsoft Entra ID and AD DS, synchronized
Microsoft Entra ID + Microsoft Entra Domain Services | Joined to Microsoft Entra Domain Services | In Microsoft Entra ID and Microsoft Entra Domain Services, synchronized
Microsoft Entra ID + Microsoft Entra Domain Services + AD DS | Joined to Microsoft Entra Domain Services | In Microsoft Entra ID and AD DS, synchronized
Microsoft Entra ID + Microsoft Entra Domain Services | Joined to Microsoft Entra ID | In Microsoft Entra ID and Microsoft Entra Domain Services, synchronized
Microsoft Entra-only | Joined to Microsoft Entra ID | In Microsoft Entra ID

For more detailed information about supported identity scenarios, including single sign-
on and multifactor authentication, see Supported identities and authentication methods.

FSLogix Profile Container


To use FSLogix Profile Container when joining your session hosts to Microsoft Entra ID,
you need to store profiles on Azure Files or Azure NetApp Files and your user accounts
must be hybrid identities. You must create these accounts in AD DS and synchronize
them to Microsoft Entra ID. To learn more about deploying FSLogix Profile Container
with different identity scenarios, see the following articles:

Set up FSLogix Profile Container with Azure Files and Active Directory Domain
Services or Microsoft Entra Domain Services.
Set up FSLogix Profile Container with Azure Files and Microsoft Entra ID.
Set up FSLogix Profile Container with Azure NetApp Files

Deployment parameters
You need to enter the following identity parameters when deploying session hosts:

Domain name, if using AD DS or Microsoft Entra Domain Services.
Credentials to join session hosts to the domain.
Organizational Unit (OU), which is an optional parameter that lets you place
session hosts in the desired OU at deployment time.

Important

The account you use for joining a domain can't have multi-factor authentication
(MFA) enabled.

Operating systems and licenses


You have a choice of operating systems (OS) that you can use for session hosts to
provide desktops and applications. You can use different operating systems with
different host pools to provide flexibility to your users. We support the 64-bit operating
systems and SKUs listed in the following table (supported versions and dates are in line
with the Microsoft Lifecycle Policy), along with the licensing methods applicable for each
commercial purpose:

Operating system (64-bit only) | Licensing method (internal commercial purposes) | Licensing method (external commercial purposes)
Windows 11 Enterprise multi-session; Windows 11 Enterprise; Windows 10 Enterprise multi-session; Windows 10 Enterprise | Microsoft 365 E3, E5, A3, A5, F3, Business Premium, Student Use Benefit; Windows Enterprise E3, E5; Windows Education A3, A5; Windows VDA per user | Per-user access pricing by enrolling an Azure subscription.
Windows Server 2022; Windows Server 2019; Windows Server 2016 | Remote Desktop Services (RDS) Client Access License (CAL) with Software Assurance (per-user or per-device); RDS User Subscription Licenses | Windows Server 2022 RDS Subscriber Access License (SAL). Per-user access pricing isn't available for Windows Server operating systems.

To learn more about licenses you can use, including per-user access pricing, see
Licensing Azure Virtual Desktop.

Important

The following items aren't supported:

32-bit operating systems.
N, KN, LTSC, and other editions of Windows operating systems not listed in
the previous table.
Ultra disks for the OS disk type.
Ephemeral OS disks for Azure VMs.
Virtual Machine Scale Sets.

Support for Windows 7 ended on January 10, 2023.

Support for Windows Server 2012 R2 ended on October 10, 2023.

For Azure, you can use operating system images provided by Microsoft in the Azure
Marketplace , or create your own custom images stored in an Azure Compute Gallery
or as a managed image. Using custom image templates for Azure Virtual Desktop
enables you to easily create a custom image that you can use when deploying session
host virtual machines (VMs). To learn more about how to create custom images, see:

Custom image templates in Azure Virtual Desktop.
Store and share images in an Azure Compute Gallery.
Create a managed image of a generalized VM in Azure.

Alternatively, for Azure Stack HCI you can use operating system images from:

Azure Marketplace. For more information, see Create Azure Stack HCI VM image
using Azure Marketplace images.
Azure Storage account. For more information, see Create Azure Stack HCI VM
image using image in Azure Storage account.
A local share. For more information, see Create Azure Stack HCI VM image using
images in a local share.

You can deploy virtual machines (VMs) to be used as session hosts from these images
with any of the following methods:

Automatically, as part of the host pool setup process in the Azure portal.
Manually by adding session hosts to an existing host pool in the Azure portal.
Programmatically, with Azure CLI or Azure PowerShell.

If your license entitles you to use Azure Virtual Desktop, you don't need to install or
apply a separate license, however if you're using per-user access pricing for external
users, you need to enroll an Azure Subscription. You need to make sure the Windows
license used on your session hosts is correctly assigned in Azure and the operating
system is activated. For more information, see Apply Windows license to session host
virtual machines.

For session hosts on Azure Stack HCI, you must license and activate the virtual machines
you use before you use them with Azure Virtual Desktop. For activating Windows 10 and
Windows 11 Enterprise multi-session, and Windows Server 2022 Datacenter: Azure
Edition, use Azure verification for VMs. For all other OS images (such as Windows 10 and
Windows 11 Enterprise, and other editions of Windows Server), you should continue to
use existing activation methods. For more information, see Activate Windows Server
VMs on Azure Stack HCI.

Note

To ensure continued functionality with the latest security update, update your VMs
on Azure Stack HCI to the latest cumulative update by June 17, 2024. This update is
essential for VMs to continue using Azure benefits. For more information, see
Azure verification for VMs.

Tip

To simplify user access rights during initial development and testing, Azure Virtual
Desktop supports Azure Dev/Test pricing . If you deploy Azure Virtual Desktop in
an Azure Dev/Test subscription, end users may connect to that deployment without
separate license entitlement in order to perform acceptance tests or provide
feedback.

Network
There are several network requirements you need to meet to successfully deploy Azure
Virtual Desktop. This lets users connect to their desktops and applications while also
giving them the best possible user experience.

Users connecting to Azure Virtual Desktop securely establish a reverse connection to the
service, which means you don't need to open any inbound ports. Transmission Control
Protocol (TCP) on port 443 is used by default; alternatively, RDP Shortpath can be used
for managed networks and for public networks, and establishes a direct User Datagram
Protocol (UDP)-based transport between the client and the session host.

To successfully deploy Azure Virtual Desktop, you need to meet the following network
requirements:
You need a virtual network and subnet for your session hosts. If you create your
session hosts at the same time as a host pool, you must create this virtual network
in advance for it to appear in the drop-down list. Your virtual network must be in
the same Azure region as the session host.

Make sure this virtual network can connect to your domain controllers and relevant
DNS servers if you're using AD DS or Microsoft Entra Domain Services, since you
need to join session hosts to the domain.

Your session hosts and users need to be able to connect to the Azure Virtual
Desktop service. These connections also use TCP on port 443 to a specific list of
URLs. For more information, see Required URL list. You must make sure these URLs
aren't blocked by network filtering or a firewall in order for your deployment to
work properly and be supported. If your users need to access Microsoft 365, make
sure your session hosts can connect to Microsoft 365 endpoints.

Also consider the following:

Your users might need access to applications and data that is hosted on different
networks, so make sure your session hosts can connect to them.

Round-trip time (RTT) latency from the client's network to the Azure region that
contains the host pools should be less than 150 ms. To see which locations have
the best latency, look up your desired location in Azure network round-trip latency
statistics. To optimize for network performance, we recommend you create session
hosts in the Azure region closest to your users.

Use Azure Firewall for Azure Virtual Desktop deployments to help you lock down
your environment and filter outbound traffic.

To help secure your Azure Virtual Desktop environment in Azure, we recommend
you don't open inbound port 3389 on your session hosts. Azure Virtual Desktop
doesn't require any inbound port to be open. If you must open port 3389 for
troubleshooting purposes, we recommend you use just-in-time VM access. We
also recommend you don't assign a public IP address to your session hosts.

To learn more, see Understanding Azure Virtual Desktop network connectivity.
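The outbound and inbound rules described above translate into an Azure Firewall rule collection and a network security group rule. The following is an added example, not code from the Azure Virtual Desktop documentation: it allows session-host traffic to the service by way of the WindowsVirtualDesktop FQDN tag that Azure Firewall maintains for the required URLs, adds the Windows activation (KMS) network rule that HTTP-based application rules can't cover, and denies inbound RDP from the internet. The firewall, NSG, resource group and subnet range are placeholders.

```powershell
# Added example (not from the Azure Virtual Desktop documentation). Requires the
# Az.Network module and a signed-in Az session. All names and ranges are assumptions.
$resourceGroup  = 'rg-avd-network'   # assumption
$firewallName   = 'fw-hub'           # assumption
$nsgName        = 'nsg-avd-hosts'    # assumption
$sessionHostNet = '10.10.1.0/24'     # assumption: the session host subnet

# --- Azure Firewall: outbound allow list for session hosts ---------------------
$fw = Get-AzFirewall -ResourceGroupName $resourceGroup -Name $firewallName

# FQDN tags expand to endpoint lists Microsoft keeps current, so the rule does not
# break when service URLs change. Microsoft 365 and line-of-business endpoints
# still need their own rules.
$avdRule = New-AzFirewallApplicationRule -Name 'AVD-Service' `
    -SourceAddress $sessionHostNet -FqdnTag WindowsVirtualDesktop
$wuRule  = New-AzFirewallApplicationRule -Name 'Windows-Update' `
    -SourceAddress $sessionHostNet -FqdnTag WindowsUpdate
$appCollection = New-AzFirewallApplicationRuleCollection -Name 'AVD-Outbound' `
    -Priority 200 -Rule $avdRule, $wuRule -ActionType Allow

# KMS activation is plain TCP on 1688, not HTTP(S), so it needs a network rule.
# Using an FQDN as the destination requires the firewall's DNS proxy to be enabled.
$kmsRule = New-AzFirewallNetworkRule -Name 'KMS' -Protocol TCP `
    -SourceAddress $sessionHostNet -DestinationFqdn 'azkms.core.windows.net' -DestinationPort 1688
$netCollection = New-AzFirewallNetworkRuleCollection -Name 'AVD-Activation' `
    -Priority 200 -Rule $kmsRule -ActionType Allow

$fw.ApplicationRuleCollections.Add($appCollection)
$fw.NetworkRuleCollections.Add($netCollection)
Set-AzFirewall -AzureFirewall $fw | Out-Null

# --- NSG: no inbound RDP from the internet --------------------------------------
# Reverse connect means nothing outside needs to reach 3389. Administrative access,
# if required, should use just-in-time VM access or a known management range.
$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $resourceGroup -Name $nsgName
$nsg | Add-AzNetworkSecurityRuleConfig -Name 'Deny-RDP-From-Internet' -Priority 100 `
    -Direction Inbound -Access Deny -Protocol Tcp `
    -SourceAddressPrefix Internet -SourcePortRange * `
    -DestinationAddressPrefix * -DestinationPortRange 3389 | Out-Null
$nsg | Set-AzNetworkSecurityGroup | Out-Null
```

Route the session host subnet's default route through the firewall for the application rules to take effect, and keep the Required URL list handy when something outside the tag (a custom profile share, a monitoring endpoint) stops working after you tighten egress.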

Note

To keep Azure Virtual Desktop reliable and scalable, we aggregate traffic patterns
and usage to check the health and performance of the infrastructure control plane.
We aggregate this information from all locations where the service infrastructure is,
then send it to the US region. The data sent to the US region includes scrubbed
data, but not customer data. For more information, see Data locations for Azure
Virtual Desktop.

Session host management


Consider the following points when managing session hosts:

Don't enable any policies or configurations that disable Windows Installer. If you
disable Windows Installer, the service can't install agent updates on your session
hosts, and your session hosts won't function properly.

If you're joining session hosts to an AD DS domain and you want to manage them
using Intune, you need to configure Microsoft Entra Connect to enable Microsoft
Entra hybrid join.

If you're joining session hosts to a Microsoft Entra Domain Services domain, you
can't manage them using Intune.

If you're using Microsoft Entra join with Windows Server for your session hosts,
you can't enroll them in Intune as Windows Server isn't supported with Intune. You
need to use Microsoft Entra hybrid join and Group Policy from an Active Directory
domain, or local Group Policy on each session host.

Azure regions
You can deploy host pools, workspaces, and application groups in the following Azure
regions. This list of regions is where the metadata for the host pool can be stored.
However, session hosts for the user sessions can be located in any Azure region, and on-
premises when using Azure Virtual Desktop on Azure Stack HCI, enabling you to deploy
compute resources close to your users. For more information about the types of data
and locations, see Data locations for Azure Virtual Desktop.

Australia East
Canada Central
Canada East
Central India
Central US
East US
East US 2
Japan East
North Central US
North Europe
South Central US
UK South
UK West
West Central US
West Europe
West US
West US 2
West US 3

Azure Virtual Desktop is also available in sovereign clouds, such as Azure for US
Government and Azure operated by 21Vianet in China.

To learn more about the architecture and resilience of the Azure Virtual Desktop service,
see Azure Virtual Desktop service architecture and resilience.

Remote Desktop clients

Your users need a Remote Desktop client to connect to desktops and applications. The
following clients support Azure Virtual Desktop:

Windows Desktop client
Azure Virtual Desktop Store app for Windows
Web client
macOS client
iOS and iPadOS client
Android and Chrome OS client
Remote Desktop app for Windows

Important

Azure Virtual Desktop doesn't support connections from the RemoteApp and
Desktop Connections (RADC) client or the Remote Desktop Connection (MSTSC)
client.

To learn which URLs clients use to connect and that you must allow through firewalls
and internet filters, see the Required URL list.

Next steps
For a simple way to get started with Azure Virtual Desktop by creating a sample
infrastructure, see Tutorial: Deploy a sample Azure Virtual Desktop infrastructure
with a Windows 11 desktop.

For a more in-depth and adaptable approach to deploying Azure Virtual Desktop,
see Deploy Azure Virtual Desktop.


Host pool management approaches for
Azure Virtual Desktop
Article • 11/19/2024

Important

Host pools with a session host configuration for Azure Virtual Desktop are currently
in PREVIEW. See the Supplemental Terms of Use for Microsoft Azure Previews
for legal terms that apply to Azure features that are in beta, preview, or otherwise
not yet released into general availability.

Host pools are logical groupings of session host virtual machines that have the same
configuration and serve the same workload. You can choose one of two host pool
management approaches, standard and using a session host configuration (preview). In
this article, you learn about each management approach and the differences between
them to help you decide which one to use.

Caution

Currently the host pool management approach is set when you create a host pool
and can't be changed later. The management approach is stored in the host pool's
properties. Later in the preview for using a session host configuration, we plan to
enable any host pool to use a session host configuration.

Session host configuration management approach

Creating, updating, and scaling session hosts in a host pool can require much effort if
you don't have existing tools and processes in place. The session host configuration
management approach uses a combination of the following native features to provide
an integrated and dynamic experience:

A session host configuration specifies what the configuration of session hosts
should be.

A session host management policy specifies how session hosts should be created
and updated.

Session host update updates session hosts when there's an update made to the
session host configuration. Session host update ensures that all session hosts in
the pool have the same configuration.

Autoscale dynamically scales the number of session hosts up and down based on
the actual usage and the schedules defined in the scaling plan.

Important

The session host configuration management approach can be used with
pooled host pools only. When using a host pool with a session host
configuration, you can't create, update or scale session hosts outside of the
Azure Virtual Desktop service using tools designed for host pools with
standard management.

You can only join session hosts to an Active Directory domain. Joining session
hosts to Microsoft Entra ID isn't supported, but you can use Microsoft Entra
hybrid join.

Session host configuration

A session host configuration is a sub-resource of the session host configuration
management approach that specifies the configuration of session hosts in the host pool.
The session host configuration persists throughout the lifecycle of the host pool and is
aligned with the session hosts in the host pool. The session host configuration includes
the following properties:

VM image
VM name prefix
VM resource group
VM size
OS disk information
Domain join information
VM network configuration
VM location
VM availability zones
VM security type
VM admin credentials
VM boot diagnostics information
Custom configuration PowerShell script
VM Tags

Any newly created session hosts are created from the session host configuration for the
host pool. To update the session hosts in your host pool, first you must update the
session host configuration. After updating the session host configuration, you schedule
when you would like that update to be applied to the session hosts in the host pool
using the session host update feature. If there are no session hosts in the host pool, any
property of the session host configuration can be changed without needing to schedule
a session host update.

For a comparison of host pool with a session host configuration and a host pool with
standard management, see Compare host pool management approaches.

Session host management policy

A session host management policy is a sub-resource of a host pool that specifies how
session hosts in the host pool should be updated. The session host management policy
persists throughout the lifetime of the host pool and is used by session host update
when updating the session hosts in the host pool. Each host pool with a session host
configuration only has a single session host management policy, and you can't delete a
session host management policy independently of the host pool.

When you use the Azure portal, a default session host management policy is created
when you create a host pool with a session host configuration. You can override its
values when updating session hosts, or you can also update the session host
management policy at any time using PowerShell.

The session host management policy includes the following parameters:

Parameter / Description / Azure portal default value

Time zone: The time zone to use when scheduling an update of the session hosts in a
host pool. Default: UTC

Save original VM: Determines whether to save the original virtual machine (VM)
before the update. This parameter is useful in rollback scenarios, but normal costs
apply for storing the original VM's components. Default: The original VM is saved.

Max VMs removed during update: The maximum number of session hosts to update
concurrently, also known as the batch size. Default: 1

Logoff delay in minutes: The amount of time to wait after an update start time for
users to be notified to sign out, between 0 and 60 minutes. Users will automatically
be signed out after this time elapses. Default: 2

Logoff message: A message to display to users that the session host they're
connected to will be updated. Default: You will be signed out

Standard management approach

With the standard host pool management approach, you manage creating, updating,
and scaling session hosts in a host pool. If you want to use existing tools and processes,
such as automated pipelines or custom scripts, you need to use the standard host pool
management type. Existing tooling designed for standard management won't work with
a session host configuration. For a comparison of a host pool with a session host
configuration and a host pool with standard management, see Compare host pool
management approaches.

Compare host pool management approaches

The following table compares the management approach of host pools with a session
host configuration and host pools with standard management in different scenarios or
when using different features of Azure Virtual Desktop:

Scenario or feature / Session host configuration / Standard management

Create session hosts
  Session host configuration: Add session hosts using the Azure portal based on the
  session host configuration. You can't retrieve a registration token to add session
  hosts created outside of Azure Virtual Desktop to a host pool.
  Standard management: Add session hosts using your preferred method, then use a
  registration token to add them to a host pool. If you use the Azure portal, you
  need to input the configuration each time.

Configure session hosts
  Session host configuration: The session host configuration ensures the
  configuration of session hosts is consistent.
  Standard management: You have to ensure the configuration of session hosts in the
  host pool is consistent. Session host configuration isn't available.

Scale session hosts
  Session host configuration: Use autoscale to turn session hosts on and off or
  create and delete session hosts based on a schedule and usage.
  Standard management: Use autoscale to turn session hosts on and off based on a
  schedule and usage.

Update session host image
  Session host configuration: Use session host update to update the image and
  configuration of your session hosts based on the session host management policy
  and session host configuration.
  Standard management: Use your own existing tools and processes, such as automated
  pipelines and custom scripts, to update the image and configuration of your
  session hosts. You can't use session host update.

Automatically power on session hosts
  Session host configuration: Use Start VM on Connect to enable end users to turn on
  their session hosts only when they need them.
  Standard management: Use Start VM on Connect to enable end users to turn on their
  session hosts only when they need them.

Next steps
Learn how to Deploy Azure Virtual Desktop with a session host configuration or
standard management.

Learn about Session host update.



Deploy Azure Virtual Desktop
Article • 10/22/2024

Important

The following features are currently in preview:

Azure Virtual Desktop on Azure Local for Azure Government and for Azure
operated by 21Vianet (Azure in China).

Host pools with a session host configuration.

For legal terms that apply to Azure features that are in beta, in preview, or
otherwise not yet released into general availability, see Supplemental Terms of Use
for Microsoft Azure Previews.

This article shows you how to deploy Azure Virtual Desktop on Azure, Azure Local, or
Azure Extended Zones by using the Azure portal, the Azure CLI, or Azure PowerShell. To
deploy Azure Virtual Desktop, you:

Create a host pool.
Create a workspace.
Create an application group.
Create session host virtual machines (VMs).
Enable diagnostic settings (optional).
Assign users or groups to the application group for users to get access to desktops
and applications.

You can do all these tasks in a single process when using the Azure portal, but you can
also do them separately.

When you create a host pool, you can choose one of two management approaches:

Session host configuration (preview) is available for pooled host pools with session
hosts on Azure. Azure Virtual Desktop manages the lifecycle of session hosts in a
pooled host pool for you by using a combination of native features to provide an
integrated and dynamic experience.

Standard management is available for pooled and personal host pools with session
hosts on Azure or Azure Local. You manage creating, updating, and scaling session
hosts in a host pool. If you want to use existing tools and processes, such as
automated pipelines, custom scripts, or external partner solutions, you need to use
the standard host pool management type.

For more information on the terminology used in this article, see Azure Virtual Desktop
terminology. For more information about the Azure Virtual Desktop service, see Azure
Virtual Desktop service architecture and resilience.

Tip

The process covered in this article is an in-depth and adaptable approach to
deploying Azure Virtual Desktop. If you want to try Azure Virtual Desktop with a
simpler approach that deploys a sample Windows 11 desktop, see Tutorial:
Deploy a sample Azure Virtual Desktop infrastructure with a Windows 11 desktop
or use the quickstart.

Select a button at the top of this article to choose between host pools using
standard management or host pools using session host configuration to see the
relevant documentation.

Prerequisites
For a general idea of what's required and supported, such as operating systems (OSs),
virtual networks, and identity providers, review Prerequisites for Azure Virtual Desktop.
That article also includes a list of the supported Azure regions in which you can deploy
host pools, workspaces, and application groups. This list of regions is where the
metadata for the host pool can be stored. However, session hosts can be located in any
Azure region and on-premises with Azure Local. For more information about the types
of data and locations, see Data locations for Azure Virtual Desktop.

For more prerequisites, including role-based access control (RBAC) roles, select the
relevant tab for your scenario.

Azure portal

The Azure account that you use must have the following built-in RBAC roles or
equivalent as a minimum on a resource group or subscription to create the
following resource types. If you want to assign the roles to a resource group,
you need to create the resource group first.

Host pool, workspace, and application group: Desktop Virtualization Contributor

Session hosts (Azure and Azure Extended Zones): Virtual Machine Contributor

Session hosts (Azure Local): Azure Stack HCI VM Contributor

For ongoing management of host pools, workspaces, and application groups,
you can use more granular roles for each resource type. For more information,
see Built-in Azure RBAC roles for Azure Virtual Desktop.

To assign users to the application group, you also need
Microsoft.Authorization/roleAssignments/write permissions on the
application group. Built-in RBAC roles that include this permission are User
Access Administrator and Owner.

Don't disable Windows Remote Management when you're creating session
hosts by using the Azure portal, because PowerShell DSC requires it.

To add session hosts on Azure Local, you also need:

An Azure Local instance registered with Azure. Your Azure Local instances
need to be running a minimum of version 23H2. For more information, see
Azure Stack HCI, version 23H2 deployment overview. Azure Arc VM
management is installed automatically.

A stable connection to Azure from your on-premises network.

At least one Windows OS image available on the instance. For more
information, see how to create VM images by using Azure Marketplace
images, use images in an Azure Storage account, and use images in a local
share.

A logical network that you created on your Azure Local instance. DHCP
logical networks or static logical networks with automatic IP allocation are
supported. For more information, see Create logical networks for Azure
Local.

To deploy session hosts to Azure Extended Zones, you also need:

Your Azure subscription registered with the respective Azure Extended
Zone. For more information, see Request access to an Azure Extended
Zone.

An Azure load balancer with an outbound rule on the virtual network to
which you're deploying session hosts. You can use an existing load balancer
or create a new one when adding session hosts.

Create a host pool with standard management

To create a host pool, select the relevant tab for your scenario and follow the steps.

Azure portal

Here's how to create a host pool by using the Azure portal:

1. Sign in to the Azure portal.

2. On the search bar, enter Azure Virtual Desktop and select the matching
service entry.

3. Select Host pools, and then select Create.

4. On the Basics tab, complete the following information:

Subscription: In the dropdown list, select the subscription where you want to
create the host pool.

Resource group: Select an existing resource group, or select Create new and enter a
name.

Host pool name: Enter a name for the host pool, such as hp01.

Location: Select the Azure region where you want to create your host pool.

Validation environment: Select Yes to create a host pool that's used as a validation
environment. Select No (default) to create a host pool that isn't used as a
validation environment.

Preferred app group type: Select the preferred application group type for this host
pool: Desktop or RemoteApp. A desktop application group is created automatically
when you use the Azure portal.

Host pool type: Select whether you want your host pool to be Personal or Pooled.
If you select Personal, a new option appears for Assignment type. Select either
Automatic or Direct.
If you select Pooled, two new options appear for Load balancing algorithm and Max
session limit.
- For Load balancing algorithm, choose either breadth-first or depth-first, based
  on your usage pattern.
- For Max session limit, enter the maximum number of users that you want
  load-balanced to a single session host. For more information, see Host pool
  load-balancing algorithms.

Tip

After you complete this tab, you can continue to optionally create session
hosts, create a workspace, register the default desktop application group
from this host pool, and enable diagnostic settings by selecting Next:
Virtual Machines. Alternatively, if you want to create and configure these
resources separately, select Next: Review + create and go to step 9.

5. Optional: On the Virtual machines tab, if you want to add session hosts,
expand one of the following sections and complete the information,
depending on whether you want to create session hosts on Azure or on Azure
Local. For guidance on sizing session host virtual machines, see Session host
virtual machine sizing guidelines.

To add session hosts on Azure, expand this section.

Add virtual machines: Select Yes. This action shows several new options.

Resource group: This value defaults to the resource group that you chose to
contain your host pool on the Basics tab, but you can select an alternative.

Name prefix: Enter a name prefix for your session hosts, such as hp01-sh.
Each session host has a suffix of a hyphen and then a sequential number added to
the end, such as hp01-sh-0.
This name prefix can be a maximum of 11 characters and is used in the computer
name in the operating system. The prefix and the suffix combined can be a maximum
of 15 characters. Session host names must be unique.

Virtual machine type: Select Azure virtual machine.

Virtual machine location: Select the Azure region where you want to deploy your
session hosts. This value must be the same region that contains your virtual
network.

Availability options: Select from availability zones, availability set, or No
infrastructure redundancy required. If you select availability zones or
availability set, complete the extra parameters that appear.

Security type: Select from Standard, Trusted launch virtual machines, or
Confidential virtual machines.
- If you select Trusted launch virtual machines, options for secure boot and vTPM
  are automatically selected.
- If you select Confidential virtual machines, options for secure boot, vTPM, and
  integrity monitoring are automatically selected. You can't opt out of vTPM when
  using a confidential VM.

Image: Select the OS image that you want to use from the list, or select See all
images to see more. The full list includes any images that you created and stored
as an Azure Compute Gallery shared image or a managed image.

Virtual machine size: Select a size. If you want to use a different size, select
Change size, and then select from the list.

Hibernate: Select the box to enable hibernation. Hibernation is available only for
personal host pools. For more information, see Hibernation in virtual machines. If
you're using Microsoft Teams media optimizations, you should update the WebRTC
redirector service to 1.45.2310.13001.
FSLogix and app attach currently don't support hibernation. Don't enable
hibernation if you're using FSLogix or app attach for your personal host pools.

Number of VMs: Enter the number of virtual machines that you want to deploy. You
can deploy up to 400 session hosts at this point if you want (depending on your
subscription quota), or you can add more later.
For more information, see Azure Virtual Desktop service limits and Virtual Machines
limits.

OS disk type: Select the disk type to use for your session hosts. We recommend that
you use only Premium SSD for production workloads.

OS disk size: Select a size for the OS disk.
If you enable hibernation, ensure that the OS disk is large enough to store the
contents of the memory in addition to the OS and other applications.

Confidential computing encryption: If you're using a confidential VM, you must
select the Confidential compute encryption checkbox to enable OS disk encryption.
This checkbox appears only if you selected Confidential virtual machines as your
security type.

Boot Diagnostics: Select whether you want to enable boot diagnostics.

Network and security

Virtual network: Select your virtual network. An option to select a subnet appears.

Subnet: Select a subnet from your virtual network.

Network security group: Select whether you want to use a network security group
(NSG).
- None doesn't create a new NSG.
- Basic creates a new NSG for the VM network adapter.
- Advanced enables you to select an existing NSG.
We recommend that you don't create an NSG here, but create an NSG on the subnet
instead.

Public inbound ports: You can select a port to allow from the list. Azure Virtual
Desktop doesn't require public inbound ports, so we recommend that you select No.

Domain to join

Select which directory you would like to join: Select from Microsoft Entra ID or
Active Directory, and complete the relevant parameters for the selected option.

Virtual Machine Administrator account

Username: Enter a name to use as the local administrator account for the new
session hosts.

Password: Enter a password for the local administrator account.

Confirm password: Reenter the password.

Custom configuration

Custom configuration script URL: If you want to run a PowerShell script during
deployment, you can enter the URL here.

To add session hosts on Azure Local, expand this section.

Add virtual machines: Select Yes. This action shows several new options.

Resource group: This value defaults to the resource group that you chose to
contain your host pool on the Basics tab, but you can select an alternative.

Name prefix: Enter a name prefix for your session hosts, such as hp01-sh.
Each session host has a suffix of a hyphen and then a sequential number added to
the end, such as hp01-sh-0.
This name prefix can be a maximum of 11 characters and is used in the computer
name in the operating system. The prefix and the suffix combined can be a maximum
of 15 characters. Session host names must be unique.

Virtual machine type: Select Azure Local.

Custom location: In the dropdown list, select the Azure Local instance where you
want to deploy your session hosts.

Images: Select the OS image that you want to use from the list, or select Manage
VM images to manage the images available on the instance that you selected.

Number of VMs: Enter the number of virtual machines that you want to deploy. You
can add more later.

Virtual processor count: Enter the number of virtual processors that you want to
assign to each session host. This value isn't validated against the resources
available in the instance.

Memory type: Select Static for a fixed memory allocation, or select Dynamic for a
dynamic memory allocation.

Memory (GB): Enter a number for the amount of memory, in gigabytes, that you want
to assign to each session host. This value isn't validated against the resources
available in the instance.

Maximum memory: If you selected dynamic memory allocation, enter a number for the
maximum amount of memory, in gigabytes, that you want your session host to be able
to use.

Minimum memory: If you selected dynamic memory allocation, enter a number for the
minimum amount of memory, in gigabytes, that you want your session host to be able
to use.

Network and security

Network dropdown: Select an existing network to connect each session to.

Domain to join

Select which directory you would like to join: Active Directory is the only
available option. This includes using Microsoft Entra hybrid join.

AD domain join UPN: Enter the user principal name (UPN) of an Active Directory user
who has permission to join the session hosts to your domain.

Password: Enter the password for the Active Directory user.

Specify domain or unit: Select yes if you want to join session hosts to a specific
domain or be placed in a specific organizational unit (OU). If you select no, the
suffix of the UPN is used as the domain.

Virtual Machine Administrator account

Username: Enter a name to use as the local administrator account for the new
session hosts.

Password: Enter a password for the local administrator account.

Confirm password: Reenter the password.

To add session hosts on Azure Extended Zones, expand this section.

Add virtual machines: Select Yes. This action shows several new options.

Resource group: This value defaults to the resource group that you chose to contain
your host pool on the Basics tab, but you can select an alternative.

Name prefix: Enter a name prefix for your session hosts, such as hp01-sh.
Each session host has a suffix of a hyphen and then a sequential number added to
the end, such as hp01-sh-0.
This name prefix can be a maximum of 11 characters and is used in the computer name
in the operating system. The prefix and the suffix combined can be a maximum of 15
characters. Session host names must be unique.

Virtual machine type: Select Azure virtual machine.

Virtual machine location: Select Deploy to an Azure Extended Zone.

Azure Extended Zone: Select the Extended Zone you require.

Network and security

Select a load balancer: Select an existing Azure load balancer on the same virtual
network you want to use for your session hosts, or select Create a load balancer to
create a new load balancer.

Select a backend pool: Select a backend pool on the load balancer you want to use
for your session hosts. If you're creating a new load balancer, select Create new
to create a new backend pool for the new load balancer.

Add outbound rule: If you're creating a new load balancer, select Create new to
create a new outbound rule for it.

After you complete this tab, select Next: Workspace.

6. Optional: On the Workspace tab, if you want to create a workspace and
register the default desktop application group from this host pool, complete
the following information:

Register desktop app group: Select Yes. This action registers the default desktop
application group to the selected workspace.

To this workspace: Select an existing workspace from the list, or select Create new
and enter a name, such as ws01.

After you complete this tab, select Next: Advanced.

7. Optional: On the Advanced tab, if you want to enable diagnostic settings,
complete the following information:

Enable diagnostics settings: Select the box.

Choosing destination details to send logs to: Select one of the following
destinations:
- Send to a Log Analytics workspace
- Archive to a storage account
- Stream to an event hub

After you complete this tab, select Next: Tags.

8. Optional: On the Tags tab, you can enter any name/value pairs that you need,
and then select Next: Review + create.

9. On the Review + create tab, ensure that validation passes and review the
information that will be used during deployment.

10. Select Create to create the host pool.

11. Select Go to resource to go to the overview of your new host pool, and then
select Properties to view its properties.
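The Virtual machines tab above carries several hard limits and recommendations (name prefix length, no public inbound ports or public IP, NSG on the subnet, Premium SSD for production, hibernation and confidential VM rules), and the management approach section earlier restricts session host configuration to pooled, Active Directory joined host pools. The following preflight check is an added example, not Microsoft's code; the SessionHostPlan fields, the finding codes, and the sample plans are this example's own assumptions, and it encodes only the constraints stated on this page.

```python
"""Preflight checks for a planned Azure Virtual Desktop session host deployment.

Added example (not from the Azure Virtual Desktop documentation). It turns the
limits and recommendations on the portal's Virtual machines tab, plus the
management approach restrictions, into checks you can run before selecting
Create. The plan shape and finding codes are this example's own invention.
"""
from dataclasses import dataclass, field

MAX_PREFIX_LEN = 11          # name prefix limit stated in the portal guidance
MAX_COMPUTER_NAME = 15       # prefix plus "-N" suffix must fit the computer name
MAX_VMS_PER_DEPLOYMENT = 400 # session hosts you can add in one deployment


@dataclass
class SessionHostPlan:
    """Subset of the portal's Virtual machines tab as a plain data structure."""
    name_prefix: str
    vm_count: int
    host_pool_type: str = "Pooled"           # "Pooled" or "Personal"
    management: str = "Standard"             # or "SessionHostConfiguration"
    join_type: str = "ActiveDirectory"       # or "EntraID"
    security_type: str = "TrustedLaunch"     # "Standard", "TrustedLaunch", "Confidential"
    vtpm: bool = True
    secure_boot: bool = True
    confidential_disk_encryption: bool = False
    os_disk_type: str = "Premium_LRS"
    production: bool = True
    hibernate: bool = False
    uses_fslogix_or_app_attach: bool = False
    public_inbound_ports: list = field(default_factory=list)
    public_ip: bool = False
    nsg_scope: str = "subnet"                # "subnet", "nic" or "none"
    windows_installer_disabled: bool = False
    winrm_disabled: bool = False


def session_host_names(prefix: str, count: int) -> list:
    """Computer names the service generates: prefix, hyphen, sequential number."""
    return [f"{prefix}-{i}" for i in range(count)]


def check_plan(p: SessionHostPlan) -> list:
    """Return finding codes for the plan; an empty list means it passes."""
    findings = []

    # Naming: prefix up to 11 characters, prefix plus suffix up to 15.
    if not p.name_prefix or len(p.name_prefix) > MAX_PREFIX_LEN:
        findings.append("PREFIX_TOO_LONG")
    if p.vm_count < 1 or p.vm_count > MAX_VMS_PER_DEPLOYMENT:
        findings.append("VM_COUNT_OUT_OF_RANGE")
    elif len(session_host_names(p.name_prefix, p.vm_count)[-1]) > MAX_COMPUTER_NAME:
        findings.append("COMPUTER_NAME_TOO_LONG")

    # Network exposure: the service needs no inbound port and no public IP.
    if p.public_inbound_ports:
        findings.append("PUBLIC_INBOUND_PORTS")
    if p.public_ip:
        findings.append("PUBLIC_IP")
    if p.nsg_scope == "nic":
        findings.append("NSG_ON_NIC")  # guidance: attach the NSG to the subnet

    # Confidential VMs keep vTPM and secure boot and need OS disk encryption.
    if p.security_type == "Confidential" and not (
        p.vtpm and p.secure_boot and p.confidential_disk_encryption
    ):
        findings.append("CONFIDENTIAL_VM_REQUIREMENTS")

    # Storage and hibernation.
    if p.production and p.os_disk_type != "Premium_LRS":
        findings.append("OS_DISK_NOT_PREMIUM")
    if p.hibernate and p.host_pool_type != "Personal":
        findings.append("HIBERNATE_REQUIRES_PERSONAL")
    if p.hibernate and p.uses_fslogix_or_app_attach:
        findings.append("HIBERNATE_WITH_FSLOGIX")

    # Session host configuration: pooled only, no Microsoft Entra join.
    if p.management == "SessionHostConfiguration":
        if p.host_pool_type != "Pooled":
            findings.append("SHC_REQUIRES_POOLED")
        if p.join_type == "EntraID":
            findings.append("SHC_NO_ENTRA_JOIN")

    # Agent servicing: Windows Installer and WinRM must stay enabled.
    if p.windows_installer_disabled:
        findings.append("WINDOWS_INSTALLER_DISABLED")
    if p.winrm_disabled:
        findings.append("WINRM_DISABLED")
    return findings


if __name__ == "__main__":
    # Constructed sample plans, not real deployments.
    good = SessionHostPlan(name_prefix="hp01-sh", vm_count=10)
    risky = SessionHostPlan(name_prefix="sales-desktops", vm_count=100,
                            security_type="Confidential",
                            public_inbound_ports=[3389], nsg_scope="nic",
                            hibernate=True)
    print("good:", check_plan(good) or "OK")
    print("risky:", check_plan(risky))
```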

Post-deployment tasks
If you also added session hosts to your host pool, you need to do some extra
configuration, as described in the following sections.

Licensing

To ensure that your session hosts have licenses applied correctly, you need to do
the following tasks:

If you have the correct licenses to run Azure Virtual Desktop workloads, you
can apply a Windows or Windows Server license to your session hosts as part
of Azure Virtual Desktop and run them without paying for a separate license.
This license is automatically applied when you create session hosts by using
the Azure Virtual Desktop service, but you might have to apply the license
separately if you create session hosts outside Azure Virtual Desktop. For more
information, see Apply a Windows license to session host virtual machines.

If your session hosts are running a Windows Server OS, you also need to issue
them a Remote Desktop Services (RDS) client access license (CAL) from an RDS
license server. For more information, see License your RDS deployment with
client access licenses.

For session hosts on Azure Local, you must license and activate the virtual
machines before you use them with Azure Virtual Desktop. For activating VMs
that use Windows 10 Enterprise multi-session, Windows 11 Enterprise multi-
session, and Windows Server 2022 Datacenter: Azure Edition, use Azure
verification for VMs. For all other OS images (such as Windows 10 Enterprise,
Windows 11 Enterprise, and other editions of Windows Server), you should
continue to use existing activation methods. For more information, see
Activate Windows Server VMs on Azure Local.

Microsoft Entra joined session hosts

For session hosts on Azure that are joined to Microsoft Entra ID, you also need to
enable single sign-on or earlier authentication protocols, assign an RBAC role to
users, and review your multifactor authentication policies so that users can sign in
to the VMs. For more information, see Microsoft Entra joined session hosts.

Note

If you created a host pool and a workspace, and you registered the
default desktop application group from this host pool in the same
process, go to the section Assign users to an application group and
complete the rest of the article. A desktop application group (whichever
application group type you set as preferred) is created automatically
when you use the Azure portal.

If you created a host pool and workspace in the same process, but you
didn't register the default desktop application group from this host pool,
go to the section Create an application group and complete the rest of
the article.

If you didn't create a workspace, continue to the next section and
complete the rest of the article.

Create a workspace
Next, to create a workspace, select the relevant tab for your scenario and follow the
steps.

Azure portal

Here's how to create a workspace by using the Azure portal:

1. On the Azure Virtual Desktop overview, select Workspaces, and then select
Create.

2. On the Basics tab, complete the following information:

Subscription: In the dropdown list, select the subscription where you want to
create the workspace.

Resource group: Select an existing resource group, or select Create new and enter a
name.

Workspace name: Enter a name for the workspace, such as workspace01.

Friendly name: Optional: Enter a display name for the workspace.

Description: Optional: Enter a description for the workspace.

Location: Select the Azure region where you want to deploy your workspace.

Tip

After you complete this tab, you can continue to optionally register an
existing application group to this workspace, if you have one, and enable
diagnostic settings by selecting Next: Application groups. Alternatively, if
you want to create and configure these resources separately, select
Review + create and go to step 9.

3. Optional: On the Application groups tab, if you want to register an existing
application group to this workspace, complete the following information:

Parameter | Value/Description
Register application groups | Select Yes, and then select + Register application groups. On the new pane that opens, select the Add icon for the application groups that you want to add, and then choose Select.

After you complete this tab, select Next: Advanced.

4. Optional: On the Advanced tab, if you want to enable diagnostic settings,
complete the following information:

Parameter | Value/Description
Enable diagnostics settings | Select the box.
Choosing destination details to send logs to | Select one of the following destinations: Send to a Log Analytics workspace; Archive to a storage account; Stream to an event hub.

After you complete this tab, select Next: Tags.

5. Optional: On the Tags tab, you can enter any name/value pairs that you need,
and then select Next: Review + create.

6. On the Review + create tab, ensure that validation passes and review the
information that will be used during deployment.

7. Select Create to create the workspace.

8. Select Go to resource to go to the overview of your new workspace, and then
select Properties to view its properties.

Note

If you added an application group to this workspace, go to the section
Assign users to an application group and complete the rest of the
article.

If you didn't add an application group to this workspace, continue to the
next section and complete the rest of the article.

Create an application group

To create an application group, select the relevant tab for your scenario and follow the
steps.

Azure portal

Here's how to create an application group by using the Azure portal:

1. On the Azure Virtual Desktop overview, select Application groups, and then
select Create.

2. On the Basics tab, complete the following information:

Parameter | Value/Description
Subscription | In the dropdown list, select the subscription where you want to create the application group.
Resource group | Select an existing resource group, or select Create new and enter a name.
Host pool | Select the host pool for the application group.
Location | Metadata is stored in the same location as the host pool.
Application group type | Select the application group type for the host pool: Desktop or RemoteApp.
Application group name | Enter a name for the application group, such as Session Desktop.

Tip

After you complete this tab, select Next: Review + create. You don't need
to complete the other tabs to create an application group, but you need
to create a workspace, add an application group to a workspace, and
assign users to the application group before users can access the
resources.

If you created an application group for RemoteApp, you also need to add
applications to it. For more information, see Publish applications.

3. Optional: If you chose to create a RemoteApp application group, you can add
applications to this group. On the Application groups tab, select + Add
applications, and then select an application. For more information on the
application parameters, see Publish applications with RemoteApp. At least one
session host in the host pool must be turned on and available in Azure Virtual
Desktop.

After you complete this tab, or if you're creating a desktop application group,
select Next: Assignments.

4. Optional: On the Assignments tab, if you want to assign users or groups to
this application group, select + Add Microsoft Entra users or user groups. On
the new pane that opens, select the box next to the users or groups that you
want to add, and then choose Select.

After you complete this tab, select Next: Workspace.

5. Optional: On the Workspace tab, if you're creating a desktop application
group, you can register the default desktop application group from the host
pool that you selected by completing the following information:

Parameter | Value/Description
Register application group | Select Yes. This action registers the default desktop application group to the selected workspace.
Register application group | Select an existing workspace from the list.

After you complete this tab, select Next: Advanced.

6. Optional: If you want to enable diagnostic settings, on the Advanced tab,
complete the following information:

Parameter | Value/Description
Enable diagnostics settings | Select the box.
Choosing destination details to send logs to | Select one of the following destinations: Send to a Log Analytics workspace; Archive to a storage account; Stream to an event hub.

After you complete this tab, select Next: Tags.

7. Optional: On the Tags tab, you can enter any name/value pairs that you need,
and then select Next: Review + create.

8. On the Review + create tab, ensure that validation passes and review the
information that will be used during deployment.

9. Select Create to create the application group.

10. Select Go to resource to go to the overview of your new application group,
and then select Properties to view its properties.

Note

If you created a desktop application group, assigned users or groups, and
registered the default desktop application group to a workspace, your
assigned users can connect to the desktop and you don't need to
complete the rest of the article.

If you created a RemoteApp application group, added applications, and
assigned users or groups, go to the section Add an application group to
a workspace and complete the rest of the article.

If you didn't add applications, assign users or groups, or register the
application group to a workspace, continue to the next section and
complete the rest of the article.

Add an application group to a workspace

Next, to add an application group to a workspace, select the relevant tab for your
scenario and follow the steps.

Azure portal

Here's how to add an application group to a workspace by using the Azure portal:

1. On the Azure Virtual Desktop overview, select Workspaces, and then select
the name of the workspace to which you want to assign an application group.

2. On the workspace overview, select Application groups, and then select + Add.

3. In the list, select the plus icon (+) next to an application group. Only
application groups that aren't already assigned to a workspace are listed.

4. Choose Select. The application group is added to the workspace.

Assign users to an application group

Finally, to assign users or user groups to an application group, select the relevant tab for
your scenario and follow the steps. We recommend that you assign user groups to
application groups to make ongoing management simpler.

The account you use needs permission to assign roles in Azure RBAC on the application
group after it's created. The permission is
Microsoft.Authorization/roleAssignments/write, which is included in some built-in
roles, such as User Access Administrator and Owner.

Azure portal

Here's how to assign users or user groups to an application group by using the
Azure portal:

1. On the Azure Virtual Desktop overview, select Application groups.

2. Select the application group from the list.

3. On the application group overview, select Assignments.

4. Select + Add, and then search for and select the user account or user group
that you want to assign to this application group.

5. Finish by choosing Select.

Related content

Azure portal

After you deploy Azure Virtual Desktop, your users can connect from several
platforms, including a web browser. For more information, see Remote Desktop
clients for Azure Virtual Desktop and Connect to Azure Virtual Desktop with the
Remote Desktop Web client.

Here are some extra tasks that you might want to do:

- Configure profile management for Azure Virtual Desktop by using FSLogix
profile containers
- Add session hosts to a host pool
- Enable diagnostic settings



Use the quickstart to create a sample
infrastructure
Article • 05/07/2024

You can quickly deploy Azure Virtual Desktop with the quickstart in the Azure portal.
This can be used in smaller scenarios with a few users and apps, or you can use it to
evaluate Azure Virtual Desktop in larger enterprise scenarios. It works with existing
Active Directory Domain Services (AD DS) or Microsoft Entra Domain Services
deployments, or it can deploy Microsoft Entra Domain Services for you. Once you've
finished, a user will be able to sign in to a full virtual desktop session, consisting of one
host pool (with one or more session hosts), one application group, and one user. To
learn about the terminology used in Azure Virtual Desktop, see Azure Virtual Desktop
terminology.

Joining session hosts to Microsoft Entra ID with the quickstart is not supported. If you
want to join session hosts to Microsoft Entra ID, follow the tutorial to create a host pool.

Tip

Enterprises should plan an Azure Virtual Desktop deployment using information
from Enterprise-scale support for Microsoft Azure Virtual Desktop. You can also
find a more granular deployment process in a series of tutorials, which also cover
programmatic methods and require fewer permissions.

You can see the list of resources that will be deployed further down in this article.

Prerequisites

Review the Prerequisites for Azure Virtual Desktop for a general idea of what's
required; however, there are some differences when using the quickstart that you'll
need to meet. Select a tab below to show instructions that are most relevant to
your scenario.

Tip

If you don't already have other Azure resources, we recommend you select the
New Microsoft Entra Domain Services tab. This scenario will deploy everything you
need to be ready to connect to a full virtual desktop session. If you already have AD
DS or Microsoft Entra Domain Services, select the relevant tab for your scenario
instead.

New Microsoft Entra Domain Services

At a high level, you'll need:

- An Azure account with an active subscription.
- An account with the global administrator Microsoft Entra role assigned on the
Azure tenant and the owner role assigned on the subscription you're going to use.
- No existing Microsoft Entra Domain Services domain deployed in your Azure
tenant.
- User names you choose must not include any keywords that the username
guideline list doesn't allow, and you must use a unique user name that's not
already in your Microsoft Entra subscription.
- The user name for AD Domain join UPN should be a unique one that doesn't
already exist in Microsoft Entra ID. The quickstart doesn't support using
existing Microsoft Entra user names when also deploying Microsoft Entra
Domain Services.

Important

The quickstart doesn't currently support accounts that use multi-factor
authentication. It also does not support personal Microsoft accounts (MSA) or
Microsoft Entra B2B collaboration users (either member or guest accounts).

Deployment steps

New Microsoft Entra Domain Services

Here's how to deploy Azure Virtual Desktop and a new Microsoft Entra Domain
Services domain using the quickstart:

1. Sign in to the Azure portal.

2. In the search bar, type Azure Virtual Desktop and select the matching service
entry.

3. Select Quickstart to open the landing page for the quickstart, then select
Start.

4. On the Basics tab, complete the following information, then select Next:
Virtual Machines >:

Parameter | Value/Description
Subscription | The subscription you want to use from the drop-down list.
Identity provider | No identity provider.
Identity service type | Microsoft Entra Domain Services.
Resource group | Enter a name. This will be used as the prefix for the resource groups that are deployed.
Location | The Azure region where your Azure Virtual Desktop resources will be deployed.
Azure admin user name | The user principal name (UPN) of the account with the global administrator Microsoft Entra role assigned on the Azure tenant and the owner role on the subscription that you selected. Make sure this account meets the requirements noted in the prerequisites.
Azure admin password | The password for the Azure admin account.
Domain admin user name | The user principal name (UPN) for a new Microsoft Entra account that will be added to a new AAD DC Administrators group and used to manage your Microsoft Entra Domain Services domain. The UPN suffix will be used as the Microsoft Entra Domain Services domain name. Make sure this user name meets the requirements noted in the prerequisites.
Domain admin password | The password for the domain admin account.

5. On the Virtual machines tab, complete the following information, then select
Next: Assignments >:

Parameter | Value/Description
Users per virtual machine | Select Multiple users or One user at a time depending on whether you want users to share a session host or assign a session host to an individual user. Learn more about host pool types. Selecting Multiple users will also create an Azure Files storage account joined to the same Microsoft Entra Domain Services domain.
Image type | Select Gallery to choose from a predefined list, or Storage blob to enter a URI to the image.
Image | If you chose Gallery for image type, select the operating system image you want to use from the drop-down list. You can also select See all images to choose an image from the Azure Compute Gallery. If you chose Storage blob for image type, enter the URI of the image.
Virtual machine size | The Azure virtual machine size used for your session host(s).
Name prefix | The name prefix for your session host(s). Each session host will have a hyphen and then a number added to the end, for example avd-sh-1. This name prefix can be a maximum of 11 characters and will also be used as the device name in the operating system.
Number of virtual machines | The number of session hosts you want to deploy at this time. You can add more later.
Link Azure template | Tick the box if you want to link a separate ARM template for custom configuration on your session host(s) during deployment. You can specify inline deployment script, desired state configuration, and custom script extension. Provisioning other Azure resources in the template isn't supported. Untick the box if you don't want to link a separate ARM template during deployment.
ARM template file URL | The URL of the ARM template file you want to use. This could be stored in a storage account.
ARM template parameter file URL | The URL of the ARM template parameter file you want to use. This could be stored in a storage account.

6. On the Assignments tab, complete the following information, then select
Next: Review + create >:

Parameter | Value/Description
Create test user account | Tick the box if you want a new user account created during deployment for testing purposes.
Test user name | The user principal name (UPN) of the test account you want to be created, for example [email protected]. This user will be created in your new Microsoft Entra tenant, synchronized to Microsoft Entra Domain Services, and made a member of the AVDValidationUsers security group that is also created during deployment. It must contain a valid UPN suffix for your domain that is also added as a verified custom domain name in Microsoft Entra ID. Make sure this user name meets the requirements noted in the prerequisites.
Test password | The password to be used for the test account.
Confirm password | Confirmation of the password to be used for the test account.

7. On the Review + create tab, ensure validation passes and review the
information that will be used during deployment.

8. Select Create.

Connect to the desktop

Once the deployment has completed successfully, if you created a test account or
assigned an existing user during deployment, you can connect to it following the steps
for one of the supported Remote Desktop clients. For example, you can follow the steps
to Connect with the Windows Desktop client.

If you didn't create a test account or assign an existing user during deployment, you'll
need to add users to the AVDValidationUsers security group before you can connect.

Resources that will be deployed

New Microsoft Entra Domain Services

Resource type | Name | Resource group name | Notes
Resource group | <your prefix>-avd | N/A | This is a predefined name.
Resource group | <your prefix>-deployment | N/A | This is a predefined name.
Resource group | <your prefix>-prerequisite | N/A | This is a predefined name.
Microsoft Entra Domain Services | <your domain name> | <your prefix>-prerequisite | Deployed with the Enterprise SKU. You can change the SKU after deployment.
Automation Account | ebautomation<random string> | <your prefix>-deployment | This is a predefined name.
Automation Account runbook | inputValidationRunbook (<Automation Account name>) | <your prefix>-deployment | This is a predefined name.
Automation Account runbook | prerequisiteSetupCompletionRunbook (<Automation Account name>) | <your prefix>-deployment | This is a predefined name.
Automation Account runbook | resourceSetupRunbook (<Automation Account name>) | <your prefix>-deployment | This is a predefined name.
Automation Account runbook | roleAssignmentRunbook (<Automation Account name>) | <your prefix>-deployment | This is a predefined name.
Managed Identity | easy-button-fslogix-identity | <your prefix>-avd | Only created if Multiple users is selected for Users per virtual machine. This is a predefined name.
Host pool | EB-AVD-HP | <your prefix>-avd | This is a predefined name.
Application group | EB-AVD-HP-DAG | <your prefix>-avd | This is a predefined name.
Workspace | EB-AVD-WS | <your prefix>-avd | This is a predefined name.
Storage account | eb<random string> | <your prefix>-avd | This is a predefined name.
Virtual machine | <your prefix>-<number> | <your prefix>-avd | This is a predefined name.
Virtual network | avdVnet | <your prefix>-prerequisite | The address space used is 10.0.0.0/16. The address space and name are predefined.
Network interface | <virtual machine name>-nic | <your prefix>-avd | This is a predefined name.
Network interface | aadds-<random string>-nic | <your prefix>-prerequisite | This is a predefined name.
Network interface | aadds-<random string>-nic | <your prefix>-prerequisite | This is a predefined name.
Disk | <virtual machine name>_OsDisk_1_<random string> | <your prefix>-avd | This is a predefined name.
Load balancer | aadds-<random string>-lb | <your prefix>-prerequisite | This is a predefined name.
Public IP address | aadds-<random string>-pip | <your prefix>-prerequisite | This is a predefined name.
Network security group | avdVnet-nsg | <your prefix>-prerequisite | This is a predefined name.
Group | AVDValidationUsers | N/A | Created in your new Microsoft Entra tenant and synchronized to Microsoft Entra Domain Services. It contains a new test user (if created) and users you selected. This is a predefined name.
User | <your test user> | N/A | If you select to create a test user, it will be created in your new Microsoft Entra tenant, synchronized to Microsoft Entra Domain Services, and made a member of the AVDValidationUsers security group.

Clean up resources
If you want to remove Azure Virtual Desktop resources from your environment, you can
safely remove them by deleting the resource groups that were deployed. These are:

- your-prefix-deployment
- your-prefix-avd
- your-prefix-prerequisite (only if you deployed the quickstart with a new Microsoft
Entra Domain Services domain)

To delete the resource groups:

1. Sign in to the Azure portal.

2. In the search bar, type Resource groups and select the matching service entry.

3. Select the name of one of the resource groups, then select Delete resource group.

4. Review the affected resources, then type the resource group name in the box, and
select Delete.

5. Repeat these steps for the remaining resource groups.

Next steps
If you want to publish apps as well as the full virtual desktop, see the tutorial to Manage
application groups with the Azure portal.

If you'd like to learn how to deploy Azure Virtual Desktop in a more in-depth way, with
fewer permissions required, or programmatically, check out our series of tutorials, starting
with Create a host pool with the Azure portal.



Built-in Azure RBAC roles for Azure Virtual
Desktop
Article • 09/23/2024

Azure Virtual Desktop uses Azure role-based access control (RBAC) to control access to
resources. There are many built-in roles for use with Azure Virtual Desktop that are a collection
of permissions. You assign roles to users and admins and these roles give permission to carry
out certain tasks. To learn more about Azure RBAC, see What is Azure RBAC?.

The standard built-in roles for Azure are Owner, Contributor, and Reader. However, Azure Virtual
Desktop has more roles that let you separate management roles for host pools, application
groups, and workspaces. This separation lets you have more granular control over
administrative tasks. These roles are named in compliance with Azure's standard roles and least-
privilege methodology. Azure Virtual Desktop doesn't have a specific Owner role, but you can
use the general Owner role for the service objects.

The built-in roles for Azure Virtual Desktop and the permissions for each one are detailed in this
article. You can assign each role to the scope you need. Some Azure Virtual Desktop features have
specific requirements for the assigned scope, which you can find in the documentation for the
relevant feature. For more information, see Understand Azure role definitions and Understand
scope for Azure RBAC.

Desktop Virtualization Contributor

The Desktop Virtualization Contributor role allows managing all your Azure Virtual Desktop
resources. You also need the User Access Administrator role to assign application groups to user
accounts or user groups. This role doesn't grant users access to compute resources.

Action type Permissions

actions Microsoft.DesktopVirtualization/*
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Resources/deployments/*
Microsoft.Authorization/*/read
Microsoft.Insights/alertRules/*
Microsoft.Support/*

notActions None

dataActions None

notDataActions None

Desktop Virtualization Reader

The Desktop Virtualization Reader role allows viewing all your Azure Virtual Desktop resources,
but doesn't allow changes.

ID: 49a72310-ab8d-41df-bbb0-79b649203868

Action type Permissions

actions Microsoft.DesktopVirtualization/*/read
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Resources/deployments/read
Microsoft.Authorization/*/read
Microsoft.Insights/alertRules/read
Microsoft.Support/*

notActions None

dataActions None

notDataActions None

Desktop Virtualization User

The Desktop Virtualization User role allows users to use an application on a session host from
an application group as a non-administrative user.

ID: 1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63

Action type Permissions

actions None

notActions None

dataActions Microsoft.DesktopVirtualization/applicationGroups/useApplications/action

notDataActions None

Desktop Virtualization Host Pool Contributor

The Desktop Virtualization Host Pool Contributor role allows managing all aspects of a host
pool. You also need the Virtual Machine Contributor role to create virtual machines and the
Desktop Virtualization Application Group Contributor and Desktop Virtualization Workspace
Contributor roles to deploy Azure Virtual Desktop using the portal, or you can use the Desktop
Virtualization Contributor role.

ID: e307426c-f9b6-4e81-87de-d99efb3c32bc

Action type Permissions

actions Microsoft.DesktopVirtualization/hostpools/*
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Resources/deployments/*
Microsoft.Authorization/*/read
Microsoft.Insights/alertRules/*
Microsoft.Support/*

notActions None

dataActions None

notDataActions None

Desktop Virtualization Host Pool Reader

The Desktop Virtualization Host Pool Reader role allows viewing all aspects of a host pool, but
doesn't allow changes.

ID: ceadfde2-b300-400a-ab7b-6143895aa822

Action type Permissions

actions Microsoft.DesktopVirtualization/hostpools/*/read
Microsoft.DesktopVirtualization/hostpools/read
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Resources/deployments/read
Microsoft.Authorization/*/read
Microsoft.Insights/alertRules/read
Microsoft.Support/*

notActions None

dataActions None

notDataActions None

Desktop Virtualization Application Group Contributor

The Desktop Virtualization Application Group Contributor role allows managing all aspects of an
application group. If you want to assign user accounts or user groups to application groups too,
you also need the User Access Administrator role.

ID: 86240b0e-9422-4c43-887b-b61143f32ba8

Action type Permissions

actions Microsoft.DesktopVirtualization/applicationgroups/*
Microsoft.DesktopVirtualization/hostpools/read
Microsoft.DesktopVirtualization/hostpools/sessionhosts/read
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Resources/deployments/*
Microsoft.Authorization/*/read
Microsoft.Insights/alertRules/*
Microsoft.Support/*

notActions None

dataActions None

notDataActions None

Desktop Virtualization Application Group Reader

The Desktop Virtualization Application Group Reader role allows viewing all aspects of an
application group, but doesn't allow changes.

ID: aebf23d0-b568-4e86-b8f9-fe83a2c6ab55

Action type Permissions

actions Microsoft.DesktopVirtualization/applicationgroups/*/read
Microsoft.DesktopVirtualization/applicationgroups/read
Microsoft.DesktopVirtualization/hostpools/read
Microsoft.DesktopVirtualization/hostpools/sessionhosts/read
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Resources/deployments/read
Microsoft.Authorization/*/read
Microsoft.Insights/alertRules/read
Microsoft.Support/*

notActions None

dataActions None

notDataActions None

Desktop Virtualization Workspace Contributor

The Desktop Virtualization Workspace Contributor role allows managing all aspects of
workspaces. To get information on applications added to a related application group, you also
need the Desktop Virtualization Application Group Reader role.

ID: 21efdde3-836f-432b-bf3d-3e8e734d4b2b

Action type Permissions

actions Microsoft.DesktopVirtualization/workspaces/*
Microsoft.DesktopVirtualization/applicationgroups/read
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Resources/deployments/*
Microsoft.Authorization/*/read
Microsoft.Insights/alertRules/*
Microsoft.Support/*

notActions None

dataActions None

notDataActions None

Desktop Virtualization Workspace Reader

The Desktop Virtualization Workspace Reader role allows viewing all aspects of a
workspace, but doesn't allow changes.

ID: 0fa44ee9-7a7d-466b-9bb2-2bf446b1204d

Action type Permissions

actions Microsoft.DesktopVirtualization/workspaces/read
Microsoft.DesktopVirtualization/applicationgroups/read
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Resources/deployments/read
Microsoft.Authorization/*/read
Microsoft.Insights/alertRules/read
Microsoft.Support/*

notActions None

dataActions None

notDataActions None

Desktop Virtualization User Session Operator

The Desktop Virtualization User Session Operator role allows sending messages, disconnecting
sessions, and using the logoff function to sign users out of a session host. However, this role
doesn't allow host pool or session host management like removing a session host, changing
drain mode, and so on. This role can see assignments, but can't modify members. We
recommend you assign this role to specific host pools. If you assign this role at a resource
group level, it provides read permission on all host pools under a resource group.

ID: ea4bfff8-7fb4-485a-aadd-d4129a0ffaa6

Action type Permissions

actions Microsoft.DesktopVirtualization/hostpools/read
Microsoft.DesktopVirtualization/hostpools/sessionhosts/read
Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/*
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Resources/deployments/*
Microsoft.Authorization/*/read
Microsoft.Insights/alertRules/*
Microsoft.Support/*

notActions None

dataActions None

notDataActions None

Desktop Virtualization Session Host Operator

The Desktop Virtualization Session Host Operator role allows viewing and removing session
hosts, and changing drain mode. This role can't add session hosts using the Azure portal
because it doesn't have write permission for host pool objects. For adding session hosts outside
of the Azure portal, if the registration token is valid (generated and not expired), this role can
add session hosts to the host pool if the Virtual Machine Contributor role is also assigned.

ID: 2ad6aaab-ead9-4eaa-8ac5-da422f562408

Action type Permissions

actions Microsoft.DesktopVirtualization/hostpools/read
Microsoft.DesktopVirtualization/hostpools/sessionhosts/*
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Resources/deployments/*
Microsoft.Authorization/*/read
Microsoft.Insights/alertRules/*
Microsoft.Support/*

notActions None

dataActions None

notDataActions None
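The User Session Operator and Session Host Operator descriptions above state what each role can and cannot do (sending messages but not writing host pools; removing session hosts but not adding them through the portal). The following Python script, added here and not part of the Azure documentation, reproduces those decisions by applying Azure RBAC's wildcard matching to the permission lists transcribed from this page's tables; the evaluator is a local reimplementation of the matching rules, not an Azure SDK call, and the role and operation strings are the ones printed above.

```python
"""Least-privilege check for Azure Virtual Desktop built-in RBAC roles.

Added example, not code from the Azure documentation. The role definitions
below are transcribed from the permission tables on this page; the evaluator
mirrors Azure RBAC semantics: an operation is permitted when it matches an
entry in `actions` (or `dataActions` for data-plane operations) and matches no
entry in `notActions` (or `notDataActions`). A `*` wildcard matches any run of
characters, including `/`, and comparison is case-insensitive.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class RoleDefinition:
    name: str
    actions: tuple[str, ...] = ()
    not_actions: tuple[str, ...] = ()
    data_actions: tuple[str, ...] = ()
    not_data_actions: tuple[str, ...] = ()


def operation_matches(pattern: str, operation: str) -> bool:
    """True when `operation` is covered by `pattern` under the `*` wildcard rule."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, operation, flags=re.IGNORECASE) is not None


def permits(role: RoleDefinition, operation: str, *, data_action: bool = False) -> bool:
    """RBAC decision for one role: a matching deny entry wins, otherwise any allow entry."""
    allow = role.data_actions if data_action else role.actions
    deny = role.not_data_actions if data_action else role.not_actions
    if any(operation_matches(p, operation) for p in deny):
        return False
    return any(operation_matches(p, operation) for p in allow)


def roles_permitting(roles, operation: str, *, data_action: bool = False) -> list[str]:
    """Names of the roles that grant `operation`; the candidates for a least-privilege assignment."""
    return [r.name for r in roles if permits(r, operation, data_action=data_action)]


# Entries shared by the management roles on this page.
COMMON = (
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Resources/deployments/*",
    "Microsoft.Authorization/*/read",
    "Microsoft.Insights/alertRules/*",
    "Microsoft.Support/*",
)

HOST_POOL_CONTRIBUTOR = RoleDefinition(
    "Desktop Virtualization Host Pool Contributor",
    actions=("Microsoft.DesktopVirtualization/hostpools/*",) + COMMON,
)
USER_SESSION_OPERATOR = RoleDefinition(
    "Desktop Virtualization User Session Operator",
    actions=(
        "Microsoft.DesktopVirtualization/hostpools/read",
        "Microsoft.DesktopVirtualization/hostpools/sessionhosts/read",
        "Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/*",
    ) + COMMON,
)
SESSION_HOST_OPERATOR = RoleDefinition(
    "Desktop Virtualization Session Host Operator",
    actions=(
        "Microsoft.DesktopVirtualization/hostpools/read",
        "Microsoft.DesktopVirtualization/hostpools/sessionhosts/*",
    ) + COMMON,
)
DESKTOP_VIRTUALIZATION_USER = RoleDefinition(
    "Desktop Virtualization User",
    data_actions=("Microsoft.DesktopVirtualization/applicationGroups/useApplications/action",),
)
ROLES = (HOST_POOL_CONTRIBUTOR, USER_SESSION_OPERATOR, SESSION_HOST_OPERATOR, DESKTOP_VIRTUALIZATION_USER)

# Operations discussed on this page.
SEND_MESSAGE = "Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/sendMessage/action"
HOST_POOL_WRITE = "Microsoft.DesktopVirtualization/hostpools/write"
SESSION_HOST_DELETE = "Microsoft.DesktopVirtualization/hostpools/sessionhosts/delete"
ROLE_ASSIGNMENT_WRITE = "Microsoft.Authorization/roleAssignments/write"

if __name__ == "__main__":
    for op in (SEND_MESSAGE, HOST_POOL_WRITE, SESSION_HOST_DELETE, ROLE_ASSIGNMENT_WRITE):
        granted = roles_permitting(ROLES, op) or ["none of these roles"]
        print(f"{op}\n  granted by: {', '.join(granted)}")
```

Note that `Microsoft.Authorization/*/read` lets the User Session Operator see role assignments but never write them, which is why the earlier section requires User Access Administrator or Owner to assign users to an application group.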

Desktop Virtualization Power On Contributor

The Desktop Virtualization Power On Contributor role is used to allow the Azure Virtual Desktop
Resource Provider to start virtual machines.

ID: 489581de-a3bd-480d-9518-53dea7416b33

Action type Permissions

actions Microsoft.Compute/virtualMachines/start/action
Microsoft.Compute/virtualMachines/read
Microsoft.Compute/virtualMachines/instanceView/read
Microsoft.Authorization/*/read
Microsoft.Insights/alertRules/*
Microsoft.Resources/deployments/*
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.AzureStackHCI/virtualMachineInstances/read
Microsoft.AzureStackHCI/virtualMachineInstances/start/action
Microsoft.AzureStackHCI/virtualMachineInstances/stop/action
Microsoft.AzureStackHCI/virtualMachineInstances/restart/action
Microsoft.HybridCompute/machines/read
Microsoft.HybridCompute/operations/read
Microsoft.HybridCompute/locations/operationresults/read
Microsoft.HybridCompute/locations/operationstatus/read

notActions None

dataActions None

notDataActions None

Desktop Virtualization Power On Off Contributor

The Desktop Virtualization Power On Off Contributor role is used to allow the Azure Virtual
Desktop Resource Provider to start and stop virtual machines.

ID: 40c5ff49-9181-41f8-ae61-143b0e78555e

Action type Permissions

actions Microsoft.Compute/virtualMachines/start/action
Microsoft.Compute/virtualMachines/read
Microsoft.Compute/virtualMachines/instanceView/read
Microsoft.Compute/virtualMachines/deallocate/action
Microsoft.Compute/virtualMachines/restart/action
Microsoft.Compute/virtualMachines/powerOff/action
Microsoft.Insights/eventtypes/values/read
Microsoft.Authorization/*/read
Microsoft.Insights/alertRules/*
Microsoft.Resources/deployments/*
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.DesktopVirtualization/hostpools/read
Microsoft.DesktopVirtualization/hostpools/write
Microsoft.DesktopVirtualization/hostpools/sessionhosts/read
Microsoft.DesktopVirtualization/hostpools/sessionhosts/write
Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/delete
Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/read
Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/sendMessage/action
Microsoft.AzureStackHCI/virtualMachineInstances/read
Microsoft.AzureStackHCI/virtualMachineInstances/start/action
Microsoft.AzureStackHCI/virtualMachineInstances/stop/action
Microsoft.AzureStackHCI/virtualMachineInstances/restart/action
Microsoft.HybridCompute/machines/read
Microsoft.HybridCompute/operations/read
Microsoft.HybridCompute/locations/operationresults/read
Microsoft.HybridCompute/locations/operationstatus/read
notActions None

dataActions None

notDataActions None

Desktop Virtualization Virtual Machine Contributor

The Desktop Virtualization Virtual Machine Contributor role is used to allow the Azure Virtual
Desktop Resource Provider to create, delete, update, start, and stop virtual machines.

ID: a959dbd1-f747-45e3-8ba6-dd80f235f97c


Action type Permissions

actions Microsoft.DesktopVirtualization/hostpools/read
Microsoft.DesktopVirtualization/hostpools/write
Microsoft.DesktopVirtualization/hostpools/retrieveRegistrationToken/action
Microsoft.DesktopVirtualization/hostpools/sessionhosts/read
Microsoft.DesktopVirtualization/hostpools/sessionhosts/write
Microsoft.DesktopVirtualization/hostpools/sessionhosts/delete
Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/read
Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/disconnect/action
Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/sendMessage/action
Microsoft.DesktopVirtualization/hostpools/sessionHostConfigurations/read
Microsoft.Compute/availabilitySets/read
Microsoft.Compute/availabilitySets/write
Microsoft.Compute/availabilitySets/vmSizes/read
Microsoft.Compute/disks/read
Microsoft.Compute/disks/write
Microsoft.Compute/disks/delete
Microsoft.Compute/galleries/read
Microsoft.Compute/galleries/images/read
Microsoft.Compute/galleries/images/versions/read
Microsoft.Compute/images/read
Microsoft.Compute/locations/usages/read
Microsoft.Compute/locations/vmSizes/read
Microsoft.Compute/operations/read
Microsoft.Compute/skus/read
Microsoft.Compute/virtualMachines/read
Microsoft.Compute/virtualMachines/write
Microsoft.Compute/virtualMachines/delete
Microsoft.Compute/virtualMachines/start/action
Microsoft.Compute/virtualMachines/powerOff/action
Microsoft.Compute/virtualMachines/restart/action
Microsoft.Compute/virtualMachines/deallocate/action
Microsoft.Compute/virtualMachines/runCommand/action
Microsoft.Compute/virtualMachines/extensions/read
Microsoft.Compute/virtualMachines/extensions/write
Microsoft.Compute/virtualMachines/extensions/delete
Microsoft.Compute/virtualMachines/runCommands/read
Microsoft.Compute/virtualMachines/runCommands/write
Microsoft.Compute/virtualMachines/vmSizes/read
Microsoft.Network/networkSecurityGroups/read
Microsoft.Network/networkInterfaces/write
Microsoft.Network/networkInterfaces/read
Microsoft.Network/networkInterfaces/join/action
Microsoft.Network/networkInterfaces/delete
Microsoft.Network/virtualNetworks/subnets/read
Microsoft.Network/virtualNetworks/subnets/join/action
Microsoft.Marketplace/offerTypes/publishers/offers/plans/agreements/read
Microsoft.KeyVault/vaults/deploy/action
Microsoft.Storage/storageAccounts/read
Microsoft.Authorization/*/read
Microsoft.Insights/alertRules/*
Microsoft.Resources/deployments/*
Microsoft.Resources/subscriptions/resourceGroups/read

notActions None

dataActions None

notDataActions None



Assign Azure RBAC roles or Microsoft
Entra roles to the Azure Virtual Desktop
service principals
Article • 10/22/2024

Several Azure Virtual Desktop features require you to assign Azure role-based access
control (Azure RBAC) roles or Microsoft Entra roles to one of the Azure Virtual Desktop
service principals. Features that you need to assign a role to an Azure Virtual Desktop
service principal include:

App attach (when using Azure Files and your session hosts are joined to Microsoft
Entra ID).
Autoscale.
Session host update.
Start VM on Connect.

Tip

You can find which role or roles you need to assign to which service principal in the
article for each feature. For a list of all the available Azure RBAC roles created
specifically for Azure Virtual Desktop, see Built-in Azure RBAC roles for Azure
Virtual Desktop. To learn more about Azure RBAC, see Azure RBAC documentation
or for Microsoft Entra roles, see Microsoft Entra roles documentation.

Depending on when you registered the Microsoft.DesktopVirtualization resource
provider, the service principal names begin with either Azure Virtual Desktop or
Windows Virtual Desktop. If you used both Azure Virtual Desktop Classic and Azure
Virtual Desktop (Azure Resource Manager), you see apps with the same name. You can
make sure you're assigning roles to the correct service principal by checking its
application ID. The application ID for each service principal is in the following table:

Service principal                                                            Application ID
Azure Virtual Desktop / Windows Virtual Desktop                              9cdead84-a844-4324-93f2-b2e6bb768d07
Azure Virtual Desktop Client / Windows Virtual Desktop Client                a85cf173-4192-42f8-81fa-777a763e6e2c
Azure Virtual Desktop ARM Provider / Windows Virtual Desktop ARM Provider    50e95039-b200-4007-bc97-8d5790743a63

This article shows you how to assign Azure RBAC roles or Microsoft Entra roles to the
correct Azure Virtual Desktop service principals by using the Azure portal, Azure CLI, or
Azure PowerShell.

Prerequisites
Before you can assign a role to an Azure Virtual Desktop service principal, you need to
meet the following prerequisites:

To assign Azure RBAC roles, you must have the
Microsoft.Authorization/roleAssignments/write permission to an Azure
subscription in order to assign roles on that subscription. This permission is part of
the Owner or User Access Administrator built-in roles.

To assign Microsoft Entra roles, you must have the Privileged Role Administrator or
Global Administrator role.

If you want to use Azure PowerShell or Azure CLI locally, see Use Azure CLI and
Azure PowerShell with Azure Virtual Desktop to make sure you have the
Az.DesktopVirtualization PowerShell module or desktopvirtualization Azure CLI
extension installed. Alternatively, use the Azure Cloud Shell.

Assign an Azure RBAC role to an Azure Virtual Desktop service principal
To assign an Azure RBAC role to an Azure Virtual Desktop service principal, select the
relevant tab for your scenario and follow the steps. In these examples, the scope of the
role assignment is an Azure subscription, but you need to use the scope and the role
required by each feature.

Azure portal

Here's how to assign an Azure RBAC role to an Azure Virtual Desktop service
principal scoped to a subscription using the Azure portal.

1. Sign in to the Azure portal.

2. In the search box, enter Microsoft Entra ID and select the matching service
entry.

3. On the Overview page, in the search box for Search your tenant, enter the
application ID for the service principal you want to assign from the earlier
table.

4. In the results, select the matching enterprise application for the service
principal you want to assign, starting either Azure Virtual Desktop or
Windows Virtual Desktop.

5. Under properties, make a note of the name and the object ID. The object ID
correlates to the application ID, and is unique to your tenant.

6. In the search box, enter Subscriptions and select the matching service entry.

7. Select the subscription you want to add the role assignment to.

8. Select Access control (IAM), then select + Add followed by Add role
assignment.

9. Select the role you want to assign to the Azure Virtual Desktop service
principal, then select Next.

10. Ensure Assign access to is set to Microsoft Entra user, group, or service
principal, then select Select members.

11. Enter the name of the enterprise application you made a note of earlier.

12. Select the matching entry from the results, then select Select. If you have two
entries with the same name, select them both for now.

13. Review the list of members in the table. If you have two entries, remove the
entry that doesn't match the object ID you made a note of earlier.

14. Select Next, then select Review + assign to complete the role assignment.
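The same assignment done with Azure PowerShell, as an added example that is not part of the article: the service principal is resolved by its application ID from the table above, so the duplicate-name problem in steps 12 and 13 cannot arise, and the assignment is only created when it does not already exist at that scope. The role, scope and placeholder names in the final call are assumptions to replace with the ones each feature requires.

```powershell
# Added example (not from the article): assign an Azure RBAC role to an Azure Virtual
# Desktop service principal with Azure PowerShell. Requires the Az.Accounts and
# Az.Resources modules and an existing Connect-AzAccount session.

# Application IDs from the table in the article. Object IDs are tenant-specific, so
# they are always looked up rather than hard-coded.
$AvdServicePrincipals = @{
    'Azure Virtual Desktop'              = '9cdead84-a844-4324-93f2-b2e6bb768d07'
    'Azure Virtual Desktop Client'       = 'a85cf173-4192-42f8-81fa-777a763e6e2c'
    'Azure Virtual Desktop ARM Provider' = '50e95039-b200-4007-bc97-8d5790743a63'
}

function Set-AvdServicePrincipalRoleAssignment {
    [CmdletBinding(SupportsShouldProcess)]
    param (
        [Parameter(Mandatory)]
        [ValidateSet('Azure Virtual Desktop', 'Azure Virtual Desktop Client', 'Azure Virtual Desktop ARM Provider')]
        [string] $ServicePrincipalName,

        # Role and scope come from the feature you are enabling; use the narrowest
        # scope the feature allows rather than the whole subscription.
        [Parameter(Mandatory)][string] $RoleDefinitionName,
        [Parameter(Mandatory)][string] $Scope
    )

    $appId = $AvdServicePrincipals[$ServicePrincipalName]

    # Resolve by application ID: the display name may read "Windows Virtual Desktop"
    # in older tenants, and two apps share a name when Classic and ARM were both used.
    $sp = @(Get-AzADServicePrincipal -ApplicationId $appId)
    if ($sp.Count -eq 0) {
        throw "No service principal with application ID $appId exists in this tenant. Register the Microsoft.DesktopVirtualization resource provider first."
    }
    if ($sp.Count -ne 1) {
        throw "Expected exactly one service principal for application ID $appId, found $($sp.Count)."
    }
    $sp = $sp[0]

    # Idempotent: Get-AzRoleAssignment also returns assignments inherited from parent
    # scopes, so filter to an exact scope match before deciding nothing is needed.
    $existing = Get-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName $RoleDefinitionName -Scope $Scope |
        Where-Object { $_.Scope -eq $Scope }
    if ($existing) {
        Write-Verbose "'$RoleDefinitionName' is already assigned to $($sp.DisplayName) ($($sp.Id)) at $Scope."
        return $existing
    }

    if ($PSCmdlet.ShouldProcess("$($sp.DisplayName) ($($sp.Id))", "Assign '$RoleDefinitionName' at $Scope")) {
        New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName $RoleDefinitionName -Scope $Scope
    }
}

# Example call with placeholder names: the built-in "Desktop Virtualization Power On
# Contributor" role scoped to one resource group, as used by Start VM on Connect.
Set-AvdServicePrincipalRoleAssignment -ServicePrincipalName 'Azure Virtual Desktop' `
    -RoleDefinitionName 'Desktop Virtualization Power On Contributor' `
    -Scope '/subscriptions/<subscription-id>/resourceGroups/<resource-group-name>' -Verbose
```

Run it with -WhatIf first to see which principal and scope would be affected without creating anything.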

Assign a Microsoft Entra role to an Azure Virtual Desktop service principal
To assign a Microsoft Entra role to an Azure Virtual Desktop service principal, select the
relevant tab for your scenario and follow the steps. In these examples, the scope of the
role assignment is an Azure subscription, but you need to use the scope and the role
required by each feature.

Here's how to assign a Microsoft Entra role to an Azure Virtual Desktop service principal
scoped to a tenant using the Azure portal.

1. Sign in to the Azure portal.

2. In the search box, enter Microsoft Entra ID and select the matching service entry.

3. Select Roles and administrators.

4. Search for and select the name of the role you want to assign. If you want to
assign a custom role, see Create a custom role to create it first.

5. Select Add assignments.

6. In the search box, enter the application ID for the service principal you want to
assign from the earlier table, for example 9cdead84-a844-4324-93f2-b2e6bb768d07.

7. Check the box next to the matching entry, then select Add to complete the role
assignment.

Next steps
Learn more about the built-in Azure RBAC roles for Azure Virtual Desktop.



Configure single sign-on for Azure
Virtual Desktop using Microsoft Entra ID
Article • 09/17/2024

Single sign-on (SSO) for Azure Virtual Desktop using Microsoft Entra ID provides a
seamless sign-in experience for users connecting to session hosts. When you enable
single sign-on, users authenticate to Windows using a Microsoft Entra ID token. This
token enables the use of passwordless authentication and third-party identity providers
that federate with Microsoft Entra ID when connecting to a session host, making the
sign-in experience seamless.

Single sign-on using Microsoft Entra ID also provides a seamless experience for
Microsoft Entra ID-based resources within the session. For more information on using
passwordless authentication within a session, see In-session passwordless
authentication.

To enable single sign-on using Microsoft Entra ID authentication, there are five tasks you
must complete:

1. Enable Microsoft Entra authentication for Remote Desktop Protocol (RDP).

2. Hide the consent prompt dialog.

3. Create a Kerberos Server object, if Active Directory Domain Services is part of your
environment. More information on the criteria is included in its section.

4. Review your conditional access policies.

5. Configure your host pool to enable single sign-on.

Before enabling single sign-on

Before you enable single sign-on, review the following information for using it in your
environment.

Session lock behavior

When single sign-on using Microsoft Entra ID is enabled and the remote session is
locked, either by the user or by policy, you can choose whether the session is
disconnected or the remote lock screen is shown. The default behavior is to disconnect
the session when it locks.

When the session lock behavior is set to disconnect, a dialog is shown to let users know
they were disconnected. Users can choose the Reconnect option from the dialog when
they're ready to connect again. This behavior is done for security reasons and to ensure
full support of passwordless authentication. Disconnecting the session provides the
following benefits:

Consistent sign-in experience through Microsoft Entra ID when needed.

Single sign-on experience and reconnection without authentication prompt when
allowed by conditional access policies.

Supports passwordless authentication like passkeys and FIDO2 devices, contrary to
the remote lock screen.

Conditional access policies, including multifactor authentication and sign-in
frequency, are reevaluated when the user reconnects to their session.

Can require multifactor authentication to return to the session and prevent users
from unlocking with a simple username and password.

If you want to configure the session lock behavior to show the remote lock screen
instead of disconnecting the session, see Configure the session lock behavior.

Active Directory domain administrator accounts with single sign-on
In environments with an Active Directory Domain Services (AD DS) and hybrid user
accounts, the default Password Replication Policy on read-only domain controllers denies
password replication for members of Domain Admins and Administrators security
groups. This policy prevents these administrator accounts from signing in to Microsoft
Entra hybrid joined hosts and might keep prompting them to enter their credentials. It
also prevents administrator accounts from accessing on-premises resources that use
Kerberos authentication from Microsoft Entra joined hosts. We don't recommend
connecting to a remote session using an account that is a domain administrator for
security reasons.

If you need to make changes to a session host as an administrator, sign in to the session
host using a non-administrator account, then use the Run as administrator option or the
runas tool from a command prompt to change to an administrator.

Prerequisites
Before you can enable single sign-on, you must meet the following prerequisites:

To configure your Microsoft Entra tenant, you must be assigned one of the
following Microsoft Entra built-in roles or equivalent:

Application Administrator

Cloud Application Administrator

Your session hosts must be running one of the following operating systems with
the relevant cumulative update installed:

Windows 11 Enterprise single or multi-session with the 2022-10 Cumulative
Updates for Windows 11 (KB5018418) or later installed.

Windows 10 Enterprise single or multi-session with the 2022-10 Cumulative
Updates for Windows 10 (KB5018410) or later installed.

Windows Server 2022 with the 2022-10 Cumulative Update for Microsoft server
operating system (KB5018421) or later installed.

Your session hosts must be Microsoft Entra joined or Microsoft Entra hybrid joined.
Session hosts joined to Microsoft Entra Domain Services or to Active Directory
Domain Services only aren't supported.

If your Microsoft Entra hybrid joined session hosts are in a different Active
Directory domain than your user accounts, there must be a two-way trust between
the two domains. Without the two-way trust, connections fall back to older
authentication protocols.

Install the Microsoft Graph PowerShell SDK version 2.9.0 or later on your local
device or in Azure Cloud Shell.

A supported Remote Desktop client to connect to a remote session. The following
clients are supported:

Windows Desktop client on local PCs running Windows 10 or later. There's no
requirement for the local PC to be joined to Microsoft Entra ID or an Active
Directory domain.

Web client.

macOS client, version 10.8.2 or later.

iOS client, version 10.5.1 or later.

Android client, version 10.0.16 or later.


Enable Microsoft Entra authentication for RDP
You must first allow Microsoft Entra authentication for Windows in your Microsoft Entra
tenant, which enables issuing RDP access tokens allowing users to sign in to your Azure
Virtual Desktop session hosts. You set the isRemoteDesktopProtocolEnabled property to
true on the service principal's remoteDesktopSecurityConfiguration object for the
following Microsoft Entra applications:


Application Name Application ID

Microsoft Remote Desktop a4a365df-50f1-4397-bc59-1a1564b8bb9c

Windows Cloud Login 270efc09-cd0d-444b-a71f-39af4910ec45

Important

As part of an upcoming change, we're transitioning from Microsoft Remote
Desktop to Windows Cloud Login, beginning in 2024. Configuring both
applications now ensures you're ready for the change.

To configure the service principal, use the Microsoft Graph PowerShell SDK to create a
new remoteDesktopSecurityConfiguration object on the service principal and set the
property isRemoteDesktopProtocolEnabled to true. You can also use the Microsoft
Graph API with a tool such as Graph Explorer.

1. Open Azure Cloud Shell in the Azure portal with the PowerShell terminal type, or
run PowerShell on your local device.

If you're using Cloud Shell, make sure your Azure context is set to the
subscription that you want to use.

If you're using PowerShell locally, first sign in with Azure PowerShell, and then
make sure your Azure context is set to the subscription that you want to use.

2. Make sure you installed the Microsoft Graph PowerShell SDK from the
prerequisites, then import the Authentication and Applications Microsoft Graph
modules and connect to Microsoft Graph with the Application.Read.All and
Application-RemoteDesktopConfig.ReadWrite.All scopes by running the following
commands:

PowerShell

Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Applications

Connect-MgGraph -Scopes "Application.Read.All","Application-RemoteDesktopConfig.ReadWrite.All"

3. Get the object ID for each service principal and store them in variables by running
the following commands:

PowerShell

$MSRDspId = (Get-MgServicePrincipal -Filter "AppId eq 'a4a365df-50f1-4397-bc59-1a1564b8bb9c'").Id
$WCLspId = (Get-MgServicePrincipal -Filter "AppId eq '270efc09-cd0d-444b-a71f-39af4910ec45'").Id

4. Set the property isRemoteDesktopProtocolEnabled to true by running the following
commands. There's no output from these commands.

PowerShell

# Only update a service principal whose configuration doesn't already have the
# property set; comparing the IsRemoteDesktopProtocolEnabled property rather than the
# whole configuration object makes the check meaningful.
If ((Get-MgServicePrincipalRemoteDesktopSecurityConfiguration -ServicePrincipalId $MSRDspId).IsRemoteDesktopProtocolEnabled -ne $true) {
    Update-MgServicePrincipalRemoteDesktopSecurityConfiguration -ServicePrincipalId $MSRDspId -IsRemoteDesktopProtocolEnabled
}

If ((Get-MgServicePrincipalRemoteDesktopSecurityConfiguration -ServicePrincipalId $WCLspId).IsRemoteDesktopProtocolEnabled -ne $true) {
    Update-MgServicePrincipalRemoteDesktopSecurityConfiguration -ServicePrincipalId $WCLspId -IsRemoteDesktopProtocolEnabled
}

5. Confirm the property isRemoteDesktopProtocolEnabled is set to true by running
the following commands:

PowerShell

Get-MgServicePrincipalRemoteDesktopSecurityConfiguration -ServicePrincipalId $MSRDspId
Get-MgServicePrincipalRemoteDesktopSecurityConfiguration -ServicePrincipalId $WCLspId

The output should be:

Output

Id IsRemoteDesktopProtocolEnabled
-- ------------------------------
id True

Hide the consent prompt dialog

By default when single sign-on is enabled, users see a dialog to allow the Remote
Desktop connection when connecting to a new session host. Microsoft Entra remembers
up to 15 hosts for 30 days before prompting again. If users see this dialog to allow
the Remote Desktop connection, they can select Yes to connect.

You can hide this dialog by configuring a list of trusted devices. To configure the list of
devices, create one or more groups in Microsoft Entra ID that contains your session
hosts, then add the group IDs to a property on the SSO service principals, Microsoft
Remote Desktop and Windows Cloud Login.

Tip

We recommend you use a dynamic group and configure the dynamic membership
rules to include all your Azure Virtual Desktop session hosts. You can use the device
names in this group, but for a more secure option, you can set and use device
extension attributes using Microsoft Graph API. While dynamic groups normally
update within 5-10 minutes, large tenants can take up to 24 hours.

Dynamic groups require the Microsoft Entra ID P1 license or Intune for Education
license. For more information, see Dynamic membership rules for groups.

To configure the service principal, use the Microsoft Graph PowerShell SDK to create a
new targetDeviceGroup object on the service principal with the dynamic group's object
ID and display name. You can also use the Microsoft Graph API with a tool such as
Graph Explorer.

1. Create a dynamic group in Microsoft Entra ID containing the session hosts for
which you want to hide the dialog. Make a note of the object ID of the group for
the next step.

2. In the same PowerShell session, create a targetDeviceGroup object by running the
following commands, replacing the <placeholders> with your own values:

PowerShell

$tdg = New-Object -TypeName Microsoft.Graph.PowerShell.Models.MicrosoftGraphTargetDeviceGroup
$tdg.Id = "<Group object ID>"
$tdg.DisplayName = "<Group display name>"

3. Add the group to the targetDeviceGroup object by running the following
commands:

PowerShell

New-MgServicePrincipalRemoteDesktopSecurityConfigurationTargetDeviceGroup -ServicePrincipalId $MSRDspId -BodyParameter $tdg
New-MgServicePrincipalRemoteDesktopSecurityConfigurationTargetDeviceGroup -ServicePrincipalId $WCLspId -BodyParameter $tdg

The output should be similar to the following example:

Output

Id DisplayName
-- -----------
12345678-abcd-1234-abcd-1234567890ab Contoso-session-hosts

Repeat steps 2 and 3 for each group you want to add to the targetDeviceGroup
object, up to a maximum of 10 groups.

4. If you later need to remove a device group from the targetDeviceGroup object, run
the following commands, replacing the <placeholders> with your own values:

PowerShell

Remove-MgServicePrincipalRemoteDesktopSecurityConfigurationTargetDeviceGroup -ServicePrincipalId $MSRDspId -TargetDeviceGroupId "<Group object ID>"
Remove-MgServicePrincipalRemoteDesktopSecurityConfigurationTargetDeviceGroup -ServicePrincipalId $WCLspId -TargetDeviceGroupId "<Group object ID>"
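As an added check that is not part of the article, the following script audits the two tasks above (RDP authentication enabled, trusted device groups configured) for both the Microsoft Remote Desktop and Windows Cloud Login applications in one pass, so a half-finished configuration is visible at a glance. It assumes the read-only Application-RemoteDesktopConfig.Read.All scope and the Get-MgServicePrincipalRemoteDesktopSecurityConfigurationTargetDeviceGroup cmdlet (the list counterpart of the New-/Remove- cmdlets used above); the expected group ID in the final call is a placeholder.

```powershell
# Added example (not from the article): audit the Microsoft Entra side of single
# sign-on for both applications. Microsoft Graph PowerShell SDK 2.9.0 or later.
Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Applications

# Assumption: a read-only scope is sufficient for an audit; the ReadWrite scope from the
# article is only needed when changing the configuration.
Connect-MgGraph -Scopes "Application.Read.All","Application-RemoteDesktopConfig.Read.All"

# Application IDs from the table in the article.
$SsoApplications = @{
    'Microsoft Remote Desktop' = 'a4a365df-50f1-4397-bc59-1a1564b8bb9c'
    'Windows Cloud Login'      = '270efc09-cd0d-444b-a71f-39af4910ec45'
}

function Test-AvdEntraSsoConfiguration {
    [CmdletBinding()]
    param (
        # Object IDs of the Entra groups that are expected to be trusted (optional).
        [string[]] $ExpectedGroupId = @()
    )

    foreach ($name in $SsoApplications.Keys) {
        $appId = $SsoApplications[$name]
        $findings = [System.Collections.Generic.List[string]]::new()

        $sp = Get-MgServicePrincipal -Filter "AppId eq '$appId'"
        if (-not $sp) {
            $findings.Add('service principal not found in this tenant')
            [pscustomobject]@{
                Application = $name; ServicePrincipalId = $null; RdpEnabled = $false
                TargetDeviceGroups = @(); Findings = $findings.ToArray()
            }
            continue
        }

        # Task 1: isRemoteDesktopProtocolEnabled must be true. The configuration object
        # may not exist yet, in which case the Get- call errors and $config stays $null.
        $config = Get-MgServicePrincipalRemoteDesktopSecurityConfiguration -ServicePrincipalId $sp.Id -ErrorAction SilentlyContinue
        $rdpEnabled = [bool]$config.IsRemoteDesktopProtocolEnabled
        if (-not $rdpEnabled) { $findings.Add('isRemoteDesktopProtocolEnabled is not true') }

        # Task 2: trusted device groups. Assumption: this Get- cmdlet lists the
        # targetDeviceGroups created with the New- cmdlet in the article.
        $groups = @(Get-MgServicePrincipalRemoteDesktopSecurityConfigurationTargetDeviceGroup -ServicePrincipalId $sp.Id -ErrorAction SilentlyContinue)
        if ($groups.Count -eq 0) { $findings.Add('no trusted device group: users will see the consent prompt') }
        foreach ($id in $ExpectedGroupId) {
            if ($groups.Id -notcontains $id) { $findings.Add("expected device group $id is not trusted") }
        }

        [pscustomobject]@{
            Application        = $name
            ServicePrincipalId = $sp.Id
            RdpEnabled         = $rdpEnabled
            TargetDeviceGroups = @($groups | ForEach-Object { "$($_.DisplayName) ($($_.Id))" })
            Findings           = $findings.ToArray()
        }
    }
}

# An empty Findings list for both applications means the Entra configuration is complete.
Test-AvdEntraSsoConfiguration -ExpectedGroupId '<Group object ID>' | Format-List
```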

Create a Kerberos server object

If your session hosts meet the following criteria, you must create a Kerberos server
object. For more information, see Enable passwordless security key sign-in to
on-premises resources by using Microsoft Entra ID, specifically the section to Create a
Kerberos Server object:

Your session host is Microsoft Entra hybrid joined. You must have a Kerberos server
object to complete authentication to a domain controller.

Your session host is Microsoft Entra joined and your environment contains Active
Directory domain controllers. You must have a Kerberos server object for users to
access on-premises resources, such as SMB shares and Windows-integrated
authentication to websites.

Important

If you enable single sign-on on Microsoft Entra hybrid joined session hosts without
creating a Kerberos server object, one of the following things can happen when you
try to connect to a remote session:

You receive an error message saying the specific session doesn't exist.

Single sign-on will be skipped and you see a standard authentication dialog
for the session host.

To resolve these issues, create the Kerberos server object, then connect again.

Review your conditional access policies

When single sign-on is enabled, a new Microsoft Entra ID app is introduced to
authenticate users to the session host. If you have conditional access policies that apply
when accessing Azure Virtual Desktop, review the recommendations on setting up
multifactor authentication to ensure users have the desired experience.

Configure your host pool to enable single sign-on
To enable single sign-on on your host pool, you must configure the following RDP
property, which you can do using the Azure portal or PowerShell. You can find the steps
to configure RDP properties in Customize Remote Desktop Protocol (RDP) properties
for a host pool.

In the Azure portal, set Microsoft Entra single sign-on to Connections will use
Microsoft Entra authentication to provide single sign-on.
For PowerShell, set the enablerdsaadauth property to 1.
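Setting the property with PowerShell, as an added example that is not part of the article: Update-AzWvdHostPool -CustomRdpProperty overwrites the whole custom RDP property string, so the function below reads the host pool's current properties, merges enablerdsaadauth:i:1 into them and writes the result back instead of dropping the other settings. The resource group and host pool names are placeholders; the Az.DesktopVirtualization module and a signed-in Azure PowerShell session are assumed.

```powershell
# Added example (not from the article): enable single sign-on on a host pool without
# losing its other custom RDP properties. Requires Az.DesktopVirtualization.

function Set-AvdHostPoolRdpProperty {
    [CmdletBinding(SupportsShouldProcess)]
    param (
        [Parameter(Mandatory)][string] $ResourceGroupName,
        [Parameter(Mandatory)][string] $HostPoolName,

        # Property name -> "type:value", for example @{ 'enablerdsaadauth' = 'i:1' }.
        [Parameter(Mandatory)][hashtable] $Property
    )

    $hostPool = Get-AzWvdHostPool -ResourceGroupName $ResourceGroupName -Name $HostPoolName

    # Custom RDP properties are stored as one string: "name:type:value;name:type:value;".
    # Parse it into an ordered map so existing entries keep their position.
    $merged = [ordered]@{}
    foreach ($entry in ($hostPool.CustomRdpProperty -split ';')) {
        if ([string]::IsNullOrWhiteSpace($entry)) { continue }
        $name, $rest = $entry -split ':', 2
        $merged[$name.Trim()] = $rest
    }

    # Apply the requested properties, overriding any existing value with the same name.
    foreach ($name in $Property.Keys) { $merged[$name] = $Property[$name] }

    $newValue = ($merged.GetEnumerator() | ForEach-Object { "$($_.Key):$($_.Value)" }) -join ';'
    if ($newValue) { $newValue += ';' }

    if ($newValue -eq $hostPool.CustomRdpProperty) {
        Write-Verbose "Custom RDP properties on $HostPoolName are already up to date."
        return $hostPool
    }

    if ($PSCmdlet.ShouldProcess($HostPoolName, "Set custom RDP properties to '$newValue'")) {
        Update-AzWvdHostPool -ResourceGroupName $ResourceGroupName -Name $HostPoolName -CustomRdpProperty $newValue
    }
}

# Example call with placeholder names.
Set-AvdHostPoolRdpProperty -ResourceGroupName '<resource-group-name>' -HostPoolName '<host-pool-name>' `
    -Property @{ 'enablerdsaadauth' = 'i:1' } -Verbose
```

Run the function with -WhatIf to see the merged property string before it is written to the host pool.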

Next steps
Check out In-session passwordless authentication to learn how to enable
passwordless authentication.

Learn how to Configure the session lock behavior for Azure Virtual Desktop.

For more information about Microsoft Entra Kerberos, see Deep dive: How
Microsoft Entra Kerberos works .

If you encounter any issues, go to Troubleshoot connections to Microsoft Entra
joined VMs.



Configure single sign-on for Azure
Virtual Desktop using AD FS
Article • 03/10/2023

This article will walk you through the process of configuring Active Directory Federation
Service (AD FS) single sign-on (SSO) for Azure Virtual Desktop.

Note

Azure Virtual Desktop (Classic) doesn't support this feature.

Requirements
Before configuring AD FS single sign-on, you must have the following setup running in
your environment:

Session hosts running a supported version of Windows 10 or Windows 11.

You must deploy the Active Directory Certificate Services (CA) role. All servers
running the role must be domain-joined, have the latest Windows updates
installed, and be configured as enterprise certificate authorities.

You must deploy the Active Directory Federation Services (AD FS) role. All servers
running this role must be domain-joined, have the latest Windows updates
installed, and be running Windows Server 2016 or later. See our federation tutorial
to get started setting up this role.

We recommend setting up the Web Application Proxy role to secure your
environment's connection to the AD FS servers. All servers running this role must
have the latest Windows updates installed, and be running Windows Server 2016
or later. See this Web Application Proxy guide to get started setting up this role.

You must deploy Azure AD Connect to sync users to Azure AD. Azure AD Connect
must be configured in federation mode.

Set up your PowerShell environment for Azure Virtual Desktop on the AD FS server.

Note

This solution is not supported with Azure AD Domain Services. You must use an
Active Directory Domain Services domain controller.

Supported clients
The following Azure Virtual Desktop clients support this feature:

Windows Desktop client

Web client

Configure the certificate authority to issue certificates
You must properly create the following certificate templates so that AD FS can use SSO:

First, you'll need to create the Exchange Enrollment Agent (Offline Request)
certificate template. AD FS uses the Exchange Enrollment Agent certificate
template to request certificates on the user's behalf.
You'll also need to create the Smartcard Logon certificate template, which AD FS
will use to create the sign in certificate.

After you create these certificate templates, you'll need to enable the templates on the
certificate authority so AD FS can request them.

Note

This solution generates new short-term certificates every time a user signs in, which
can fill up the Certificate Authority database if you have many users. You can avoid
overloading your database by setting up a CA for non-persistent certificate
processing. If you do this, on the duplicated smartcard logon certificate template,
make sure you enable only Do not store certificates and requests in the CA
database. Don't enable Do not include revocation information in issued
certificates or the configuration won't work.

Create the enrollment agent certificate template


Depending on your environment, you may already have configured an enrollment agent
certificate template for other purposes like Windows Hello for Business, Logon
certificates or VPN certificates. If so, you will need to modify it to support SSO. If not,
you can create a new template.

To determine if you are already using an enrollment agent certificate template, run the
following PowerShell command on the AD FS server and see if a value is returned. If it's
empty, create a new enrollment agent certificate template. Otherwise, remember the
name and update the existing enrollment agent certificate template.

PowerShell

Import-Module adfs
(Get-AdfsCertificateAuthority).EnrollmentAgentCertificateTemplateName

To create a new enrollment agent certificate template:

1. On the certificate authority, run mmc.exe from the Start menu to launch the
Microsoft Management Console.

2. Select File... > Add/Remove Snap-in... > Certificate Templates > Add > OK to
view the list of certificate templates.

3. Expand the Certificate Templates, right-click Exchange Enrollment Agent (Offline
Request) and select Duplicate Template.

4. Select the General tab, then enter "ADFS Enrollment Agent" into the Template
display name field. This will automatically set the template name to
"ADFSEnrollmentAgent".

5. Select the Security tab, then select Add....

6. Next, select Object Types..., then Service Accounts, and then OK.

7. Enter the service account name for AD FS and select OK.

In an isolated AD FS setup, the service account will be named "adfssvc$"

If you set up AD FS using Azure AD Connect, the service account will be
named "aadcsvc$"

8. After the service account is added and is visible in the Security tab, select it in the
Group or user names pane, select Allow for both "Enroll" and "Autoenroll" in the
Permissions for the AD FS service account pane, then select OK to save.

To update an existing enrollment agent certificate template:

1. On the certificate authority, run mmc.exe from the Start menu to launch the
Microsoft Management Console.
2. Select File... > Add/Remove Snap-in... > Certificate Templates > Add > OK to
view the list of certificate templates.
3. Expand the Certificate Templates, double-click the template that corresponds to
the one configured on the AD FS server. On the General tab, the template name
should match the name you found above.
4. Select the Security tab, then select Add....
5. Next, select Object Types..., then Service Accounts, and then OK.
6. Enter the service account name for AD FS and select OK.

In an isolated AD FS setup, the service account will be named "adfssvc$"

If you set up AD FS using Azure AD Connect, the service account will be
named "aadcsvc$"

7. After the service account is added and is visible in the Security tab, select it in the
Group or user names pane, select Allow for both "Enroll" and "Autoenroll" in the
Permissions for the AD FS service account pane, then select OK to save.

Create the Smartcard Logon certificate template


To create the Smartcard Logon certificate template:

1. On the certificate authority, run mmc.exe from the Start menu to launch the
Microsoft Management Console.

2. Select File... > Add/Remove Snap-in... > Certificate Templates > Add > OK to view
the list of certificate templates.

3. Expand the Certificate Templates, right-click Smartcard Logon and select
Duplicate Template.

4. Select the General tab, then enter "ADFS SSO" into the Template display name
field. This will automatically set the template name to "ADFSSSO".

Note

Since this certificate is requested on-demand, we recommend shortening the
validity period to 8 hours and the renewal period to 1 hour.

5. Select the Subject name tab and then select Supply in the request. When you see
a warning message, select OK.

6. Select the Issuance Requirements tab.

7. Select This number of authorized signatures and enter the value of 1.

8. For Application policy, select Certificate Request Agent.

9. Select the Security tab, then select Add....

10. Select Object Types..., Service Accounts, and OK.

11. Enter the service account name for AD FS just like you did in the Create the
enrollment agent certificate template section.

In an isolated AD FS setup, the service account will be named "adfssvc$"

If you set up AD FS using Azure AD Connect, the service account will be
named "aadcsvc$"

12. After the service account is added and is visible in the Security tab, select it in the
Group or user names pane, select Allow for both "Enroll" and "Autoenroll", then
select OK to save.

Enable the new certificate templates

To enable the new certificate templates:

1. On the certificate authority, run mmc.exe from the Start menu to launch the
Microsoft Management Console.

2. Select File... > Add/Remove Snap-in... > Certification Authority > Add > Finish
> OK to view the Certification Authority.

3. Expand the Certification Authority on the left-hand pane and open Certificate
Templates.

4. Right-click in the middle pane that shows the list of certificate templates, select
New, then select Certificate Template to Issue.

5. Select both ADFS Enrollment Agent and ADFS SSO, then select OK. You should
see both templates in the middle pane.

Note

If you already have an enrollment agent certificate template configured, you
only need to add the ADFS SSO template.

Configure the AD FS Servers
You must configure the Active Directory Federation Services (AD FS) servers to use the
new certificate templates and set the relying-party trust to support SSO.

The relying-party trust between your AD FS server and the Azure Virtual Desktop service
allows single sign-on certificate requests to be forwarded correctly to your domain
environment.

When configuring AD FS single sign-on you must choose shared key or certificate:

If you have a single AD FS server, you can choose shared key or certificate.
If you have multiple AD FS servers, it's required to choose certificate.

The shared key or certificate used to generate the token to sign in to Windows must be
stored securely in Azure Key Vault. You can store the secret in an existing Key Vault or
deploy a new one. In either case, you must set the right access policy so the Azure
Virtual Desktop service can access it. The policy in the steps below grants only get on
secrets and sign on keys; don't widen it beyond that.

When using a certificate, you can use any general purpose certificate and there is no
requirement on the subject name or Subject Alternative Name (SAN). While not
required, it's recommended to create a certificate issued by a valid Certificate Authority.
This certificate can be created directly in Azure Key Vault and needs to have an
exportable private key. The public key can be exported and used to configure the AD FS
server using the script below. Note that this certificate is different from the AD FS SSL
certificate that must have a proper subject name and valid Certificate Authority.

The PowerShell script ConfigureWVDSSO.ps1 available in the PowerShell Gallery will
configure your AD FS server for the relying-party trust and install the certificate if
needed.

This script only has one required parameter, ADFSAuthority, which is the URL that
resolves to your AD FS and uses "/adfs" as its suffix. For example,
https://adfs.contoso.com/adfs.

1. On the AD FS VMs, run the following PowerShell cmdlet to configure AD FS to use
the certificate templates from the previous section:

PowerShell

Set-AdfsCertificateAuthority -EnrollmentAgentCertificateTemplate "ADFSEnrollmentAgent" -LogonCertificateTemplate "ADFSSSO" -EnrollmentAgent

Note

If you already have an EnrollmentAgentCertificateTemplate configured, ensure
you use the existing template name instead of ADFSEnrollmentAgent.

2. Run the ConfigureWVDSSO.ps1 script.

Note

You need the $config variable values to complete the next part of the
instructions, so don't close the PowerShell window you used to complete the
previous instructions. You can either keep using the same PowerShell window
or leave it open while launching a new PowerShell session.

If you're using a shared key in the Key Vault, run the following PowerShell
cmdlet on the AD FS server with ADFSServiceUrl replaced with the full URL to
reach your AD FS service:

PowerShell

Install-Script ConfigureWVDSSO
$config = ConfigureWVDSSO.ps1 -ADFSAuthority "<ADFSServiceUrl>" [-WvdWebAppAppIDUri "<WVD Web App URI>"] [-RdWebURL "<RDWeb URL>"]

If you're using a certificate in the Key Vault, run the following PowerShell
cmdlet on the AD FS server with ADFSServiceUrl replaced with the full URL to
reach your AD FS service:

PowerShell

Install-Script ConfigureWVDSSO
$config = ConfigureWVDSSO.ps1 -ADFSAuthority "<ADFSServiceUrl>" -UseCert -CertPath "<Path to the pfx file>" -CertPassword <Password to the pfx file> [-WvdWebAppAppIDUri "<WVD Web App URI>"] [-RdWebURL "<RDWeb URL>"]

Note

In either case, you need the WvdWebAppAppIDUri and RdWebURL properties to
configure an environment in a sovereign cloud like Azure Government. In the
Azure Commercial Cloud, these properties are automatically set to
https://www.wvd.microsoft.com and https://rdweb.wvd.microsoft.com respectively.

3. Set the access policy on the Azure Key Vault by running the following PowerShell
cmdlet. It grants the Azure Virtual Desktop service principal only get on secrets and
sign on keys, which is all the service needs:

PowerShell

Set-AzKeyVaultAccessPolicy -VaultName "<Key Vault Name>" -ServicePrincipalName 9cdead84-a844-4324-93f2-b2e6bb768d07 -PermissionsToSecrets get -PermissionsToKeys sign

If the Key Vault uses the Azure RBAC permission model instead of access policies, the
access policy isn't evaluated; assign the same service principal an equivalent Key Vault
data-plane role on the vault instead.

4. Store the shared key or certificate in Azure Key Vault with a tag containing a
comma-separated list of subscription IDs allowed to use the secret.

If you're using a shared key in the Key Vault, run the following PowerShell
cmdlet to store the shared key and set the tag:

PowerShell

$hp = Get-AzWvdHostPool -Name "<Host Pool Name>" -ResourceGroupName "<Host Pool Resource Group Name>"
$secret = Set-AzKeyVaultSecret -VaultName "<Key Vault Name>" -Name "adfsssosecret" -SecretValue (ConvertTo-SecureString -String $config.SSOClientSecret -AsPlainText -Force) -Tag @{ 'AllowedWVDSubscriptions' = $hp.Id.Split('/')[2] }

If your certificate is already in the Key Vault, run the following PowerShell
cmdlet to set the tag:

PowerShell

$hp = Get-AzWvdHostPool -Name "<Host Pool Name>" -ResourceGroupName "<Host Pool Resource Group Name>"
$secret = Update-AzKeyVaultCertificate -VaultName "<Key Vault Name>" -Name "<Certificate Name>" -Tag @{ 'AllowedWVDSubscriptions' = $hp.Id.Split('/')[2] } -PassThru

If you have a local certificate, run the following PowerShell cmdlet to import
the certificate into the Key Vault and set the tag:

PowerShell

$hp = Get-AzWvdHostPool -Name "<Host Pool Name>" -ResourceGroupName "<Host Pool Resource Group Name>"
$secret = Import-AzKeyVaultCertificate -VaultName "<Key Vault Name>" -Name "adfsssosecret" -Tag @{ 'AllowedWVDSubscriptions' = $hp.Id.Split('/')[2] } -FilePath "<Path to pfx>" -Password (ConvertTo-SecureString -String "<pfx password>" -AsPlainText -Force)

Note

You can optionally configure how often users are prompted for credentials by
changing the AD FS single sign-on settings. By default, users will be prompted
every 8 hours on unregistered devices.

Configure your Azure Virtual Desktop host pool


It's time to configure the AD FS SSO parameters on your Azure Virtual Desktop host
pool. To do this, set up your PowerShell environment for Azure Virtual Desktop if you
haven't already and connect to your account.

After that, update the SSO information for your host pool by running one of the
following two cmdlets in the same PowerShell window on the AD FS VM:

If you're using a shared key in the Key Vault, run the following PowerShell cmdlet:

PowerShell

Update-AzWvdHostPool -Name "<Host Pool Name>" -ResourceGroupName "<Host Pool Resource Group Name>" -SsoadfsAuthority "<ADFSServiceUrl>" -SsoClientId "<WVD Web App URI>" -SsoSecretType SharedKeyInKeyVault -SsoClientSecretKeyVaultPath $secret.Id

If you're using a certificate in the Key Vault, run the following PowerShell cmdlet:

PowerShell

Update-AzWvdHostPool -Name "<Host Pool Name>" -ResourceGroupName "<Host Pool Resource Group Name>" -SsoadfsAuthority "<ADFSServiceUrl>" -SsoClientId "<WVD Web App URI>" -SsoSecretType CertificateInKeyVault -SsoClientSecretKeyVaultPath $secret.Id

Note

You need to set the SsoClientId property to match the Azure cloud you're
deploying SSO in. In the Azure Commercial Cloud, this property should be set
to https://www.wvd.microsoft.com. However, the required setting for this
property will be different for other clouds, like the Azure Government cloud.

Configure additional host pools


When you need to configure additional host pools, you can retrieve the settings you
used to configure an existing host pool to set up the new one.

To retrieve the settings from your existing host pool, open a PowerShell window and run
this cmdlet:

PowerShell

Get-AzWvdHostPool -Name "<Host Pool Name>" -ResourceGroupName "<Host Pool Resource Group Name>" | fl *

You can follow the steps to Configure your Azure Virtual Desktop host pool using the
same SsoClientId, SsoClientSecretKeyVaultPath, SsoSecretType, and SsoadfsAuthority
values.
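The steps above spread the SSO configuration across the host pool, a Key Vault object and a Key Vault access policy, and a mismatch in any one of them (wrong subscription in the tag, missing sign permission, a vault on the RBAC permission model) fails only at sign-in time. The following script is an added example, not part of the original article, that reads the host pool's SSO settings and checks the other two pieces against them. It assumes the Az.Accounts, Az.Resources, Az.KeyVault and Az.DesktopVirtualization modules are installed, that Connect-AzAccount has already run, and that the host pool and resource group names are placeholders.

```powershell
# Added example, not from the original article: check that the host pool SSO settings, the
# Key Vault secret/certificate tag and the Key Vault access policy line up with each other.
# Assumes Az.Accounts, Az.Resources, Az.KeyVault and Az.DesktopVirtualization are installed
# and Connect-AzAccount has run; host pool and resource group names below are placeholders.

# Application ID of the Azure Virtual Desktop service principal, as used in the article.
$AvdServiceAppId = '9cdead84-a844-4324-93f2-b2e6bb768d07'

function Test-AvdAdfsSsoConfig {
    param(
        [Parameter(Mandatory)] [string] $HostPoolName,
        [Parameter(Mandatory)] [string] $ResourceGroupName
    )
    $findings = [System.Collections.Generic.List[string]]::new()
    $hp = Get-AzWvdHostPool -Name $HostPoolName -ResourceGroupName $ResourceGroupName
    $subscriptionId = $hp.Id.Split('/')[2]   # /subscriptions/<id>/resourceGroups/... as in the article

    if ([string]::IsNullOrEmpty($hp.SsoadfsAuthority)) {
        $findings.Add('SSO is not configured on this host pool (SsoadfsAuthority is empty).')
        return $findings
    }
    if ($hp.SsoadfsAuthority -notmatch '^https://[^/]+/adfs/?$') {
        $findings.Add("SsoadfsAuthority '$($hp.SsoadfsAuthority)' should be an https URL ending in /adfs.")
    }
    if ($hp.SsoSecretType -notin @('SharedKeyInKeyVault', 'CertificateInKeyVault')) {
        $findings.Add("SsoSecretType is '$($hp.SsoSecretType)'; expected one of the Key Vault types.")
    }

    # Expected shape: https://<vault>.<vault DNS suffix>[:443]/(secrets|certificates)/<name>[/<version>]
    if ($hp.SsoClientSecretKeyVaultPath -notmatch '^https://(?<vault>[^./]+)\.[^/]+/(?<kind>secrets|certificates)/(?<name>[^/]+)') {
        $findings.Add("SsoClientSecretKeyVaultPath '$($hp.SsoClientSecretKeyVaultPath)' is not a Key Vault secret or certificate URI.")
        return $findings
    }
    $vaultName = $Matches.vault; $kind = $Matches.kind; $objectName = $Matches.name

    # 1. The AllowedWVDSubscriptions tag must list this host pool's subscription.
    $item = if ($kind -eq 'certificates') {
        Get-AzKeyVaultCertificate -VaultName $vaultName -Name $objectName
    } else {
        Get-AzKeyVaultSecret -VaultName $vaultName -Name $objectName
    }
    $allowed = @()
    if ($item.Tags -and $item.Tags.ContainsKey('AllowedWVDSubscriptions')) {
        $allowed = @($item.Tags['AllowedWVDSubscriptions'] -split ',' | ForEach-Object { $_.Trim() })
    }
    if ($allowed -notcontains $subscriptionId) {
        $findings.Add("'$objectName' in vault '$vaultName' does not list subscription $subscriptionId in its AllowedWVDSubscriptions tag.")
    }

    # 2. The service principal needs get on secrets and sign on keys, and nothing more.
    $vault = Get-AzKeyVault -VaultName $vaultName
    if ($vault.EnableRbacAuthorization) {
        $findings.Add("Vault '$vaultName' uses the Azure RBAC permission model; access policies are not evaluated, check the service principal's role assignment on the vault instead.")
    } else {
        $sp = Get-AzADServicePrincipal -ApplicationId $AvdServiceAppId
        $policy = $vault.AccessPolicies | Where-Object { $_.ObjectId -eq $sp.Id }
        if (-not $policy) {
            $findings.Add("No access policy for the Azure Virtual Desktop service principal ($AvdServiceAppId) on vault '$vaultName'.")
        } else {
            if ($policy.PermissionsToSecrets -notcontains 'get')  { $findings.Add('Access policy is missing get on secrets.') }
            if ($policy.PermissionsToKeys    -notcontains 'sign') { $findings.Add('Access policy is missing sign on keys.') }
            $extra = @($policy.PermissionsToSecrets | Where-Object { $_ -ne 'get' }) +
                     @($policy.PermissionsToKeys    | Where-Object { $_ -ne 'sign' }) +
                     @($policy.PermissionsToCertificates)
            if ($extra.Count -gt 0) {
                $findings.Add("Access policy grants more than the article requires: $($extra -join ', ').")
            }
        }
    }
    return $findings
}

$issues = Test-AvdAdfsSsoConfig -HostPoolName 'hp-finance' -ResourceGroupName 'rg-avd'
if ($issues.Count -eq 0) { 'AD FS SSO configuration checks passed.' } else { $issues }
```

Run it once after configuring the first host pool and again after each "Configure additional host pools" step; the tag check is the one that usually catches a host pool in a second subscription that was never added to AllowedWVDSubscriptions.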

Removing SSO
To disable SSO on the host pool, run the following cmdlet:

PowerShell

Update-AzWvdHostPool -Name "<Host Pool Name>" -ResourceGroupName "<Host Pool Resource Group Name>" -SsoadfsAuthority ''

If you also want to disable SSO on your AD FS server, run this cmdlet:

PowerShell

Install-Script UnConfigureWVDSSO
UnConfigureWVDSSO.ps1 -WvdWebAppAppIDUri "<WVD Web App URI>" -WvdClientAppApplicationID "a85cf173-4192-42f8-81fa-777a763e6e2c"

Note

The WvdWebAppAppIDUri property needs to match the Azure cloud you are
deploying in. In the Azure Commercial Cloud, this property is
https://www.wvd.microsoft.com. It will be different for other clouds like the Azure
Government cloud.

Next steps
Now that you've configured single sign-on, you can sign in to a supported Azure Virtual
Desktop client to test it as part of a user session. If you want to learn how to connect to
a session using your new credentials, check out these articles:

Connect with the Windows Desktop client
Connect with the web client

Configure a Kerberos Key Distribution Center proxy
Article • 01/11/2023

Security-conscious customers, such as financial or government organizations, often sign
in using smart cards. Smart cards make deployments more secure by requiring
multifactor authentication (MFA). However, for the RDP portion of an Azure Virtual
Desktop session, smart cards require a direct connection, or "line of sight," with an
Active Directory (AD) domain controller for Kerberos authentication. Without this direct
connection, users can't automatically sign in to the organization's network from remote
connections. Users in an Azure Virtual Desktop deployment can use the KDC proxy
service to proxy this authentication traffic and sign in remotely. The KDC proxy allows
for authentication for the Remote Desktop Protocol of an Azure Virtual Desktop session,
letting the user sign in securely. This makes working from home much easier, and allows
for certain disaster recovery scenarios to run more smoothly.

However, setting up the KDC proxy typically involves assigning the Windows Server
Gateway role in Windows Server 2016 or later. How do you use a Remote Desktop
Services role to sign in to Azure Virtual Desktop? To answer that, let's take a quick look
at the components.

There are two components to the Azure Virtual Desktop service that need to be
authenticated:

The feed in the Azure Virtual Desktop client that gives users a list of available
desktops or applications they have access to. This authentication process happens
in Azure Active Directory, which means this component isn't the focus of this
article.
The RDP session that results from a user selecting one of those available resources.
This component uses Kerberos authentication and requires a KDC proxy for remote
users.

This article will show you how to configure the feed in the Azure Virtual Desktop client
in the Azure portal. If you want to learn how to configure the RD Gateway role, see
Deploy the RD Gateway role.

Requirements
To configure an Azure Virtual Desktop session host with a KDC proxy, you'll need the
following things:

Access to the Azure portal and an Azure administrator account.
The remote client machines must be running at least Windows 10 and have the
Windows Desktop client installed. The web client isn't currently supported.
You must have a KDC proxy already installed on your machine. To learn how to do
that, see Set up the RD Gateway role for Azure Virtual Desktop.
The machine's OS must be Windows Server 2016 or later.

Once you've made sure you meet these requirements, you're ready to get started.

How to configure the KDC proxy


To configure the KDC proxy:

1. Sign in to the Azure portal as an administrator.

2. Go to the Azure Virtual Desktop page.

3. Select the host pool you want to enable the KDC proxy for, then select RDP
Properties.

4. Select the Advanced tab, then enter a value in the following format without
spaces:

kdcproxyname:s:<fqdn>

5. Select Save.

6. The selected host pool should now begin to issue RDP connection files that include
the kdcproxyname value you entered in step 4.
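The portal steps above edit one RDP property by hand. When several host pools need the same KDC proxy, or the change needs to be repeatable, the same property can be set with the Az.DesktopVirtualization module. The following script is an added example and is not part of the original article: it merges kdcproxyname:s:<fqdn> into whatever custom RDP properties the host pool already has (replacing an existing kdcproxyname entry rather than adding a second one), writes it back, and then reads the host pool again to confirm the value took. It assumes Az.DesktopVirtualization is installed and Connect-AzAccount has already run; the host pool, resource group and KDC proxy names are placeholders.

```powershell
# Added example, not from the original article: set the kdcproxyname RDP property on a host pool
# with PowerShell instead of the portal, keeping any custom RDP properties already configured.
# Assumes the Az.DesktopVirtualization module is installed and Connect-AzAccount has already run;
# the host pool, resource group and KDC proxy names are placeholders.

function Merge-RdpProperty {
    # Pure string merge so the logic can be checked without touching Azure.
    # Custom RDP properties are one ';'-separated string, e.g. "audiomode:i:0;drivestoredirect:s:;".
    param([AllowNull()] [string] $Existing, [Parameter(Mandatory)] [string] $Name, [Parameter(Mandatory)] [string] $Value)
    $kept = @($Existing -split ';' | Where-Object { $_ -and $_ -notmatch "^$([regex]::Escape($Name)):" })
    return (($kept + "${Name}:s:${Value}") -join ';') + ';'
}

function Set-AvdKdcProxy {
    param(
        [Parameter(Mandatory)] [string] $HostPoolName,
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $KdcProxyFqdn
    )
    # The article requires a bare FQDN with no spaces; reject anything carrying a scheme, port or path.
    if ($KdcProxyFqdn -notmatch '^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)+$') {
        throw "'$KdcProxyFqdn' is not a plain fully qualified domain name."
    }

    $hp = Get-AzWvdHostPool -Name $HostPoolName -ResourceGroupName $ResourceGroupName
    $merged = Merge-RdpProperty -Existing $hp.CustomRdpProperty -Name 'kdcproxyname' -Value $KdcProxyFqdn
    Update-AzWvdHostPool -Name $HostPoolName -ResourceGroupName $ResourceGroupName -CustomRdpProperty $merged | Out-Null

    # Read the host pool back and confirm exactly one kdcproxyname entry with the expected value,
    # so a silent write failure or a duplicate entry doesn't go unnoticed.
    $applied = (Get-AzWvdHostPool -Name $HostPoolName -ResourceGroupName $ResourceGroupName).CustomRdpProperty
    $entries = @($applied -split ';' | Where-Object { $_ -match '^kdcproxyname:' })
    if ($entries.Count -ne 1 -or $entries[0] -ne "kdcproxyname:s:$KdcProxyFqdn") {
        throw "kdcproxyname was not applied as expected. Current value: $applied"
    }
    return $applied
}

Set-AvdKdcProxy -HostPoolName 'hp-finance' -ResourceGroupName 'rg-avd' -KdcProxyFqdn 'kdcproxy.contoso.com'
```

The FQDN you pass must be the public name of the RD Gateway that hosts the KDC proxy, reachable from the client over HTTPS; the host pool change only tells the client where to send Kerberos traffic, it does not verify that the proxy answers.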

Next steps
To learn how to manage the Remote Desktop Services side of the KDC proxy and assign
the RD Gateway role, see Deploy the RD Gateway role.

If you're interested in scaling your KDC proxy servers, learn how to set up high
availability for KDC proxy at Add high availability to the RD Web and Gateway web front.
Enforce Microsoft Entra multifactor authentication for Azure Virtual Desktop using Conditional Access
Article • 08/02/2024

Important

If you're visiting this page from the Azure Virtual Desktop (classic) documentation,
make sure to return to the Azure Virtual Desktop (classic) documentation once
you're finished.

Users can sign into Azure Virtual Desktop from anywhere using different devices and
clients. However, there are certain measures you should take to help keep your
environment and your users safe. Using Microsoft Entra multifactor authentication (MFA)
with Azure Virtual Desktop prompts users during the sign-in process for another form of
identification in addition to their username and password. You can enforce MFA for
Azure Virtual Desktop using Conditional Access, and can also configure whether it
applies to the web client, mobile apps, desktop clients, or all clients.

When a user connects to a remote session, they need to authenticate to the Azure
Virtual Desktop service and the session host. If MFA is enabled, it's used when
connecting to the Azure Virtual Desktop service and the user is prompted for their user
account and a second form of authentication, in the same way as accessing other
services. When a user starts a remote session, a username and password is required for
the session host, but this is seamless to the user if single sign-on (SSO) is enabled. For
more information, see Authentication methods.

How often a user is prompted to reauthenticate depends on Microsoft Entra session
lifetime configuration settings. For example, if their Windows client device is registered
with Microsoft Entra ID, it receives a Primary Refresh Token (PRT) to use for single sign-on
(SSO) across applications. Once issued, a PRT is valid for 14 days and is continuously
renewed as long as the user actively uses the device.

While remembering credentials is convenient, it can also make deployments for
Enterprise scenarios using personal devices less secure. To protect your users, you can
make sure the client keeps asking for Microsoft Entra multifactor authentication
credentials more frequently. You can use Conditional Access to configure this behavior.
Learn how to enforce MFA for Azure Virtual Desktop and optionally configure sign-in
frequency in the following sections.

Prerequisites
Here's what you need to get started:

Assign users a license that includes Microsoft Entra ID P1 or P2.
A Microsoft Entra group with your Azure Virtual Desktop users assigned as group
members.
Enable Microsoft Entra multifactor authentication.

Create a Conditional Access policy

Here's how to create a Conditional Access policy that requires multifactor authentication
when connecting to Azure Virtual Desktop:

1. Sign in to the Microsoft Entra admin center as at least a Conditional Access
Administrator.

2. Browse to Protection > Conditional Access > Policies.

3. Select New policy.

4. Give your policy a name. We recommend that organizations create a meaningful
standard for the names of their policies.

5. Under Assignments > Users, select 0 users and groups selected.

6. Under the Include tab, select Select users and groups and check Users and
groups, then under Select, select 0 users and groups selected.

7. On the new pane that opens, search for and choose the group that contains your
Azure Virtual Desktop users as group members, then select Select.

8. Under Assignments > Target resources, select No target resources selected.

9. Under the Include tab, select Select apps, then under Select, select None.

10. On the new pane that opens, search for and select the necessary apps based on
the resources you're trying to protect. Select the relevant tab for your scenario.
When searching for an application name on Azure, use search terms that begin
with the application name in order instead of keywords the application name
contains out of order. For example, when you want to use Azure Virtual Desktop,
you need to enter 'Azure Virtual', in that order. If you enter 'virtual' by itself, the
search doesn't return the desired application.

Azure Virtual Desktop

For Azure Virtual Desktop (based on Azure Resource Manager), you can
configure MFA on these different apps:

Azure Virtual Desktop (app ID 9cdead84-a844-4324-93f2-b2e6bb768d07), which
applies when the user subscribes to Azure Virtual Desktop, authenticates to the
Azure Virtual Desktop Gateway during a connection, and when diagnostics
information is sent to the service from the user's local device.

Tip

The app name was previously Windows Virtual Desktop. If you registered the
Microsoft.DesktopVirtualization resource provider before the display name
changed, the application will be named Windows Virtual Desktop with the same
app ID as Azure Virtual Desktop.

Microsoft Remote Desktop (app ID a4a365df-50f1-4397-bc59-1a1564b8bb9c) and
Windows Cloud Login (app ID 270efc09-cd0d-444b-a71f-39af4910ec45). These apply
when the user authenticates to the session host when single sign-on is enabled.
It's recommended to match Conditional Access policies between these apps and
the Azure Virtual Desktop app, except for the sign-in frequency.

Important

The clients used to access Azure Virtual Desktop use the Microsoft Remote
Desktop Entra ID app to authenticate to the session host today. An upcoming
change will transition the authentication to the Windows Cloud Login Entra ID
app. To ensure a smooth transition, you need to add both Entra ID apps to your
Conditional Access policies.

Important

Don't select the app called Azure Virtual Desktop Azure Resource Manager
Provider (app ID 50e95039-b200-4007-bc97-8d5790743a63). This app is only used
for retrieving the user feed and shouldn't have multifactor authentication.

11. Once you selected your apps, select Select.

12. Under Assignments > Conditions, select 0 conditions selected.

13. Under Client apps, select Not configured.

14. On the new pane that opens, for Configure, select Yes.

15. Select the client apps this policy applies to:

Select Browser if you want the policy to apply to the web client.
Select Mobile apps and desktop clients if you want to apply the policy to
other clients.
Select both check boxes if you want to apply the policy to all clients.
Deselect values for legacy authentication clients.

16. Once you selected the client apps this policy applies to, select Done.

17. Under Access controls > Grant, select 0 controls selected.

18. On the new pane that opens, select Grant access.

19. Check Require multifactor authentication, and then select Select.

20. At the bottom of the page, set Enable policy to On and select Create.

Note

When you use the web client to sign in to Azure Virtual Desktop through your
browser, the log will list the client app ID as a85cf173-4192-42f8-81fa-777a763e6e2c
(Azure Virtual Desktop client). This is because the client app is internally linked
to the server app ID where the Conditional Access policy was set.

Tip

Some users may see a prompt titled Stay signed in to all your apps if the Windows
device they're using is not already registered with Microsoft Entra ID. If they
deselect Allow my organization to manage my device and select No, sign in to
this app only, they may be prompted for authentication more frequently.

Configure sign-in frequency

Sign-in frequency policies let you configure how often users are required to sign-in
when accessing Microsoft Entra-based resources. This can help secure your environment
and is especially important for personal devices, where the local OS may not require
MFA or may not lock automatically after inactivity. Users are prompted to authenticate
only when a new access token is requested from Microsoft Entra ID when accessing a
resource.

Sign-in frequency policies result in different behavior based on the Microsoft Entra app
selected:

Azure Virtual Desktop (app ID 9cdead84-a844-4324-93f2-b2e6bb768d07): enforces
reauthentication when a user subscribes to Azure Virtual Desktop, manually refreshes
their list of resources and authenticates to the Azure Virtual Desktop Gateway during a
connection. Once the reauthentication period is over, background feed refresh and
diagnostics upload silently fail until the user completes their next interactive sign-in
to Microsoft Entra.

Microsoft Remote Desktop (app ID a4a365df-50f1-4397-bc59-1a1564b8bb9c) and
Windows Cloud Login (app ID 270efc09-cd0d-444b-a71f-39af4910ec45): enforce
reauthentication when a user signs in to a session host when single sign-on is enabled.
Both apps should be configured together, as the Azure Virtual Desktop clients will soon
switch from using the Microsoft Remote Desktop app to the Windows Cloud Login app to
authenticate to the session host.

To configure the time period after which a user is asked to sign-in again:

1. Open the policy you created previously.
2. Under Access controls > Session, select 0 controls selected.
3. In the Session pane, select Sign-in frequency.
4. Select Periodic reauthentication or Every time.

If you select Periodic reauthentication, set the value for the time period after
which a user is asked to sign-in again when performing an action that
requires a new access token, and then select Select. For example, setting the
value to 1 and the unit to Hours, requires multifactor authentication if a
connection is launched more than an hour after the last user authentication.
The Every time option is currently available in preview and is only supported
when applied to the Microsoft Remote Desktop and Windows Cloud Login
apps when single sign-on is enabled for your host pool. If you select Every
time, users are prompted to reauthenticate when launching a new
connection after a period of 5 to 10 minutes since their last authentication.

5. At the bottom of the page, select Save.

Note

Reauthentication only happens when a user must authenticate to a resource
and a new access token is needed. After a connection is established, users
aren't prompted even if the connection lasts longer than the sign-in
frequency you've configured.

Users must reauthenticate if there is a network disruption that forces the
session to be re-established after the sign-in frequency you've configured.
This can lead to more frequent authentication requests on unstable networks.
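The two procedures above (create the policy, then add the sign-in frequency control) can be done in one step with the Microsoft Graph PowerShell SDK, which also makes the app scoping reviewable in source control. The following script is an added example and is not part of the original article. It builds the same policy: the three Azure Virtual Desktop app IDs from the list above, browser plus mobile and desktop client app types, an MFA grant, and a one-hour periodic reauthentication; the Azure Virtual Desktop Azure Resource Manager Provider app is deliberately left out. It then reads the policy back and checks its scope. The script assumes the Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Groups modules are installed, that Connect-MgGraph has run with the Policy.ReadWrite.ConditionalAccess and Group.Read.All scopes, and that the group name is a placeholder. It creates the policy in report-only mode, which is not what step 20 above selects; switch the state to enabled once the sign-in logs show it hitting the right users.

```powershell
# Added example, not from the original article: create the Conditional Access policy from the
# steps above with the Microsoft Graph PowerShell SDK, including the sign-in frequency control,
# then read it back to verify its scope. Assumes Microsoft.Graph.Identity.SignIns and
# Microsoft.Graph.Groups are installed and Connect-MgGraph has run with the
# Policy.ReadWrite.ConditionalAccess and Group.Read.All scopes; the group name is a placeholder.
# The application IDs are the ones listed in the article.

$AvdApps = @(
    '9cdead84-a844-4324-93f2-b2e6bb768d07'   # Azure Virtual Desktop (feed subscription, Gateway, diagnostics)
    'a4a365df-50f1-4397-bc59-1a1564b8bb9c'   # Microsoft Remote Desktop (session host sign-in with SSO)
    '270efc09-cd0d-444b-a71f-39af4910ec45'   # Windows Cloud Login (session host sign-in, upcoming)
)
# Deliberately excluded: the Azure Virtual Desktop Azure Resource Manager Provider app, which
# only serves the user feed and must not require MFA.
$AvdArmProviderAppId = '50e95039-b200-4007-bc97-8d5790743a63'

function New-AvdMfaPolicy {
    param(
        [Parameter(Mandatory)] [string] $GroupId,
        [string] $DisplayName = 'AVD - require MFA',
        [int] $SignInFrequencyHours = 1,
        # Start in report-only mode, review the sign-in logs, then switch to 'enabled' (step 20 above).
        [ValidateSet('enabled', 'disabled', 'enabledForReportingButNotEnforced')]
        [string] $State = 'enabledForReportingButNotEnforced'
    )
    $body = @{
        displayName = $DisplayName
        state       = $State
        conditions  = @{
            users        = @{ includeGroups = @($GroupId) }
            applications = @{ includeApplications = $AvdApps }
            # browser = web client; mobileAppsAndDesktopClients = the other clients.
            # Legacy authentication client types are left out, as the article advises.
            clientAppTypes = @('browser', 'mobileAppsAndDesktopClients')
        }
        grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
        sessionControls = @{
            # 'Periodic reauthentication' in the admin center. 'everyTime' is only supported on the
            # Microsoft Remote Desktop and Windows Cloud Login apps with SSO, so it isn't used here
            # because this policy also covers the Azure Virtual Desktop app.
            signInFrequency = @{
                isEnabled          = $true
                type               = 'hours'
                value              = $SignInFrequencyHours
                frequencyInterval  = 'timeBased'
                authenticationType = 'primaryAndSecondaryAuthentication'
            }
        }
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

function Test-AvdMfaPolicy {
    # Re-read the policy and confirm it covers every AVD app, excludes the ARM provider app and requires MFA.
    param([Parameter(Mandatory)] [string] $PolicyId)
    $p = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $PolicyId
    $apps = @($p.Conditions.Applications.IncludeApplications)
    $findings = @()
    foreach ($id in $AvdApps) { if ($apps -notcontains $id) { $findings += "Missing app $id" } }
    if ($apps -contains $AvdArmProviderAppId) { $findings += 'ARM provider app must not be in scope' }
    if (@($p.GrantControls.BuiltInControls) -notcontains 'mfa') { $findings += 'MFA grant control is not set' }
    if (-not $p.SessionControls.SignInFrequency.IsEnabled) { $findings += 'Sign-in frequency is not enabled' }
    if ($findings.Count -eq 0) { "Policy '$($p.DisplayName)' ($($p.State)) is scoped as expected." } else { $findings }
}

$group  = Get-MgGroup -Filter "displayName eq 'AVD Users'"     # placeholder group name
$policy = New-AvdMfaPolicy -GroupId $group.Id
Test-AvdMfaPolicy -PolicyId $policy.Id
```

Keep Test-AvdMfaPolicy around: the app-ID check is the fastest way to notice when someone later "tidies" the policy and drops Windows Cloud Login, which would leave session host sign-in without MFA once the client transition described above happens.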

Microsoft Entra joined session host VMs

For connections to succeed, you must disable the legacy per-user multifactor
authentication sign-in method. If you don't want to restrict signing in to strong
authentication methods like Windows Hello for Business, you need to exclude the Azure
Windows VM Sign-In app from your Conditional Access policy.

Next steps
Learn more about Conditional Access policies
Learn more about user sign in frequency

Delegated access in Azure Virtual
Desktop
Article • 10/12/2023

Important

This content applies to Azure Virtual Desktop with Azure Resource Manager Azure
Virtual Desktop objects. If you're using Azure Virtual Desktop (classic) without
Azure Resource Manager objects, see this article.

Azure Virtual Desktop has a delegated access model that lets you define the amount of
access a particular user is allowed to have by assigning them a role. A role assignment
has three components: security principal, role definition, and scope. The Azure Virtual
Desktop delegated access model is based on the Azure RBAC model. To learn more
about specific role assignments and their components, see the Azure role-based access
control overview.

Azure Virtual Desktop delegated access supports the following values for each element
of the role assignment:

Security principal: users, user groups, and service principals.
Role definition: built-in roles and custom roles.
Scope: host pools, application groups, and workspaces.

PowerShell cmdlets for role assignments

Before you start, make sure to follow the instructions in Set up the PowerShell module
to set up the Azure Virtual Desktop PowerShell module if you haven't already.

Azure Virtual Desktop uses Azure role-based access control (Azure RBAC) while
publishing application groups to users or user groups. The Desktop Virtualization User
role is assigned to the user or user group and the scope is the application group. This
role gives the user special data access on the application group.

Run the following cmdlet to add a Microsoft Entra user to an application group:

PowerShell

New-AzRoleAssignment -SignInName <userupn> -RoleDefinitionName "Desktop Virtualization User" -ResourceName <appgroupname> -ResourceGroupName <resourcegroupname> -ResourceType 'Microsoft.DesktopVirtualization/applicationGroups'

Run the following cmdlet to add a Microsoft Entra user group to an application group:

PowerShell

New-AzRoleAssignment -ObjectId <usergroupobjectid> -RoleDefinitionName "Desktop Virtualization User" -ResourceName <appgroupname> -ResourceGroupName <resourcegroupname> -ResourceType 'Microsoft.DesktopVirtualization/applicationGroups'
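Because Azure RBAC assignments inherit downward, a Desktop Virtualization User assignment made at the resource group or subscription scope publishes every application group under that scope, not just the one you meant. The following script is an added example, not part of the original article, that lists who holds that role on each application group in a resource group and flags assignments that are inherited from a wider scope or granted to individual users rather than groups, so they can be replaced with a group assignment scoped to the application group as the cmdlets above do. It assumes Az.Resources and Az.DesktopVirtualization are installed and Connect-AzAccount has run; the resource group name is a placeholder.

```powershell
# Added example, not from the original article: audit Desktop Virtualization User assignments per
# application group and flag ones that are inherited from a wider scope or made to single users.
# Assumes Az.Resources and Az.DesktopVirtualization are installed and Connect-AzAccount has run;
# the resource group name is a placeholder.

function Get-AvdAppGroupAccess {
    param([Parameter(Mandatory)] [string] $ResourceGroupName)
    $results = foreach ($ag in Get-AzWvdApplicationGroup -ResourceGroupName $ResourceGroupName) {
        # Get-AzRoleAssignment at a resource scope also returns assignments inherited from the
        # resource group, subscription or management group above it; .Scope tells you where.
        $assignments = Get-AzRoleAssignment -Scope $ag.Id |
            Where-Object { $_.RoleDefinitionName -eq 'Desktop Virtualization User' }
        foreach ($ra in $assignments) {
            [pscustomobject]@{
                ApplicationGroup = $ag.Name
                Principal        = if ($ra.SignInName) { $ra.SignInName } else { $ra.DisplayName }
                PrincipalType    = $ra.ObjectType          # User, Group or ServicePrincipal
                AssignedAt       = $ra.Scope
                Inherited        = ($ra.Scope -ne $ag.Id)  # -ne is case-insensitive, as resource IDs vary in case
            }
        }
    }
    $results
}

function Find-AvdOverbroadAccess {
    # Inherited assignments publish more than one application group; per-user assignments bypass
    # group-based review. Both are worth replacing with a group scoped to the application group.
    param([Parameter(Mandatory)] [string] $ResourceGroupName)
    Get-AvdAppGroupAccess -ResourceGroupName $ResourceGroupName |
        Where-Object { $_.Inherited -or $_.PrincipalType -eq 'User' }
}

Find-AvdOverbroadAccess -ResourceGroupName 'rg-avd' | Format-Table -AutoSize
```

An empty result means every Desktop Virtualization User assignment in the resource group is a group assigned directly on an application group, which is the shape the two cmdlets above produce.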

Next steps
For a more complete list of PowerShell cmdlets each role can use, see the PowerShell
reference.

For a complete list of roles supported in Azure RBAC, see Azure built-in roles.

For guidelines for how to set up an Azure Virtual Desktop environment, see Azure Virtual
Desktop environment.

Required FQDNs and endpoints for Azure Virtual Desktop
Article • 11/21/2024

In order to deploy Azure Virtual Desktop and for your users to connect, you must allow specific
FQDNs and endpoints. Users also need to be able to connect to certain FQDNs and endpoints to
access their Azure Virtual Desktop resources. This article lists the required FQDNs and endpoints you
need to allow for your session hosts and users.

These FQDNs and endpoints could be blocked if you're using a firewall, such as Azure Firewall, or
proxy service. For guidance on using a proxy service with Azure Virtual Desktop, see Proxy service
guidelines for Azure Virtual Desktop.

You can check that your session host VMs can connect to these FQDNs and endpoints by following
the steps to run the Azure Virtual Desktop Agent URL Tool in Check access to required FQDNs and
endpoints for Azure Virtual Desktop. The Azure Virtual Desktop Agent URL Tool validates each FQDN
and endpoint and shows whether your session hosts can access them.

Important

Microsoft doesn't support Azure Virtual Desktop deployments where the FQDNs and
endpoints listed in this article are blocked.

This article doesn't include FQDNs and endpoints for other services such as Microsoft Entra
ID, Office 365, custom DNS providers or time services. Microsoft Entra FQDNs and
endpoints can be found under ID 56, 59 and 125 in Office 365 URLs and IP address ranges.

Service tags and FQDN tags

Service tags represent groups of IP address prefixes from a given Azure service. Microsoft manages
the address prefixes encompassed by the service tag and automatically updates the service tag as
addresses change, minimizing the complexity of frequent updates to network security rules. Service
tags can be used in rules for Network Security Groups (NSGs) and Azure Firewall to restrict outbound
network access. Service tags can be also used in User Defined Routes (UDRs) to customize traffic
routing behavior.

Azure Firewall also supports FQDN tags, which represent a group of fully qualified domain names
(FQDNs) associated with well known Azure and other Microsoft services. Azure Virtual Desktop
doesn't have a list of IP address ranges that you can unblock instead of FQDNs to allow network
traffic. If you're using a Next Generation Firewall (NGFW), you need to use a dynamic list made for
Azure IP addresses to make sure you can connect. For more information, see Use Azure Firewall to
protect Azure Virtual Desktop deployments.

Azure Virtual Desktop has both a service tag and FQDN tag entry available. We recommend you use
service tags and FQDN tags to simplify your Azure network configuration.

Session host virtual machines

The following table is the list of FQDNs and endpoints your session host VMs need to access for
Azure Virtual Desktop. All entries are outbound; you don't need to open inbound ports for Azure
Virtual Desktop. Select the relevant tab based on which cloud you're using.

Azure cloud

Address                                       Protocol  Outbound port  Purpose                                      Service tag
login.microsoftonline.com                     TCP       443            Authentication to Microsoft Online Services  AzureActiveDirectory
*.wvd.microsoft.com                           TCP       443            Service traffic                              WindowsVirtualDesktop
catalogartifact.azureedge.net                 TCP       443            Azure Marketplace                            AzureFrontDoor.Frontend
*.prod.warm.ingest.monitor.core.windows.net   TCP       443            Agent traffic, diagnostic output             AzureMonitor
gcs.prod.monitoring.core.windows.net          TCP       443            Agent traffic                                AzureMonitor
azkms.core.windows.net                        TCP       1688           Windows activation                           Internet
mrsglobalsteus2prod.blob.core.windows.net     TCP       443            Agent and side-by-side (SXS) stack updates   AzureStorage
wvdportalstorageblob.blob.core.windows.net    TCP       443            Azure portal support                         AzureCloud
169.254.169.254                               TCP       80             Azure Instance Metadata service endpoint     N/A
168.63.129.16                                 TCP       80             Session host health monitoring               N/A
oneocsp.microsoft.com                         TCP       80             Certificates                                 AzureFrontDoor.FirstParty
www.microsoft.com                             TCP       80             Certificates                                 N/A

The following table lists optional FQDNs and endpoints that your session host virtual machines
might also need to access for other services:

| Address | Protocol | Outbound port | Purpose | Service tag |
|---|---|---|---|---|
| login.windows.net | TCP | 443 | Sign in to Microsoft Online Services and Microsoft 365 | AzureActiveDirectory |
| *.events.data.microsoft.com | TCP | 443 | Telemetry Service | N/A |
| www.msftconnecttest.com | TCP | 80 | Detects if the session host is connected to the internet | N/A |
| *.prod.do.dsp.mp.microsoft.com | TCP | 443 | Windows Update | N/A |
| *.sfx.ms | TCP | 443 | Updates for OneDrive client software | N/A |
| *.digicert.com | TCP | 80 | Certificate revocation check | N/A |
| *.azure-dns.com | TCP | 443 | Azure DNS resolution | N/A |
| *.azure-dns.net | TCP | 443 | Azure DNS resolution | N/A |
| *eh.servicebus.windows.net | TCP | 443 | Diagnostic settings | EventHub |

Tip

You must use the wildcard character (*) for FQDNs involving service traffic.

For agent traffic, if you prefer not to use a wildcard, here's how to find the specific FQDNs to allow:

1. Ensure your session hosts are registered to a host pool.

2. On a session host, open Event Viewer, then go to Windows Logs > Application, filter on the WVD-Agent source, and look for event ID 3701.

3. Unblock the FQDNs that you find under event ID 3701. The FQDNs under event ID 3701 are region-specific. You need to repeat this process with the relevant FQDNs for each Azure region you want to deploy your session hosts in.
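The following script is an added example, not part of the article or the Azure Virtual Desktop agent. It probes outbound TCP reachability to the required session host endpoints in the table above, then appends the region-specific FQDNs the RDAgent logs under event ID 3701 and probes those too. Wildcard entries can't be probed directly, so they're reported as skipped; the whole pattern still has to be allowed on your firewall or proxy. It assumes the event provider name is WVD-Agent (the source shown in Event Viewer) and that the regex below is an adequate way to pull hostnames out of the event message text. Run it in an elevated PowerShell session on a registered session host; swap in the end user device list to run the same check from a client.

```powershell
# Added example (not from the article): check outbound TCP reachability to the required
# session host endpoints, plus the region-specific FQDNs from WVD-Agent event ID 3701.
# Assumptions: provider name 'WVD-Agent', and the hostname regex below.

$required = @(
    @{ Address = 'login.microsoftonline.com';                   Port = 443 }
    @{ Address = '*.wvd.microsoft.com';                         Port = 443 }
    @{ Address = 'catalogartifact.azureedge.net';               Port = 443 }
    @{ Address = '*.prod.warm.ingest.monitor.core.windows.net'; Port = 443 }
    @{ Address = 'gcs.prod.monitoring.core.windows.net';        Port = 443 }
    @{ Address = 'azkms.core.windows.net';                      Port = 1688 }
    @{ Address = 'mrsglobalsteus2prod.blob.core.windows.net';   Port = 443 }
    @{ Address = 'wvdportalstorageblob.blob.core.windows.net';  Port = 443 }
    @{ Address = '169.254.169.254';                             Port = 80 }
    @{ Address = '168.63.129.16';                               Port = 80 }
    @{ Address = 'oneocsp.microsoft.com';                       Port = 80 }
    @{ Address = 'www.microsoft.com';                           Port = 80 }
)

function Get-AvdAgentFqdn {
    # Hostnames mentioned in WVD-Agent event 3701 (region-specific agent endpoints).
    $filter  = @{ LogName = 'Application'; ProviderName = 'WVD-Agent'; Id = 3701 }
    $events  = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    $pattern = '(?i)\b(?:[a-z0-9-]+\.)+(?:microsoft\.com|windows\.net|azure\.com|azure\.net)\b'
    $found = foreach ($e in $events) {
        if (-not $e.Message) { continue }
        foreach ($m in [regex]::Matches($e.Message, $pattern)) { $m.Value.ToLowerInvariant() }
    }
    $found | Sort-Object -Unique
}

function Test-AvdEndpoint {
    param([Parameter(Mandatory)][string]$Address, [int]$Port = 443)
    # A wildcard can't be probed; the whole pattern must be allowed on the firewall/proxy.
    if ($Address.StartsWith('*')) {
        return [pscustomobject]@{ Address = $Address; Port = $Port; Result = 'skipped (wildcard)' }
    }
    $open = Test-NetConnection -ComputerName $Address -Port $Port -InformationLevel Quiet -WarningAction SilentlyContinue
    [pscustomobject]@{ Address = $Address; Port = $Port; Result = $(if ($open) { 'open' } else { 'BLOCKED' }) }
}

$targets = [System.Collections.Generic.List[hashtable]]::new()
foreach ($entry in $required) { $targets.Add($entry) }
foreach ($fqdn in (Get-AvdAgentFqdn)) { $targets.Add(@{ Address = $fqdn; Port = 443 }) }

$results = foreach ($t in $targets) { Test-AvdEndpoint -Address $t.Address -Port $t.Port }
$results | Format-Table -AutoSize

$blocked = @($results | Where-Object Result -eq 'BLOCKED')
if ($blocked.Count -gt 0) {
    $list = ($blocked | ForEach-Object { "$($_.Address):$($_.Port)" }) -join ', '
    Write-Warning "Unblock before deploying session hosts: $list"
}
```

A BLOCKED result for 169.254.169.254 or 168.63.129.16 from a non-Azure machine is expected; those two only answer from inside an Azure VM.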
End user devices
Any device on which you use one of the Remote Desktop clients to connect to Azure Virtual Desktop
must have access to the following FQDNs and endpoints. Allowing these FQDNs and endpoints is
essential for a reliable client experience. Blocking access to these FQDNs and endpoints isn't
supported and affects service functionality.

Select the relevant tab based on which cloud you're using.

Azure cloud

| Address | Protocol | Outbound port | Purpose | Client(s) |
|---|---|---|---|---|
| login.microsoftonline.com | TCP | 443 | Authentication to Microsoft Online Services | All |
| *.wvd.microsoft.com | TCP | 443 | Service traffic | All |
| *.servicebus.windows.net | TCP | 443 | Troubleshooting data | All |
| go.microsoft.com | TCP | 443 | Microsoft FWLinks | All |
| aka.ms | TCP | 443 | Microsoft URL shortener | All |
| learn.microsoft.com | TCP | 443 | Documentation | All |
| privacy.microsoft.com | TCP | 443 | Privacy statement | All |
| *.cdn.office.net | TCP | 443 | Automatic updates | Windows Desktop |
| graph.microsoft.com | TCP | 443 | Service traffic | All |
| windows.cloud.microsoft | TCP | 443 | Connection center | All |
| windows365.microsoft.com | TCP | 443 | Service traffic | All |
| ecs.office.com | TCP | 443 | Connection center | All |

If you're on a closed network with restricted internet access, you might also need to allow the FQDNs
listed here for certificate checks: Azure Certificate Authority details | Microsoft Learn.

Next steps
Check access to required FQDNs and endpoints for Azure Virtual Desktop.

To learn how to unblock these FQDNs and endpoints in Azure Firewall, see Use Azure Firewall to
protect Azure Virtual Desktop.
For more information about network connectivity, see Understanding Azure Virtual Desktop
network connectivity

Check access to required FQDNs and
endpoints for Azure Virtual Desktop
Article • 11/21/2023

In order to deploy Azure Virtual Desktop, you must allow specific FQDNs and endpoints.
You can find the list of FQDNs and endpoints in Required FQDNs and endpoints.

Available as part of the Azure Virtual Desktop Agent (RDAgent) on each session host, the
Azure Virtual Desktop Agent URL Tool enables you to quickly and easily validate whether
your session hosts can access each FQDN and endpoint. If they can't, the tool lists the
required FQDNs and endpoints it can't access so you can unblock them and retest.

Note

The Azure Virtual Desktop Agent URL Tool doesn't verify that you've allowed access to the
wildcard entries we specify for FQDNs, only the specific entries within those wildcards that
depend on the session host location. Make sure the wildcard entries are allowed before you
run the tool.

Prerequisites
You need the following things to use the Azure Virtual Desktop Agent URL Tool:

A session host VM.

Your session host must have .NET Framework 4.6.2 installed.

RDAgent version 1.0.2944.400 or higher on your session host. The executable for the Azure
Virtual Desktop Agent URL Tool is WVDAgentUrlTool.exe and is included in the same
installation folder as the RDAgent, for example C:\Program Files\Microsoft RDInfra\RDAgent_1.0.2944.1200.

The WVDAgentUrlTool.exe file must be in the same folder as the WVDAgentUrlTool.config file.

Use the Azure Virtual Desktop Agent URL Tool
To use the Azure Virtual Desktop Agent URL Tool:

1. Open PowerShell as an administrator on a session host.

2. Run the following commands to change the directory to the same folder as the latest
RDAgent installed on your session host:

PowerShell

# Find the newest installed RDAgent and change to its folder. Querying Win32_Product
# makes Windows Installer validate every installed product, so this can take a while.
$RDAgent = Get-WmiObject -Class Win32_Product |
    Where-Object Name -eq "Remote Desktop Services Infrastructure Agent" |
    Sort-Object Version -Descending
$path = ($RDAgent[0]).InstallSource + "RDAgent_" + ($RDAgent[0]).Version
cd $path

3. Run the following command to run the Azure Virtual Desktop Agent URL Tool:

PowerShell

.\WVDAgentUrlTool.exe

4. Once you run the file, you see a list of accessible and inaccessible FQDNs and endpoints.

For example, the following screenshot shows a scenario where you'd need to unblock two
required FQDNs.

Here's what the output should look like when all required FQDNs and endpoints are
accessible. The Azure Virtual Desktop Agent URL Tool doesn't verify that you allowed
access to the wildcard entries we specify for FQDNs.

5. Repeat these steps on your other session hosts, particularly if they're in a different
Azure region or use a different virtual network.
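The following is an added example, not part of the article or the RDAgent. It finds the newest RDAgent_* folder by parsing the version from the folder name instead of querying Win32_Product (which makes Windows Installer re-validate every installed product on each query), runs WVDAgentUrlTool.exe from that folder so it sits beside WVDAgentUrlTool.config, and returns the tool's output lines with the host name and agent version. The folder root is the one the article gives; the session host names are placeholders, and running it across several hosts assumes PowerShell Remoting (WinRM) is enabled on them.

```powershell
# Added example (not from the article): locate the newest RDAgent folder by version and run
# WVDAgentUrlTool.exe there, locally or over PowerShell Remoting.

$runUrlTool = {
    $root = 'C:\Program Files\Microsoft RDInfra'
    $latest = Get-ChildItem -Path $root -Directory -Filter 'RDAgent_*' -ErrorAction Stop |
        ForEach-Object {
            $v = $null
            # Folder names look like RDAgent_1.0.2944.1200; keep only those that parse as a version.
            if ([version]::TryParse($_.Name.Substring('RDAgent_'.Length), [ref]$v)) {
                [pscustomobject]@{ Path = $_.FullName; Version = $v }
            }
        } |
        Sort-Object Version -Descending | Select-Object -First 1
    if (-not $latest) { throw "No RDAgent_* folder found under $root" }

    # The tool must run from the folder that also holds WVDAgentUrlTool.config.
    $exe = Join-Path $latest.Path 'WVDAgentUrlTool.exe'
    $cfg = Join-Path $latest.Path 'WVDAgentUrlTool.config'
    foreach ($f in @($exe, $cfg)) { if (-not (Test-Path $f)) { throw "Missing $f" } }

    Push-Location $latest.Path
    try {
        [pscustomobject]@{
            SessionHost  = $env:COMPUTERNAME
            AgentVersion = $latest.Version.ToString()
            Output       = @(& $exe 2>&1 | ForEach-Object { "$_" })
        }
    } finally { Pop-Location }
}

# Locally, on one session host (elevated PowerShell):
$local = & $runUrlTool
$local.Output

# Or across several session hosts from a management workstation (placeholder names; assumes WinRM):
$sessionHosts = 'avd-sh-0.contoso.local', 'avd-sh-1.contoso.local'
$all = Invoke-Command -ComputerName $sessionHosts -ScriptBlock $runUrlTool
foreach ($r in $all) {
    "==== $($r.SessionHost) (RDAgent $($r.AgentVersion)) ===="
    $r.Output
}
```

Because the script block is self-contained, the same code runs unchanged locally with `& $runUrlTool` and remotely through Invoke-Command, so you can sweep a whole host pool after a firewall or proxy change.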

Next steps
Review the list of the Required FQDNs and endpoints for Azure Virtual Desktop.
To learn how to unblock these FQDNs and endpoints in Azure Firewall, see Use
Azure Firewall to protect Azure Virtual Desktop.

For more information about network connectivity, see Understanding Azure Virtual
Desktop network connectivity
RDP Shortpath for Azure Virtual
Desktop
Article • 10/11/2024

RDP Shortpath establishes a UDP-based transport between a local device running Windows App
or the Remote Desktop app on supported platforms and a session host in Azure Virtual
Desktop. By default, the Remote Desktop Protocol (RDP) begins with a TCP-based reverse
connect transport, then tries to establish the remote session over UDP. If the UDP
connection succeeds, the TCP connection is dropped; otherwise the TCP connection is used as
the fallback connection mechanism.

UDP-based transport offers better connection reliability and more consistent latency.
TCP-based reverse connect transport provides the best compatibility with various
networking configurations and has a high success rate for establishing RDP connections.

RDP Shortpath can be used in two ways:

1. Managed networks, where direct connectivity is established between the client and the
session host over a private connection, such as Azure ExpressRoute or a site-to-site
virtual private network (VPN). A connection using a managed network is established in one
of the following ways:

a. A direct UDP connection between the client device and the session host, where you need
to enable the RDP Shortpath listener and allow an inbound port on each session host to
accept connections.

b. A direct UDP connection between the client device and the session host, using the Simple
Traversal Underneath NAT (STUN) protocol between the client and the session host. Inbound
ports on the session host don't need to be allowed.

2. Public networks, where direct connectivity is established between the client and the
session host over a public connection. There are two connection types when using a public
connection, listed here in order of preference:

a. A direct UDP connection using the Simple Traversal Underneath NAT (STUN) protocol between
the client and the session host.

b. A relayed UDP connection using the Traversal Using Relay NAT (TURN) protocol between the
client and the session host.

The transport used for RDP Shortpath is based on the Universal Rate Control Protocol
(URCP). URCP enhances UDP with active monitoring of network conditions and provides fair
and full link utilization. URCP operates at low delay and loss levels as needed.

Important

RDP Shortpath for public networks via STUN for Azure Virtual Desktop is available in the
Azure public cloud and Azure Government cloud.
RDP Shortpath for public networks via TURN for Azure Virtual Desktop is only available in
the Azure public cloud.

Key benefits
Using RDP Shortpath has the following key benefits:

Using URCP to enhance UDP achieves the best performance by dynamically learning network
parameters and providing the protocol with a rate control mechanism.

Higher throughput.

When using STUN, the removal of extra relay points reduces round-trip time, which improves
connection reliability and the user experience with latency-sensitive applications and
input methods.

In addition, for managed networks:

RDP Shortpath brings support for configuring Quality of Service (QoS) priority for RDP
connections through Differentiated Services Code Point (DSCP) marks.

The RDP Shortpath transport allows limiting outbound network traffic by specifying a
throttle rate for each session.

How RDP Shortpath works
To learn how RDP Shortpath works for managed networks and public networks, select each of
the following tabs.

Managed networks

You can achieve the direct line-of-sight connectivity required to use RDP Shortpath with
managed networks using the following methods:

ExpressRoute private peering

Site-to-site or point-to-site VPN (IPsec), such as Azure VPN Gateway

Having direct line-of-sight connectivity means that the client can connect directly to the
session host without being blocked by firewalls.

Note

If you're using other VPN types to connect to Azure, we recommend using a UDP-based VPN.
While most TCP-based VPN solutions support nested UDP, they add the inherent overhead of
TCP congestion control, which slows down RDP performance.

To use RDP Shortpath for managed networks, you must enable a UDP listener on your session
hosts. By default, port 3390 is used, although you can use a different port.

The following diagram gives a high-level overview of the network connections


when using RDP Shortpath for managed networks and session hosts joined to an
Active Directory domain.


Connection sequence
All connections begin by establishing a TCP-based reverse connect transport over the Azure
Virtual Desktop Gateway. Then, the client and session host establish the initial RDP
transport and start exchanging their capabilities. These capabilities are negotiated using
the following process:

1. The session host sends the list of its IPv4 and IPv6 addresses to the client.

2. The client starts a background thread to establish a parallel UDP-based transport
directly to one of the session host's IP addresses.

3. While the client is probing the provided IP addresses, it continues to establish the
initial connection over the reverse connect transport to ensure there's no delay in the
user connection.

4. If the client has a direct connection to the session host, the client establishes a
secure connection using TLS over reliable UDP.

5. After establishing the RDP Shortpath transport, all Dynamic Virtual Channels (DVCs),
including remote graphics, input, and device redirection, are moved to the new transport.
However, if a firewall or network topology prevents the client from establishing direct
UDP connectivity, RDP continues with the reverse connect transport.

If your users have both RDP Shortpath for managed networks and public networks available
to them, the first-found algorithm is used: the user gets whichever connection is
established first for that session.

Connection security
RDP Shortpath extends RDP multi-transport capabilities. It doesn't replace the reverse
connect transport but complements it. Initial session brokering is managed through the
Azure Virtual Desktop service and the reverse connect transport. All connection attempts
are ignored unless they match the reverse connect session first. RDP Shortpath is
established after authentication, and if successfully established, the reverse connect
transport is dropped and all traffic flows over RDP Shortpath.

RDP Shortpath uses a secure connection using TLS over reliable UDP between the client and
the session host using the session host's certificates. By default, the certificate used
for RDP encryption is self-generated by the operating system during deployment. You can
also deploy centrally managed certificates issued by an enterprise certification
authority. For more information about certificate configurations, see Remote Desktop
listener certificate configurations.

Note

The security offered by RDP Shortpath is the same as that offered by the TCP reverse
connect transport.

Example scenarios
Here are some example scenarios to show how connections are evaluated to decide
whether RDP Shortpath is used across different network topologies.

Scenario 1
A UDP connection can only be established between the client device and the session host
over a public network (internet). A direct connection, such as a VPN, isn't available.
UDP is allowed through the firewall or NAT device.

Scenario 2
A firewall or NAT device is blocking a direct UDP connection, but a UDP connection can be
relayed using TURN between the client device and the session host over a public network
(internet). Another direct connection, such as a VPN, isn't available.

Scenario 3
A UDP connection can be established between the client device and the session host over a
public network or over a direct VPN connection, but RDP Shortpath for managed networks
isn't enabled. When the client initiates the connection, the ICE/STUN protocol can see
multiple routes, evaluates each route, and chooses the one with the lowest latency.

In this example, a UDP connection using RDP Shortpath for public networks over the direct
VPN connection is made as it has the lowest latency, as shown by the green line.

Scenario 4
Both RDP Shortpath for public networks and managed networks are enabled. A UDP connection
can be established between the client device and the session host over a public network
or over a direct VPN connection. When the client initiates the connection, there are
simultaneous attempts to connect using RDP Shortpath for managed networks through port
3390 (by default) and RDP Shortpath for public networks through the ICE/STUN protocol. The
first-found algorithm is used and the user gets whichever connection is established first
for that session.

Since going over a public network has more steps, for example a NAT device, a load
balancer, or a STUN server, it's likely that the connection using RDP Shortpath for
managed networks is established first and is the one the first-found algorithm selects.

Scenario 5
A UDP connection can be established between the client device and the session host over a
public network or over a direct VPN connection, but RDP Shortpath for managed networks
isn't enabled. To prevent ICE/STUN from using a particular route, an admin can block one
of the routes for UDP traffic. Blocking a route ensures the remaining path is always used.

In this example, UDP is blocked on the direct VPN connection and the ICE/STUN protocol
establishes a connection over the public network.

Scenario 6
Both RDP Shortpath for public networks and managed networks are configured, but a UDP
connection couldn't be established over the direct VPN connection. A firewall or NAT
device is also blocking a direct UDP connection over the public network (internet), but a
UDP connection can be relayed using TURN between the client device and the session host
over the public network (internet).

Scenario 7
Both RDP Shortpath for public networks and managed networks are configured, but a UDP
connection couldn't be established at all. In this instance, RDP Shortpath fails and the
connection falls back to the TCP-based reverse connect transport.

Next steps
Learn how to Configure RDP Shortpath.
Learn more about Azure Virtual Desktop network connectivity at Understanding Azure Virtual Desktop network connectivity.
Understand Azure egress network charges.
To understand how to estimate the bandwidth used by RDP, see RDP bandwidth requirements.

Configure RDP Shortpath for Azure
Virtual Desktop
Article • 10/03/2024

Important

RDP Shortpath for public networks via TURN for Azure Virtual Desktop is only available in
the Azure public cloud.

Users can connect to a remote session from Azure Virtual Desktop using the Remote Desktop
Protocol (RDP) with a UDP-based or TCP-based transport. RDP Shortpath establishes a
UDP-based transport between a local device running Windows App or the Remote Desktop app
on supported platforms and a session host.

UDP-based transport offers better connection reliability and more consistent latency.
TCP-based reverse connect transport provides the best compatibility with various
networking configurations and has a high success rate for establishing RDP connections.
If a UDP connection can't be established, a TCP-based reverse connect transport is used
as a fallback connection method.

There are four options for RDP Shortpath that provide flexibility for how client devices
connect to a remote session using UDP:

RDP Shortpath for managed networks: A direct UDP connection between a client
device and session host using a private connection, such as ExpressRoute private
peering or a virtual private network (VPN). You enable the RDP Shortpath listener
on session hosts and allow an inbound port to accept connections.

RDP Shortpath for managed networks with ICE/STUN: A direct UDP connection
between a client device and session host using a private connection, such as
ExpressRoute private peering or a virtual private network (VPN). When the RDP
Shortpath listener isn't enabled on session hosts and an inbound port isn't allowed,
ICE/STUN is used to discover available IP addresses and a dynamic port that can be
used for a connection. The port range is configurable.

RDP Shortpath for public networks with ICE/STUN: A direct UDP connection
between a client device and session host using a public connection. ICE/STUN is
used to discover available IP addresses and a dynamic port that can be used for a
connection. The RDP Shortpath listener and an inbound port aren't required. The
port range is configurable.
RDP Shortpath for public networks via TURN: A relayed UDP connection between
a client device and session host using a public connection where TURN relays
traffic through an intermediate server between a client and session host. An
example of when you use this option is if a connection uses Symmetric NAT. A
dynamic port is used for a connection; the port range is configurable. For a list of
Azure regions that TURN is available, see supported Azure regions with TURN
availability. The connection from the client device must also be within a supported
location. The RDP Shortpath listener and an inbound port aren't required.

Which of the four options your client devices can use is also dependent on their network
configuration. To learn more about how RDP Shortpath works, together with some
example scenarios, see RDP Shortpath.

This article lists the default configuration for each of the four options and how to
configure them. It also provides steps to verify that RDP Shortpath is working and how to
disable it if needed.

Tip

RDP Shortpath for public networks with STUN or TURN works automatically without any
additional configuration, if networks and firewalls allow the traffic through and the RDP
transport settings in the Windows operating system on session hosts and clients are at
their default values.

Default configuration
Your session hosts, the networking settings of the related host pool, and client devices
need to be configured for RDP Shortpath. What you need to configure depends on
which of the four RDP Shortpath options you want to use and also the network
topology and configuration of client devices.

Here are the default behaviors for each option and what you need to configure:

| RDP Shortpath option | Session host settings | Host pool networking settings | Client device settings |
|---|---|---|---|
| RDP Shortpath for managed networks | UDP and TCP are enabled in Windows by default. You need to enable the RDP Shortpath listener on session hosts using Microsoft Intune or Group Policy, and allow an inbound port to accept connections. | Default (enabled) | UDP and TCP are enabled in Windows by default. |
| RDP Shortpath for managed networks with ICE/STUN | UDP and TCP are enabled in Windows by default. You don't need any extra configuration, but you can limit the port range used. | Default (enabled) | UDP and TCP are enabled in Windows by default. |
| RDP Shortpath for public networks with ICE/STUN | UDP and TCP are enabled in Windows by default. You don't need any extra configuration, but you can limit the port range used. | Default (enabled) | UDP and TCP are enabled in Windows by default. |
| RDP Shortpath for public networks via TURN | UDP and TCP are enabled in Windows by default. You don't need any extra configuration, but you can limit the port range used. | Default (enabled) | UDP and TCP are enabled in Windows by default. |

Prerequisites
Before you enable RDP Shortpath, you need:

A client device running one of the following apps:

Windows App on the following platforms:
Windows
macOS
iOS/iPadOS
Android/Chrome OS (preview)

Remote Desktop app on the following platforms:
Windows, version 1.2.3488 or later
macOS
iOS/iPadOS
Android/Chrome OS

For RDP Shortpath for managed networks, you need direct connectivity between the client
and the session host. This means that the client can connect directly to the session host
on port 3390 (default) and isn't blocked by firewalls (including the Windows Firewall) or
a network security group. Examples of a managed network are ExpressRoute private peering
or a site-to-site or point-to-site VPN (IPsec), such as Azure VPN Gateway.

For RDP Shortpath for public networks, you need:

Internet access for both clients and session hosts. Session hosts require outbound UDP
connectivity to the internet, or at least to the STUN and TURN servers. To reduce the
number of ports required, you can limit the port range used with STUN and TURN.

Make sure session hosts and clients can connect to the STUN and TURN servers. You can find
details of the IP subnets, ports, and protocols used by the STUN and TURN servers at
Network configuration.

If you want to use Azure PowerShell locally, see Use Azure CLI and Azure PowerShell with
Azure Virtual Desktop to make sure you have the Az.DesktopVirtualization PowerShell module
installed. Alternatively, use the Azure Cloud Shell.

Parameters to configure RDP Shortpath using Azure PowerShell are added in version 5.2.1
preview of the Az.DesktopVirtualization module. You can download and install it from the
PowerShell Gallery.

Enable the RDP Shortpath listener for RDP Shortpath for managed networks
For the option RDP Shortpath for managed networks, you need to enable the RDP Shortpath
listener on your session hosts and open an inbound port to accept connections. You can do
this using Microsoft Intune or Group Policy in an Active Directory domain.

Important

You don't need to enable the RDP Shortpath listener for the other three RDP Shortpath
options, as they use ICE/STUN or TURN to discover available IP addresses and a dynamic
port that is used for a connection.
Select the relevant tab for your scenario.

Microsoft Intune

To enable the RDP Shortpath listener on your session hosts using Microsoft Intune:

1. Sign in to the Microsoft Intune admin center .

2. Create or edit a configuration profile for Windows 10 and later devices, with
the Settings catalog profile type.

3. In the settings picker, browse to Administrative templates > Windows


Components > Remote Desktop Services > Remote Desktop Session Host >
Azure Virtual Desktop.

4. Check the box for Enable RDP Shortpath for managed networks, then close
the settings picker.

5. Expand the Administrative templates category, then toggle the switch for
Enable RDP Shortpath for managed networks to Enabled.

6. Select Next.

7. Optional: On the Scope tags tab, select a scope tag to filter the profile. For
more information about scope tags, see Use role-based access control (RBAC)
and scope tags for distributed IT.

8. On the Assignments tab, select the group containing the computers providing
a remote session you want to configure, then select Next.

9. On the Review + create tab, review the settings, then select Create.
10. Make sure Windows Firewall and any other firewalls you have allow the port you
configured inbound to your session hosts. Follow the steps in Firewall policy for
endpoint security in Intune.

11. Once the policy applies to the computers providing a remote session, restart
them for the settings to take effect.
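The following script is an added example, not from the article or from Microsoft. It does on one session host what the Intune profile above does, plus the two things a practitioner usually wants alongside it: an inbound Windows Firewall rule for the listener that is scoped to the managed network's address ranges only (the listener has no reason to be reachable from anywhere else, and the public-network options don't need an inbound port at all), and a check that the listener is actually bound after the restart. The registry value names fUseUdpPortRedirector and UdpPortNumber under the WinStations key, and the TermService/svchost binding on the rule, are taken from the Group Policy equivalent of the Intune setting rather than from this page, so treat them as assumptions to verify against your policy template. The address prefixes are placeholders for your ExpressRoute or VPN client ranges. Run it elevated; a restart is required after changing the listener settings.

```powershell
# Added example (not from the article): enable the RDP Shortpath listener for managed
# networks, scope the inbound firewall rule to the managed network, and verify the listener.
# Assumed registry values: fUseUdpPortRedirector, UdpPortNumber (Group Policy equivalent).

$Port            = 3390                                    # default listener port
$ManagedPrefixes = @('10.10.0.0/16', '192.168.50.0/24')    # placeholder ExpressRoute/VPN client ranges

$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations'
New-ItemProperty -Path $key -Name 'fUseUdpPortRedirector' -PropertyType DWORD -Value 1     -Force | Out-Null
New-ItemProperty -Path $key -Name 'UdpPortNumber'         -PropertyType DWORD -Value $Port -Force | Out-Null

# Least privilege: only the managed-network ranges may reach the listener. STUN/TURN-based
# options never need this rule, so don't widen it to Any.
$ruleName = 'RemoteDesktop-UserMode-In-Shortpath-UDP'
Get-NetFirewallRule -Name $ruleName -ErrorAction SilentlyContinue | Remove-NetFirewallRule
New-NetFirewallRule -Name $ruleName -DisplayName 'Remote Desktop - RDP Shortpath (UDP-In)' `
    -Direction Inbound -Action Allow -Protocol UDP -LocalPort $Port `
    -RemoteAddress $ManagedPrefixes -Profile Domain, Private `
    -Service TermService -Program '%SystemRoot%\system32\svchost.exe' -Enabled True | Out-Null

function Test-ShortpathListener {
    param([int]$Port = 3390)
    # After a restart, the Remote Desktop Services process should own a UDP socket on the port.
    $ep = Get-NetUDPEndpoint -LocalPort $Port -ErrorAction SilentlyContinue
    if (-not $ep) {
        return [pscustomobject]@{ Port = $Port; Listening = $false; OwnedByTermService = $false }
    }
    $svc   = Get-CimInstance Win32_Service -Filter "Name='TermService'"
    $owner = $ep | Where-Object OwningProcess -eq $svc.ProcessId
    [pscustomobject]@{ Port = $Port; Listening = $true; OwnedByTermService = [bool]$owner }
}

Write-Host "Restart the session host, then run: Test-ShortpathListener -Port $Port"
```

If Test-ShortpathListener reports Listening but not OwnedByTermService, something else has claimed the port and you should pick a different UdpPortNumber; if it reports nothing listening after the restart, the host pool networking setting or a conflicting policy is the usual cause.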

Check that UDP is enabled on session hosts
For session hosts, UDP is enabled by default in Windows. To check the RDP transport
protocols setting in the Windows registry to verify that UDP is enabled:

1. Open a PowerShell prompt on a session host.

2. Run the following commands, which check the registry and output the current RDP
transport protocols setting:

PowerShell

$regPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
# The policy key only exists once a policy has written to it; treat a missing key as the default.
$regKey = Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue

If ($regKey -and ($regKey.PSObject.Properties.Name -contains "SelectTransport")) {
    # Values of the "Select RDP transport protocols" policy: 0 = both, 1 = TCP only, 2 = either.
    switch ($regKey.SelectTransport) {
        0 { Write-Output "The RDP transport protocols setting has changed. Its value is: Use both UDP and TCP." }
        1 { Write-Output "The RDP transport protocols setting has changed. Its value is: Use only TCP. UDP is disabled." }
        2 { Write-Output "The RDP transport protocols setting has changed. Its value is: Use either UDP or TCP." }
        default { Write-Output "The RDP transport protocols setting has an unexpected value: $($regKey.SelectTransport)" }
    }
} else {
    Write-Output "The RDP transport protocols setting hasn't been changed from its default value. UDP is enabled."
}

The output should be similar to the following example:

Output

The RDP transport protocols setting hasn't been changed from its default value. UDP is enabled.
If the output states that the value is Use only TCP it's likely that the value has been
changed by Microsoft Intune or Group Policy in an Active Directory domain. You
need to enable UDP in one of the following ways:

a. Edit the existing Microsoft Intune policy or Active Directory Group Policy that
targets your session hosts. The policy setting is at one of these locations:

For Intune policy: Administrative Templates > Windows Components >


Remote Desktop Services > Remote Desktop Session Host >
Connections > Select RDP transport protocols.

For Group Policy: Computer Configuration > Policies > Administrative


Templates > Windows Components > Remote Desktop Services >
Remote Desktop Session Host > Connections > Select RDP transport
protocols.

b. Either set the setting to Not configured, or set it to Enabled, then for Select
Transport Type, select Use both UDP and TCP.

c. Update the policy on the session hosts, then restart them for the settings to
take effect.

Configure host pool networking settings
You can granularly control how RDP Shortpath is used by configuring the networking
settings of a host pool using the Azure portal or Azure PowerShell. Configuring RDP
Shortpath on the host pool lets you optionally set which of the four RDP Shortpath options
you want to use, and is used alongside the session host configuration.

Where there's a conflict between the host pool and session host configuration, the most
restrictive setting is used. For example, if RDP Shortpath for managed networks is
configured with the listener enabled on the session host but the host pool setting is
Disabled, RDP Shortpath for managed networks won't work.

Select the relevant tab for your scenario.

Azure portal

Here's how to configure RDP Shortpath in the host pool networking settings using
the Azure portal:

1. Sign in to the Azure portal .


2. In the search bar, type Azure Virtual Desktop and select the matching service
entry.

3. Select Host pools, then select the host pool you want to configure.

4. Select Networking, then select RDP Shortpath.

5. For each option, select a value from the drop-down each based on your
requirements. Default corresponds to Enabled for each option.

6. Select Save.
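The following is an added example, not from the article, showing the same host pool configuration through Azure PowerShell. It sets a restrictive posture that keeps RDP Shortpath only over the managed network and disables both public-network paths, which matters because the host pool setting wins whenever it is more restrictive than the session host configuration. The parameter names ManagedPrivateUdp, DirectUdp, PublicUdp and RelayUdp (values Default, Enabled, Disabled) are assumed from the 5.2.1 preview Az.DesktopVirtualization module the article mentions, as are the matching property names on the host pool object; the script checks that the installed cmdlet exposes the parameters before calling it. The resource names are placeholders.

```powershell
# Added example (not from the article): set the four RDP Shortpath options on a host pool.
# Assumed parameter/property names: ManagedPrivateUdp, DirectUdp, PublicUdp, RelayUdp.

$ResourceGroup = 'rg-avd-prod'   # placeholder
$HostPool      = 'hp-avd-prod'   # placeholder

# Managed-network-only posture: keep the two managed options, disable public STUN and TURN.
$desired = @{
    ManagedPrivateUdp = 'Enabled'    # RDP Shortpath for managed networks (listener on the host)
    DirectUdp         = 'Enabled'    # RDP Shortpath for managed networks with ICE/STUN
    PublicUdp         = 'Disabled'   # RDP Shortpath for public networks with ICE/STUN
    RelayUdp          = 'Disabled'   # RDP Shortpath for public networks via TURN
}

function Assert-ShortpathParameters {
    param([Parameter(Mandatory)][string]$Command, [Parameter(Mandatory)][string[]]$Names)
    # Fail early if the installed module predates the RDP Shortpath parameters.
    $cmd = Get-Command $Command -ErrorAction Stop
    $missing = @($Names | Where-Object { -not $cmd.Parameters.ContainsKey($_) })
    if ($missing.Count -gt 0) {
        throw "$Command lacks: $($missing -join ', '). Install Az.DesktopVirtualization 5.2.1-preview or later."
    }
}

Assert-ShortpathParameters -Command 'Update-AzWvdHostPool' -Names $desired.Keys
Update-AzWvdHostPool -ResourceGroupName $ResourceGroup -Name $HostPool @desired | Out-Null

# Read the settings back so a value that didn't apply, or later drift, is visible.
Get-AzWvdHostPool -ResourceGroupName $ResourceGroup -Name $HostPool |
    Select-Object Name, ManagedPrivateUdp, DirectUdp, PublicUdp, RelayUdp
```

Because the host pool setting is the more restrictive of the two, disabling PublicUdp and RelayUdp here prevents a session host with default Windows settings from negotiating a public-network UDP path even though nothing on the host itself was changed.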

Check that UDP is enabled on Windows client devices
For Windows client devices, UDP is enabled by default. To check in the Windows registry to
verify that UDP is enabled:

1. Open a PowerShell prompt on a Windows client device.

2. Run the following commands, which check the registry and output the current setting:

PowerShell

$regPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\Client"
# The policy key only exists once a policy has written to it; treat a missing key as the default.
$regKey = Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue

If ($regKey -and ($regKey.PSObject.Properties.Name -contains "fClientDisableUDP")) {
    If ($regKey.fClientDisableUDP -eq 1) {
        Write-Output "The default setting has changed. UDP is disabled."
    } else {
        Write-Output "The default setting has changed, but UDP is enabled."
    }
} else {
    Write-Output "The default setting hasn't been changed from its default value. UDP is enabled."
}

The output should be similar to the following example:

Output

The default setting hasn't been changed from its default value. UDP is enabled.

If the output states that UDP is disabled, it's likely that the value has been changed by
Microsoft Intune or Group Policy in an Active Directory domain. You need to enable UDP in
one of the following ways:

a. Edit the existing Microsoft Intune policy or Active Directory Group Policy that targets
your client devices. The policy setting is at one of these locations:

For Intune policy: Administrative Templates > Windows Components > Remote Desktop
Services > Remote Desktop Connection Client > Turn Off UDP On Client.

For Group Policy: Computer Configuration > Policies > Administrative Templates > Windows
Components > Remote Desktop Services > Remote Desktop Connection Client > Turn Off UDP On
Client.

b. Either set the setting to Not configured, or set it to Disabled.

c. Update the policy on the client devices, then restart them for the settings to take
effect.

Check client device STUN/TURN server connectivity and NAT type
You can validate that a client device can connect to the STUN/TURN endpoints, whether NAT
is in use and its type, and that basic UDP functionality works by running the executable
avdnettest.exe. Here's a download link to the latest version of avdnettest.exe.

You can run avdnettest.exe by double-clicking the file, or running it from the command
line. The output looks similar to the following if connectivity is successful:

Checking DNS service ... OK
Checking TURN support ... OK
Checking ACS server 20.202.68.109:3478 ... OK
Checking ACS server 20.202.21.66:3478 ... OK

You have access to TURN servers and your NAT type appears to be 'cone shaped'.
Shortpath for public networks is very likely to work on this host.

If your environment uses Symmetric NAT, then you can use a relayed connection with TURN.
For more information you can use to configure firewalls and Network Security Groups, see
Network configurations for RDP Shortpath.

Optional: Enable Teredo support
While not required for RDP Shortpath, Teredo adds extra NAT traversal candidates and
increases the chance of a successful RDP Shortpath connection in IPv4-only networks. You
can enable Teredo on both session hosts and clients with PowerShell:

1. Open a PowerShell prompt as an administrator.

2. Run the following command:

PowerShell

Set-NetTeredoConfiguration -Type Enterpriseclient

3. Restart the session hosts and client devices for the settings to take effect.

Limit the port range used with STUN and TURN


By default, RDP Shortpath options that use STUN or TURN use an ephemeral port range
of 49152 to 65535 to establish a direct path between server and client. However, you
might want to configure your session hosts to use a smaller, predictable port range.
You can set a smaller default range of ports 38300 to 39299, or you can specify your
own port range to use. When enabled on your session hosts, Windows App or the
Remote Desktop app randomly selects the port from the range you specify for every
connection. If this range is exhausted, connections fall back to using the default port
range (49152-65535).

When choosing the base and pool size, consider the number of ports you need. The
range must be between 1024 and 49151, after which the ephemeral port range begins.

You can limit the port range using Microsoft Intune or Group Policy in an Active
Directory domain. Select the relevant tab for your scenario.

Microsoft Intune

To limit the port range used with STUN and TURN using Microsoft Intune:

1. Sign in to the Microsoft Intune admin center .

2. Create or edit a configuration profile for Windows 10 and later devices, with
the Settings catalog profile type.

3. In the settings picker, browse to Administrative templates > Windows
Components > Remote Desktop Services > Remote Desktop Session Host >
Azure Virtual Desktop.

4. Check the box for Use port range for RDP Shortpath for unmanaged
networks, then close the settings picker.

5. Expand the Administrative templates category, then toggle the switch for Use
port range for RDP Shortpath for unmanaged networks to Enabled.
6. Enter values for Port pool size (Device) and UDP base port (Device). The
default values are 1000 and 38300 respectively.

7. Select Next.

8. Optional: On the Scope tags tab, select a scope tag to filter the profile. For
more information about scope tags, see Use role-based access control (RBAC)
and scope tags for distributed IT.

9. On the Assignments tab, select the group containing the computers providing
a remote session you want to configure, then select Next.

10. On the Review + create tab, review the settings, then select Create.

11. Once the policy applies to the computers providing a remote session, restart
them for the settings to take effect.
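
Where neither Intune nor Group Policy reaches a machine (a lab host, or an image being baked), the same policy can be written directly to the registry-backed values behind the "Use port range for RDP Shortpath for unmanaged networks" setting, and the range checks the article describes (base between 1024 and 49151, pool not spilling into the ephemeral range) can be enforced before anything is written. The following is an added example, not code from the original page or from Microsoft; it assumes the value names ICEEnableClientPortRange, ICEClientPortBase and ICEClientPortRange under the Terminal Services policy key, which you should confirm against the ADMX template version deployed in your environment.

```powershell
# Added example (not from the original page): set the RDP Shortpath STUN/TURN client port
# range directly and read it back, with the same bounds the policy UI enforces.
# Assumption: ICEEnableClientPortRange / ICEClientPortBase / ICEClientPortRange are the
# registry values behind the ADMX setting; verify against your template before relying on it.
#Requires -RunAsAdministrator

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Set-AvdShortpathPortRange {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Base must sit below 49152, where the Windows ephemeral range starts.
        [ValidateRange(1024, 49151)] [int] $UdpBasePort  = 38300,
        [ValidateRange(1, 48128)]    [int] $PortPoolSize = 1000
    )

    # The whole pool, not just the base, has to stay out of the ephemeral range.
    $lastPort = $UdpBasePort + $PortPoolSize - 1
    if ($lastPort -gt 49151) {
        throw "Pool $UdpBasePort-$lastPort overlaps the ephemeral range; lower the base or shrink the pool."
    }

    if ($PSCmdlet.ShouldProcess($PolicyKey, "Set RDP Shortpath port range $UdpBasePort-$lastPort")) {
        if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
        New-ItemProperty -Path $PolicyKey -Name ICEEnableClientPortRange -PropertyType DWord -Value 1             -Force | Out-Null
        New-ItemProperty -Path $PolicyKey -Name ICEClientPortBase        -PropertyType DWord -Value $UdpBasePort  -Force | Out-Null
        New-ItemProperty -Path $PolicyKey -Name ICEClientPortRange       -PropertyType DWord -Value $PortPoolSize -Force | Out-Null
    }

    [pscustomobject]@{ BasePort = $UdpBasePort; PoolSize = $PortPoolSize; LastPort = $lastPort }
}

function Get-AvdShortpathPortRange {
    # Report the effective range so it can be compared with the outbound UDP firewall/NSG rule.
    $p = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    if (-not $p -or $p.ICEEnableClientPortRange -ne 1) { return 'Default ephemeral range 49152-65535' }
    '{0}-{1}' -f $p.ICEClientPortBase, ($p.ICEClientPortBase + $p.ICEClientPortRange - 1)
}

# Apply the documented default (38300-39299), then show what is now in effect.
Set-AvdShortpathPortRange -UdpBasePort 38300 -PortPoolSize 1000
Get-AvdShortpathPortRange
```

As with the Intune and Group Policy paths, the change only takes effect after the machine is restarted, and the outbound UDP rule on the host firewall and NSG must allow exactly the range this reports, otherwise connections silently fall back to the default 49152-65535 range or to TCP.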

Verify RDP Shortpath is working

Once you configure RDP Shortpath, connect to a remote session from a client device
and check the connection is using UDP. You can verify the transport in use with either
the Connection Information dialog from Windows App or the Remote Desktop app,
Event Viewer logs on the client device, or by using Log Analytics in the Azure portal.

Select the relevant tab for your scenario.

Connection information

To make sure connections are using RDP Shortpath, you can check the connection
information on the client:

1. Connect to a remote session.

2. Open the Connection Information dialog by going to the Connection tool bar
on the top of the screen and selecting the signal strength icon.

3. Verify in the output that UDP is in use. The transport protocol value tells you
which RDP Shortpath path was negotiated:

If a direct connection with RDP Shortpath for managed networks is used,
the transport protocol has the value UDP (Private Network).

If STUN is used, the transport protocol has the value UDP.

If TURN is used, the transport protocol has the value UDP (Relay).
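
The Connection Information dialog only covers the session in front of you. For the Event Viewer method the article lists, the following added example (not code from the original page or from Microsoft) summarises, across all connections to a session host in the last day, how many negotiated UDP and how many fell back to TCP. It assumes the RemoteDesktopServices-RdpCoreCDV operational log and the "transport type set to ..." message text used by that method; adjust the log name and pattern if the Event Viewer tab for your client version documents something different.

```powershell
# Added example, not from the original page: run on a session host to count recent
# connections by negotiated transport. UDP means RDP Shortpath, TCP means reverse connect.
# Assumption: the log name and the "transport type set to <X>" message fragment match what
# the Event Viewer verification method describes; verify both on one known-good connection.

$LogName = 'Microsoft-Windows-RemoteDesktopServices-RdpCoreCDV/Operational'

function Get-AvdTransportSummary {
    param([int] $Hours = 24)

    $since  = (Get-Date).AddHours(-$Hours)
    $events = Get-WinEvent -FilterHashtable @{ LogName = $LogName; StartTime = $since } `
                           -ErrorAction SilentlyContinue

    $rows = foreach ($e in $events) {
        # Only the "connection finished" events carry the transport; skip everything else.
        if ($e.Message -match 'transport type set to (?<t>[A-Za-z]+)') {
            [pscustomobject]@{ Time = $e.TimeCreated; EventId = $e.Id; Transport = $Matches.t }
        }
    }

    if (-not $rows) { return [pscustomobject]@{ Transport = 'none found'; Count = 0 } }
    $rows | Group-Object Transport | Select-Object @{ n = 'Transport'; e = { $_.Name } }, Count
}

Get-AvdTransportSummary -Hours 24
```

A fleet where most rows say TCP after Shortpath was rolled out usually points at a firewall or NSG blocking the UDP range rather than at the policy itself; the avdnettest.exe output above is the quickest way to confirm that from the client side.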

Related content
If you're having trouble establishing a connection using the RDP Shortpath transport for
public networks, see Troubleshoot RDP Shortpath.


Implement Quality of Service (QoS) for
Azure Virtual Desktop
Article • 05/25/2022

RDP Shortpath for managed networks provides a direct UDP-based transport between the
Remote Desktop client and the session host, and it enables configuration of Quality of
Service (QoS) policies for the RDP data. QoS in Azure Virtual Desktop allows real-time RDP
traffic that's sensitive to network delays to "cut in line" in front of traffic that's
less sensitive. An example of such less sensitive traffic is downloading a new app, where
an extra second to download isn't a large deal. QoS uses Windows Group Policy Objects to
identify and mark all packets in real-time streams and help your network give RDP traffic
a dedicated portion of bandwidth.

If you support a large group of users experiencing any of the problems described in this
article, you probably need to implement QoS. A small business with few users might not
need QoS, but it should be helpful even there.

Without some form of QoS, you might see the following issues:

Jitter – RDP packets arriving at different rates, which can result in visual and audio
glitches
Packet loss – packets dropped, which results in retransmission that requires
additional time
Delayed round-trip time (RTT) – RDP packets taking a long time to reach their
destinations, which result in noticeable delays between input and reaction from the
remote application.

The least complicated way to address these issues is to increase the data connections'
size, both internally and out to the internet. Since that is often cost-prohibitive, QoS
provides a way to manage the resources you have more effectively instead of adding
bandwidth. To address quality issues, we recommend that you first use QoS, then add
bandwidth only where necessary.

For QoS to be effective, you must apply consistent QoS settings throughout your
organization. Any part of the path that fails to support your QoS priorities can degrade
the quality of the RDP session.

Introduction to QoS queues

To provide QoS, network devices must have a way to classify traffic and must be able to
distinguish RDP from other network traffic.

When network traffic enters a router, the traffic is placed into a queue. If a QoS policy
isn't configured, there is only one queue, and all data is treated as first-in, first-out with
the same priority. That means RDP traffic might get stuck behind traffic where a few
extra milliseconds delay wouldn't be a problem.

When you implement QoS, you define multiple queues using one of several congestion
management features, such as Cisco's priority queuing and Class-Based Weighted Fair
Queueing (CBWFQ), and congestion avoidance features, such as weighted random
early detection (WRED).

A simple analogy is that QoS creates virtual "carpool lanes" in your data network. So
some types of data never or rarely encounter a delay. Once you create those lanes, you
can adjust their relative size and much more effectively manage the connection
bandwidth you have while still delivering business-grade experiences for your
organization's users.

QoS implementation checklist

At a high level, do the following to implement QoS:

1. Make sure your network is ready

2. Make sure that RDP Shortpath for managed networks is enabled - QoS policies are
not supported for reverse connect transport

3. Implement insertion of DSCP markers on session hosts

As you prepare to implement QoS, keep the following guidelines in mind:

The shortest path to the session host is best

Any obstacles in between, such as proxies or packet inspection devices, aren't
recommended

Make sure your network is ready

If you're considering a QoS implementation, you should already have determined your
bandwidth requirements and other network requirements.

Traffic congestion across a network will significantly impact media quality. A lack of
bandwidth leads to performance degradation and a poor user experience. As Azure
Virtual Desktop adoption and usage grows, use Log Analytics to identify problems and
then make adjustments using QoS and selective bandwidth additions.

VPN considerations
QoS only works as expected when implemented on all links between clients and session
hosts. If you use QoS on an internal network and a user signs in from a remote location,
you can only prioritize within your internal, managed network. Although remote
locations can receive a managed connection by implementing a virtual private network
(VPN), a VPN inherently adds packet overhead and creates delays in real-time traffic.

In a global organization with managed links that span continents, we strongly
recommend QoS because bandwidth for those links is limited compared to the LAN.

Insert DSCP markers

You can implement QoS using a Group Policy Object (GPO) to direct session hosts to
insert a DSCP marker in IP packet headers, identifying the packets as a particular type of
traffic. Routers and other network devices can be configured to recognize these markings
and put the traffic in a separate, higher-priority queue.

You can compare DSCP markings to postage stamps that indicate to postal workers how
urgent the delivery is and how best to sort it for speedy delivery. Once you've
configured your network to give priority to RDP streams, lost packets and late packets
should diminish significantly.

Once all network devices are using the same classifications, markings, and priorities, it's
possible to reduce or eliminate delays, dropped packets, and jitter. From the RDP
perspective, the essential configuration step is the classification and marking of packets.
However, for end-to-end QoS to be successful, you also need to align the RDP
configuration with the underlying network configuration carefully. The DSCP value tells a
correspondingly configured network what priority to give a packet or stream.

We recommend using DSCP value 46, which maps to the Expedited Forwarding (EF) DSCP
class.

Implement QoS on session host using Group Policy

You can use policy-based Quality of Service (QoS) within Group Policy to set the
predefined DSCP value.
To create a QoS policy for domain-joined session hosts, first, sign in to a computer on
which Group Policy Management has been installed. Open Group Policy Management
(select Start, point to Administrative Tools, and then select Group Policy Management),
and then complete the following steps:

1. In Group Policy Management, locate the container where the new policy should be
created. For example, if all your session host computers are located in an OU
named "Session Hosts", the new policy should be created in the Session Hosts OU.

2. Right-click the appropriate container, and then select Create a GPO in this
domain, and Link it here.

3. In the New GPO dialog box, type a name for the new Group Policy object in the
Name box, and then select OK.

4. Right-click the newly created policy, and then select Edit.

5. In the Group Policy Management Editor, expand Computer Configuration, expand
Windows Settings, right-click Policy-based QoS, and then select Create new
policy.

6. In the Policy-based QoS dialog box, on the opening page, type a name for the
new policy in the Name box. Select Specify DSCP Value and set the value to 46.
Leave Specify Outbound Throttle Rate unselected, and then select Next.

7. On the next page, select Only applications with this executable name and enter
the name svchost.exe, and then select Next. This setting instructs the policy to
only prioritize matching traffic from the Remote Desktop Service.

8. On the third page, make sure that both Any source IP address and Any
destination IP address are selected, and then select Next. These two settings
ensure that packets will be managed regardless of which computer (IP address)
sent the packets and which computer (IP address) will receive the packets.

9. On page four, select UDP from the Select the protocol this QoS policy applies to
drop-down list.

10. Under the heading Specify the source port number, select From this source port
or range. In the accompanying text box, type 3390. Select Finish.

The new policies you've created won't take effect until Group Policy has been refreshed
on your session host computers. Although Group Policy periodically refreshes on its
own, you can force an immediate refresh by following these steps:
1. On each session host for which you want to refresh Group Policy, open a
Command Prompt as administrator (Run as administrator).

2. At the command prompt, enter

Console

gpupdate /force

Implement QoS on session host using PowerShell

You can set QoS for RDP Shortpath for managed networks using the PowerShell cmdlet
below:

PowerShell

New-NetQosPolicy -Name "RDP Shortpath for managed networks" `
    -AppPathNameMatchCondition "svchost.exe" -IPProtocolMatchCondition UDP `
    -IPSrcPortStartMatchCondition 3390 -IPSrcPortEndMatchCondition 3390 `
    -DSCPAction 46 -NetworkProfile All
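
Running the cmdlet above a second time fails because the policy name already exists, and a typo in any match condition leaves RDP traffic silently unmarked while the command still succeeds. The following added example (not code from the original page or from Microsoft) wraps the same definition so it converges on re-run and then checks the stored policy object rather than trusting the command. It assumes the CIM property names of the NetQosPolicy object (AppPathNameMatchCondition, IPProtocolMatchCondition, IPSrcPortStartMatchCondition, IPSrcPortEndMatchCondition, DSCPAction), which the default table view shows under shorter aliases.

```powershell
# Added example, not from the original page: apply the DSCP 46 policy for RDP Shortpath
# (managed networks) idempotently, then verify what was actually stored.
# Assumption: property names below are the CIM properties of the NetQosPolicy object; the
# default formatted output shows them as AppPathName, IPProtocol, IPSrcPortStart, DSCPValue.
#Requires -RunAsAdministrator

$PolicyName = 'RDP Shortpath for managed networks'

function Set-AvdRdpQosPolicy {
    # Drop any stale copy first so re-running always lands on the intended definition.
    Get-NetQosPolicy -Name $PolicyName -ErrorAction SilentlyContinue |
        Remove-NetQosPolicy -Confirm:$false

    New-NetQosPolicy -Name $PolicyName `
        -AppPathNameMatchCondition 'svchost.exe' `
        -IPProtocolMatchCondition UDP `
        -IPSrcPortStartMatchCondition 3390 -IPSrcPortEndMatchCondition 3390 `
        -DSCPAction 46 -NetworkProfile All | Out-Null
}

function Test-AvdRdpQosPolicy {
    # $true only when every field matches; a wrong port or protocol would mark nothing.
    $p = Get-NetQosPolicy -Name $PolicyName -ErrorAction SilentlyContinue
    if (-not $p) { return $false }

    ($p.DSCPAction -eq 46) -and
    ("$($p.IPProtocolMatchCondition)" -eq 'UDP') -and
    ($p.IPSrcPortStartMatchCondition -eq 3390) -and
    ($p.IPSrcPortEndMatchCondition   -eq 3390) -and
    ($p.AppPathNameMatchCondition -like '*svchost.exe')
}

Set-AvdRdpQosPolicy
if (-not (Test-AvdRdpQosPolicy)) {
    throw "QoS policy '$PolicyName' is missing or does not match the expected definition."
}
```

The marking is only half of end-to-end QoS: a capture on the uplink (or a DSCP counter on the next router) is still needed to confirm the value 46 survives the path, because any hop that re-marks or strips DSCP makes the session host configuration irrelevant.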

Related articles
Quality of Service (QoS) Policy

Next steps
To learn about bandwidth requirements for Azure Virtual Desktop, see
Understanding Remote Desktop Protocol (RDP) Bandwidth Requirements for Azure
Virtual Desktop.
To learn about Azure Virtual Desktop network connectivity, see Understanding
Azure Virtual Desktop network connectivity.
Azure Private Link with Azure Virtual
Desktop
Article • 06/24/2024

You can use Azure Private Link with Azure Virtual Desktop to privately connect to your
remote resources. By creating a private endpoint, traffic between your virtual network
and the service remains on the Microsoft network, so you no longer need to expose
your service to the public internet. You also need a VPN or ExpressRoute so that your
users with the Remote Desktop client can reach the virtual network. Keeping traffic within
the Microsoft network improves security and keeps your data safe. This article describes
how Private Link can help you secure your Azure Virtual Desktop environment.

How does Private Link work with Azure Virtual Desktop?

Azure Virtual Desktop has three workflows with three corresponding resource types to
use with private endpoints. These workflows are:

1. Initial feed discovery: lets the client discover all workspaces assigned to a user. To
enable this process, you create a single private endpoint to the global sub-resource of
any workspace. You can only create one such endpoint for the global sub-resource in
your entire Azure Virtual Desktop deployment. This endpoint creates Domain
Name System (DNS) entries and private IP routes for the global fully qualified
domain name (FQDN) needed for initial feed discovery. This connection becomes a
single, shared route for all clients to use.

2. Feed download: the client downloads all connection details for a specific user for
the workspaces that host their application groups. You create a private endpoint
for the feed sub-resource for each workspace you want to use with Private Link.

3. Connections to host pools: every connection to a host pool has two sides - clients
and session hosts. You need to create a private endpoint for the connection sub-
resource for each host pool you want to use with Private Link.

The following high-level diagram shows how Private Link securely connects a local client
to the Azure Virtual Desktop service. For more detailed information about client
connections, see Client connection sequence.
Supported scenarios
When adding Private Link with Azure Virtual Desktop, you have the following supported
scenarios to connect to Azure Virtual Desktop. Which scenario you choose depends on
your requirements. You can either share these private endpoints across your network
topology or you can isolate your virtual networks so that each has their own private
endpoint to the host pool or workspace.

1. All parts of the connection - initial feed discovery, feed download, and remote
session connections for clients and session hosts - use private routes. You need the
following private endpoints:

| Purpose | Resource type | Target sub-resource | Endpoint quantity |
|---|---|---|---|
| Connections to host pools | Microsoft.DesktopVirtualization/hostpools | connection | One per host pool |
| Feed download | Microsoft.DesktopVirtualization/workspaces | feed | One per workspace |
| Initial feed discovery | Microsoft.DesktopVirtualization/workspaces | global | Only one for all your Azure Virtual Desktop deployments |

2. Feed download and remote session connections for clients and session hosts use
private routes, but initial feed discovery uses public routes. You need the following
private endpoints. The endpoint for initial feed discovery isn't required.

| Purpose | Resource type | Target sub-resource | Endpoint quantity |
|---|---|---|---|
| Connections to host pools | Microsoft.DesktopVirtualization/hostpools | connection | One per host pool |
| Feed download | Microsoft.DesktopVirtualization/workspaces | feed | One per workspace |

3. Only remote session connections for clients and session hosts use private routes,
but initial feed discovery and feed download use public routes. You need the
following private endpoint(s). Endpoints to workspaces aren't required.

| Purpose | Resource type | Target sub-resource | Endpoint quantity |
|---|---|---|---|
| Connections to host pools | Microsoft.DesktopVirtualization/hostpools | connection | One per host pool |

4. Both clients and session host VMs use public routes. Private Link isn't used in this
scenario.

) Important

If you create a private endpoint for initial feed discovery, the workspace used
for the global sub-resource governs the shared Fully Qualified Domain Name
(FQDN), facilitating the initial discovery of feeds across all workspaces. You
should create a separate workspace that is only used for this purpose and
doesn't have any application groups registered to it. Deleting this workspace
will cause all feed discovery processes to stop working.

You can't control access to the workspace used for the initial feed discovery
(global sub-resource). If you configure this workspace to only allow private
access, the setting is ignored. This workspace is always accessible from public
routes.

IP address allocations are subject to change as the demand for IP addresses
increases. During capacity expansions, additional addresses are needed for
private endpoints. It's important you consider potential address space
exhaustion and ensure sufficient headroom for growth. For more information
on determining the appropriate network configuration for private endpoints
in either a hub or a spoke topology, see Decision tree for Private Link
deployment.

Configuration outcomes
You configure settings on the relevant Azure Virtual Desktop workspaces and host pools
to set public or private access. For connections to a workspace, except the workspace
used for initial feed discovery (global sub-resource), the following table details the
outcome of each scenario:

| Configuration | Outcome |
|---|---|
| Public access enabled from all networks | Workspace feed requests are allowed from public routes. Workspace feed requests are allowed from private routes. |
| Public access disabled from all networks | Workspace feed requests are denied from public routes. Workspace feed requests are allowed from private routes. |

With the reverse connect transport, there are two network connections for connections
to host pools: the client to the gateway, and the session host to the gateway. In addition
to enabling or disabling public access for both connections, you can also choose to
enable public access for clients connecting to the gateway and only allow private access
for session hosts connecting to the gateway. The following table details the outcome of
each scenario:

| Configuration | Outcome |
|---|---|
| Public access enabled from all networks | Remote sessions are allowed when either the client or session host is using a public route. Remote sessions are allowed when either the client or session host is using a private route. |
| Public access disabled from all networks | Remote sessions are denied when either the client or session host is using a public route. Remote sessions are allowed when both the client and session host are using a private route. |
| Public access enabled for client networks, but disabled for session host networks | Remote sessions are denied if the session host is using a public route, regardless of the route the client is using. Remote sessions are allowed as long as the session host is using a private route, regardless of the route the client is using. |

Client connection sequence

When a user connects to Azure Virtual Desktop over Private Link, and Azure Virtual
Desktop is configured to only allow client connections from private routes, the
connection sequence is as follows:

1. With a supported client, a user subscribes to a workspace. The user's device
queries DNS for the address rdweb.wvd.microsoft.com (or the corresponding
address for other Azure environments).

2. Your private DNS zone for privatelink-global.wvd.microsoft.com returns the
private IP address for the initial feed discovery (global sub-resource). If you're not
using a private endpoint for initial feed discovery, a public IP address is returned.

3. For each workspace in the feed, a DNS query is made for the address
<workspaceId>.privatelink.wvd.microsoft.com .

4. Your private DNS zone for privatelink.wvd.microsoft.com returns the private IP
address for the workspace feed download, and the client downloads the feed using TCP port
443.

5. When connecting to a remote session, the .rdp file that comes from the
workspace feed download contains the address for the Azure Virtual Desktop
gateway service with the lowest latency for the user's device. A DNS query is made
to an address in the format <hostpoolId>.afdfp-rdgateway.wvd.microsoft.com .

6. Your private DNS zone for privatelink.wvd.microsoft.com returns the private IP
address for the Azure Virtual Desktop gateway service to use for the host pool
providing the remote session. Orchestration through the virtual network and the
private endpoint uses TCP port 443.

7. Following orchestration, the network traffic between the client, Azure Virtual
Desktop gateway service, and session host is transferred over to a port in the TCP
dynamic port range of 1 - 65535.

) Important

If you intend to restrict network ports from either the user client devices or your
session host VMs to the private endpoints, you will need to allow traffic across the
entire TCP dynamic port range of 1 - 65535 to the private endpoint for the host
pool resource using the connection sub-resource. The entire TCP dynamic port
range is needed because Azure private networking internally maps these ports to
the appropriate gateway that was selected during client orchestration. If you
restrict ports to the private endpoint, your users may not be able to connect to
Azure Virtual Desktop.

Known issues and limitations

Private Link with Azure Virtual Desktop has the following limitations:

Before you use Private Link for Azure Virtual Desktop, you need to enable Private
Link with Azure Virtual Desktop on each Azure subscription you want to use it
with.

All Remote Desktop clients used to connect to Azure Virtual Desktop can be used with
Private Link. However, if you're using the Remote Desktop client for Windows on a
private network without internet access and you're subscribed to both public and
private feeds, you aren't able to access your feed.

After you've changed a private endpoint to a host pool, you must restart the
Remote Desktop Agent Loader (RDAgentBootLoader) service on each session host in
the host pool. You also need to restart this service whenever you change a host
pool's network configuration. Instead of restarting the service, you can restart each
session host.

Using both Private Link and RDP Shortpath for managed networks isn't supported,
but they can work together. You can use Private Link and RDP Shortpath for
managed networks at your own risk. All other RDP Shortpath options using STUN
or TURN aren't supported with Private Link.

Early in the preview of Private Link with Azure Virtual Desktop, the private endpoint
for the initial feed discovery (for the global sub-resource) shared the private DNS
zone name of privatelink.wvd.microsoft.com with other private endpoints for
workspaces and host pools. In this configuration, users are unable to establish
private endpoints exclusively for host pools and workspaces. Starting September 1,
2023, sharing the private DNS zone in this configuration will no longer be
supported. You need to create a new private endpoint for the global sub-resource
to use the private DNS zone name of privatelink-global.wvd.microsoft.com . For
the steps to do this, see Initial feed discovery.

Next steps
Learn how to Set up Private Link with Azure Virtual Desktop.
Learn how to configure Azure Private Endpoint DNS at Private Link DNS
integration.
For general troubleshooting guides for Private Link, see Troubleshoot Azure Private
Endpoint connectivity problems.
Understand Azure Virtual Desktop network connectivity.
See the Required URL list for the list of URLs you need to unblock to ensure
network access to the Azure Virtual Desktop service.


Set up Private Link with Azure Virtual
Desktop
Article • 04/19/2024

This article shows you how to set up Private Link with Azure Virtual Desktop to privately
connect to your remote resources. For more information about using Private Link with
Azure Virtual Desktop, including limitations, see Azure Private Link with Azure Virtual
Desktop.

Prerequisites
In order to use Private Link with Azure Virtual Desktop, you need the following things:

An existing host pool with session hosts, an application group, and workspace.

An existing virtual network and subnet you want to use for private endpoints.

The required Azure role-based access control permissions to create private
endpoints.

If you're using the Remote Desktop client for Windows, you must use version
1.2.4066 or later to connect using a private endpoint.

If you want to use Azure CLI or Azure PowerShell locally, see Use Azure CLI and
Azure PowerShell with Azure Virtual Desktop to make sure you have the
desktopvirtualization Azure CLI extension or the Az.DesktopVirtualization
PowerShell module installed. Alternatively, use the Azure Cloud Shell.

Azure PowerShell cmdlets for Azure Virtual Desktop that support Private Link are in
preview. You'll need to download and install the preview version of the
Az.DesktopVirtualization module to use these cmdlets, which have been added in
version 5.0.0.

Enable Private Link with Azure Virtual Desktop on a subscription

To use Private Link with Azure Virtual Desktop, you need to re-register the
Microsoft.DesktopVirtualization resource provider on each subscription on which you
want to use Private Link with Azure Virtual Desktop.

) Important

For Azure for US Government and Azure operated by 21Vianet, you also need to
register the feature for each subscription.

Register Private Link with Azure Virtual Desktop (Azure for US Government and Azure
operated by 21Vianet only)

To register the Azure Virtual Desktop Private Link feature:

1. Sign in to the Azure portal .

2. In the search bar, enter Subscriptions and select the matching service entry.

3. Select the name of your subscription, then in the Settings section, select Preview
features.

4. Select the drop-down list for the filter Type and set it to
Microsoft.DesktopVirtualization.

5. Select Azure Virtual Desktop Private Link, then select Register.

Re-register the resource provider

To re-register the Microsoft.DesktopVirtualization resource provider:

1. Sign in to the Azure portal .

2. In the search bar, enter Subscriptions and select the matching service entry.

3. Select the name of your subscription, then in the section Settings, select Resource
providers.

4. Search for and select Microsoft.DesktopVirtualization, then select Re-register.

5. Verify that the status of Microsoft.DesktopVirtualization is Registered.

Create private endpoints

During the setup process, you create private endpoints to the following resources,
depending on your scenario.
1. Both clients and session host VMs use private routes. You need the following
private endpoints:

| Purpose | Resource type | Target sub-resource | Endpoint quantity | IP address quantity |
|---|---|---|---|---|
| Connections to host pools | Microsoft.DesktopVirtualization/hostpools | connection | One per host pool | Four per endpoint |
| Feed download | Microsoft.DesktopVirtualization/workspaces | feed | One per workspace | Two per endpoint |
| Initial feed discovery | Microsoft.DesktopVirtualization/workspaces | global | Only one for all your Azure Virtual Desktop deployments | One per endpoint |


2. Clients use public routes while session host VMs use private routes. You need the
following private endpoints. Endpoints to workspaces aren't required.

| Purpose | Resource type | Target sub-resource | Endpoint quantity | IP address quantity |
|---|---|---|---|---|
| Connections to host pools | Microsoft.DesktopVirtualization/hostpools | connection | One per host pool | Four per endpoint |


) Important

IP address allocations are subject to change as the demand for IP addresses
increases. During capacity expansions, additional addresses are needed for private
endpoints. It's important you consider potential address space exhaustion and
ensure sufficient headroom for growth. For more information on determining the
appropriate network configuration for private endpoints in either a hub or a spoke
topology, see Decision tree for Private Link deployment.

Connections to host pools

To create a private endpoint for the connection sub-resource for connections to a host
pool, select the relevant tab for your scenario and follow the steps.

Portal

Here's how to create a private endpoint for the connection sub-resource for
connections to a host pool using the Azure portal.

1. Sign in to the Azure portal .

2. In the search bar, type Azure Virtual Desktop and select the matching service
entry to go to the Azure Virtual Desktop overview.

3. Select Host pools, then select the name of the host pool for which you want to
create a connection sub-resource.

4. From the host pool overview, select Networking, then Private endpoint
connections, and finally New private endpoint.

5. On the Basics tab, complete the following information:

| Parameter | Value/Description |
|---|---|
| Subscription | Select the subscription you want to create the private endpoint in from the drop-down list. |
| Resource group | This automatically defaults to the same resource group as your host pool for the private endpoint, but you can also select an alternative existing one from the drop-down list, or create a new one. |
| Name | Enter a name for the new private endpoint. |
| Network interface name | The network interface name fills in automatically based on the name you gave the private endpoint, but you can also specify a different name. |
| Region | This automatically defaults to the same Azure region as the host pool and is where the private endpoint is deployed. This must be the same region as your virtual network and session hosts. |

Once you've completed this tab, select Next: Resource.


6. On the Resource tab, validate the values for Subscription, Resource type, and
Resource, then for Target sub-resource, select connection. Once you've
completed this tab, select Next: Virtual Network.

7. On the Virtual Network tab, complete the following information:

| Parameter | Value/Description |
|---|---|
| Virtual network | Select the virtual network you want to create the private endpoint in from the drop-down list. |
| Subnet | Select the subnet of the virtual network you want to create the private endpoint in from the drop-down list. |
| Network policy for private endpoints | Select edit if you want to choose a subnet network policy. For more information, see Manage network policies for private endpoints. |
| Private IP configuration | Select Dynamically allocate IP address or Statically allocate IP address. The address space is from the subnet you selected. If you choose to statically allocate IP addresses, you need to fill in the Name and Private IP for each listed member. |
| Application security group | Optional: select an existing application security group for the private endpoint from the drop-down list, or create a new one. You can also add one later. |

Once you've completed this tab, select Next: DNS.

8. On the DNS tab, choose whether you want to use Azure Private DNS Zone by
selecting Yes or No for Integrate with private DNS zone. If you select Yes,
select the subscription and resource group in which to create the private DNS
zone privatelink.wvd.microsoft.com. For more information, see Azure Private
Endpoint DNS configuration.

Once you've completed this tab, select Next: Tags.

9. Optional: On the Tags tab, you can enter any name/value pairs you need, then
select Next: Review + create.

10. On the Review + create tab, ensure validation passes and review the
information that is used during deployment.

11. Select Create to create the private endpoint for the connection sub-resource.

Important

You need to create a private endpoint for the connection sub-resource for each
host pool you want to use with Private Link.

Feed download
To create a private endpoint for the feed sub-resource for a workspace, select the
relevant tab for your scenario and follow the steps.

Portal

1. From the Azure Virtual Desktop overview, select Workspaces, then select the
name of the workspace for which you want to create a feed sub-resource.

2. From the workspace overview, select Networking, then Private endpoint
connections, and finally New private endpoint.

3. On the Basics tab, complete the following information:

Parameter               Value/Description

Subscription            Select the subscription you want to create the private endpoint in from the drop-down list.

Resource group          This automatically defaults to the same resource group as your workspace for the private endpoint, but you can also select an alternative existing one from the drop-down list, or create a new one.

Name                    Enter a name for the new private endpoint.

Network interface name  The network interface name fills in automatically based on the name you gave the private endpoint, but you can also specify a different name.

Region                  This automatically defaults to the same Azure region as the workspace and is where the private endpoint is deployed. This must be the same region as your virtual network.

Once you've completed this tab, select Next: Resource.


4. On the Resource tab, validate the values for Subscription, Resource type, and
Resource, then for Target sub-resource, select feed. Once you've completed
this tab, select Next: Virtual Network.

5. On the Virtual Network tab, complete the following information:

Parameter                             Value/Description

Virtual network                       Select the virtual network you want to create the private endpoint in from the drop-down list.

Subnet                                Select the subnet of the virtual network you want to create the private endpoint in from the drop-down list.

Network policy for private endpoints  Select edit if you want to choose a subnet network policy. For more information, see Manage network policies for private endpoints.

Private IP configuration              Select Dynamically allocate IP address or Statically allocate IP address. The address space is from the subnet you selected. If you choose to statically allocate IP addresses, you need to fill in the Name and Private IP for each listed member.

Application security group            Optional: select an existing application security group for the private endpoint from the drop-down list, or create a new one. You can also add one later.

Once you've completed this tab, select Next: DNS.

6. On the DNS tab, choose whether you want to use Azure Private DNS Zone by
selecting Yes or No for Integrate with private DNS zone. If you select Yes,
select the subscription and resource group in which to create the private DNS
zone privatelink.wvd.microsoft.com. For more information, see Azure Private
Endpoint DNS configuration.

Once you've completed this tab, select Next: Tags.

7. Optional: On the Tags tab, you can enter any name/value pairs you need, then
select Next: Review + create.

8. On the Review + create tab, ensure validation passes and review the
information that is used during deployment.

9. Select Create to create the private endpoint for the feed sub-resource.

Important

You need to create a private endpoint for the feed sub-resource for each workspace
you want to use with Private Link.

Initial feed discovery


To create a private endpoint for the global sub-resource used for the initial feed
discovery, select the relevant tab for your scenario and follow the steps.

Important

Only create one private endpoint for the global sub-resource for all your Azure
Virtual Desktop deployments.

A private endpoint to the global sub-resource of any workspace controls the
shared fully qualified domain name (FQDN) for initial feed discovery. This in
turn enables feed discovery for all workspaces. Because the workspace
connected to the private endpoint is so important, deleting it will cause all
feed discovery processes to stop working. We recommend you create an
unused placeholder workspace for the global sub-resource.

Portal

1. From the Azure Virtual Desktop overview, select Workspaces, then select the
name of a workspace you want to use for the global sub-resource.
a. Optional: Instead, create a placeholder workspace to terminate the global
endpoint by following the instructions to Create a workspace.

2. From the workspace overview, select Networking, then Private endpoint
connections, and finally New private endpoint.

3. On the Basics tab, complete the following information:

Parameter               Value/Description

Subscription            Select the subscription you want to create the private endpoint in from the drop-down list.

Resource group          This automatically defaults to the same resource group as your workspace for the private endpoint, but you can also select an alternative existing one from the drop-down list, or create a new one.

Name                    Enter a name for the new private endpoint.

Network interface name  The network interface name fills in automatically based on the name you gave the private endpoint, but you can also specify a different name.

Region                  This automatically defaults to the same Azure region as the workspace and is where the private endpoint will be deployed. This must be the same region as your virtual network.

Once you've completed this tab, select Next: Resource.

4. On the Resource tab, validate the values for Subscription, Resource type, and
Resource, then for Target sub-resource, select global. Once you've completed
this tab, select Next: Virtual Network.

5. On the Virtual Network tab, complete the following information:

Parameter                             Value/Description

Virtual network                       Select the virtual network you want to create the private endpoint in from the drop-down list.

Subnet                                Select the subnet of the virtual network you want to create the private endpoint in from the drop-down list.

Network policy for private endpoints  Select edit if you want to choose a subnet network policy. For more information, see Manage network policies for private endpoints.

Private IP configuration              Select Dynamically allocate IP address or Statically allocate IP address. The address space is from the subnet you selected. If you choose to statically allocate IP addresses, you need to fill in the Name and Private IP for each listed member.

Application security group            Optional: select an existing application security group for the private endpoint from the drop-down list, or create a new one. You can also add one later.

Once you've completed this tab, select Next: DNS.

6. On the DNS tab, choose whether you want to use Azure Private DNS Zone by
selecting Yes or No for Integrate with private DNS zone. If you select Yes,
select the subscription and resource group in which to create the private DNS
zone privatelink-global.wvd.microsoft.com. For more information, see Azure
Private Endpoint DNS configuration.

Once you've completed this tab, select Next: Tags.

7. Optional: On the Tags tab, you can enter any name/value pairs you need, then
select Next: Review + create.

8. On the Review + create tab, ensure validation passes and review the
information that is used during deployment.

9. Select Create to create the private endpoint for the global sub-resource.
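The three portal procedures above (connection endpoints per host pool, feed endpoints per workspace, and the single global endpoint on a placeholder workspace) as an Az PowerShell script. This is an added example, not code from the Azure Virtual Desktop documentation; it assumes the Az.Network, Az.PrivateDns and Az.DesktopVirtualization modules, and every resource name below is a constructed placeholder.

```powershell
# Added example: create the Azure Virtual Desktop Private Link endpoints with Az PowerShell.
# Requires Az.Network, Az.PrivateDns and Az.DesktopVirtualization; run Connect-AzAccount first.
# All names below are constructed placeholders; replace them with your own.
$ResourceGroup = 'rg-avd-prod'
$Location      = 'westeurope'            # must match the virtual network and session hosts
$VnetName      = 'vnet-avd'
$SubnetName    = 'snet-privateendpoints'

$vnet   = Get-AzVirtualNetwork -ResourceGroupName $ResourceGroup -Name $VnetName
$subnet = Get-AzVirtualNetworkSubnetConfig -Name $SubnetName -VirtualNetwork $vnet

# Private DNS zone for each sub-resource, as named in the DNS tab of the article.
function Get-AvdPrivateDnsZoneName {
    param([ValidateSet('connection', 'feed', 'global')][string]$SubResource)
    if ($SubResource -eq 'global') { 'privatelink-global.wvd.microsoft.com' }
    else                           { 'privatelink.wvd.microsoft.com' }
}

# Create the private DNS zone once and link it to the VNet (no auto-registration).
function Initialize-AvdPrivateDnsZone {
    param([string]$ZoneName)
    $zone = Get-AzPrivateDnsZone -ResourceGroupName $ResourceGroup -Name $ZoneName -ErrorAction SilentlyContinue
    if (-not $zone) {
        $zone = New-AzPrivateDnsZone -ResourceGroupName $ResourceGroup -Name $ZoneName
        New-AzPrivateDnsVirtualNetworkLink -ResourceGroupName $ResourceGroup -ZoneName $ZoneName `
            -Name "link-$VnetName" -VirtualNetworkId $vnet.Id | Out-Null
    }
    return $zone
}

# One private endpoint for <SubResource> of a host pool or workspace, registered in
# the matching zone. -GroupId is the "Target sub-resource" chosen in the portal.
function New-AvdPrivateEndpoint {
    param(
        [ValidateSet('connection', 'feed', 'global')][string]$SubResource,
        [string]$TargetResourceId,
        [string]$EndpointName
    )
    $zoneName = Get-AvdPrivateDnsZoneName -SubResource $SubResource
    $zone     = Initialize-AvdPrivateDnsZone -ZoneName $zoneName

    $connection = New-AzPrivateLinkServiceConnection -Name "$EndpointName-conn" `
        -PrivateLinkServiceId $TargetResourceId -GroupId $SubResource
    $endpoint = New-AzPrivateEndpoint -ResourceGroupName $ResourceGroup -Name $EndpointName `
        -Location $Location -Subnet $subnet -PrivateLinkServiceConnection $connection

    $zoneConfig = New-AzPrivateDnsZoneConfig -Name ($zoneName -replace '\.', '-') -PrivateDnsZoneId $zone.ResourceId
    New-AzPrivateDnsZoneGroup -ResourceGroupName $ResourceGroup -PrivateEndpointName $EndpointName `
        -Name 'default' -PrivateDnsZoneConfig $zoneConfig | Out-Null
    return $endpoint
}

# connection: one endpoint per host pool you use with Private Link.
foreach ($hostPoolName in @('hp-finance', 'hp-engineering')) {
    $hp = Get-AzWvdHostPool -ResourceGroupName $ResourceGroup -Name $hostPoolName
    New-AvdPrivateEndpoint -SubResource connection -TargetResourceId $hp.Id -EndpointName "pe-$hostPoolName-connection"
}

# feed: one endpoint per workspace you use with Private Link.
foreach ($workspaceName in @('ws-finance', 'ws-engineering')) {
    $ws = Get-AzWvdWorkspace -ResourceGroupName $ResourceGroup -Name $workspaceName
    New-AvdPrivateEndpoint -SubResource feed -TargetResourceId $ws.Id -EndpointName "pe-$workspaceName-feed"
}

# global: exactly one endpoint for all deployments, terminated on an unused placeholder
# workspace so that deleting a production workspace cannot break initial feed discovery.
$placeholder = Get-AzWvdWorkspace -ResourceGroupName $ResourceGroup -Name 'ws-global-placeholder'
New-AvdPrivateEndpoint -SubResource global -TargetResourceId $placeholder.Id -EndpointName 'pe-global'
```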

Closing public routes


Once you've created private endpoints, you can also control if traffic is allowed to come
from public routes. You can control this at a granular level using Azure Virtual Desktop,
or more broadly using a network security group (NSG) or Azure Firewall.

Control routes with Azure Virtual Desktop


With Azure Virtual Desktop, you can independently control public traffic for workspaces
and host pools. Select the relevant tab for your scenario and follow the steps. You can't
configure this in Azure CLI. You need to repeat these steps for each workspace and host
pool you use with Private Link.

Portal

Workspaces
1. From the Azure Virtual Desktop overview, select Workspaces, then select the
name of the workspace to control public traffic.
2. From the workspace overview, select Networking, then select the Public access
tab.

3. Select one of the following options:

Setting                                       Description

Enable public access from all networks        End users can access the feed over the public internet or the private endpoints.

Disable public access and use private access  End users can only access the feed over the private endpoints.

4. Select Save.

Host pools
1. From the Azure Virtual Desktop overview, select Host pools, then select the
name of the host pool to control public traffic.

2. From the host pool overview, select Networking, then select the Public access
tab.

3. Select one of the following options:

Setting                                                                    Description

Enable public access from all networks                                     End users can access the feed and session hosts securely over the public internet or the private endpoints.

Enable public access for end users, use private access for session hosts   End users can access the feed securely over the public internet but must use private endpoints to access session hosts.

Disable public access and use private access                               End users can only access the feed and session hosts over the private endpoints.

4. Select Save.

Important

Changing access for session hosts won't affect existing sessions. After you've
changed a private endpoint to a host pool, you must restart the Remote Desktop
Agent Loader (RDAgentBootLoader) service on each session host in the host pool.
You also need to restart this service whenever you change a host pool's network
configuration. Instead of restarting the service, you can restart each session host.
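The same public-access settings for a workspace and a host pool applied from Az PowerShell (the article notes this can't be done in Azure CLI), followed by the RDAgentBootLoader restart the note above requires on every session host. This is an added example, not the documentation's own code; it assumes the -PublicNetworkAccess parameter of the Az.DesktopVirtualization Update cmdlets with the values mapped below, the -ScriptString parameter of Invoke-AzVMRunCommand (recent Az.Compute), and placeholder resource names.

```powershell
# Added example: close public routes per workspace/host pool, then restart the agent loader.
# Requires Az.DesktopVirtualization, Az.Compute and Az.Resources; names are placeholders.
$ResourceGroup = 'rg-avd-prod'

# Portal option                                                  -> -PublicNetworkAccess value (assumed mapping)
#   Enable public access from all networks                       -> Enabled
#   Enable public access for end users, private for session hosts -> EnabledForClientsOnly (host pools only)
#   Disable public access and use private access                 -> Disabled
Update-AzWvdWorkspace -ResourceGroupName $ResourceGroup -Name 'ws-finance' -PublicNetworkAccess Disabled
Update-AzWvdHostPool  -ResourceGroupName $ResourceGroup -Name 'hp-finance' -PublicNetworkAccess EnabledForClientsOnly

# Restart RDAgentBootLoader on each session host of a host pool. Existing sessions are
# not affected; new connections pick up the changed network configuration afterwards.
function Restart-AvdAgentLoader {
    param([string]$HostPoolName)
    $sessionHosts = Get-AzWvdSessionHost -ResourceGroupName $ResourceGroup -HostPoolName $HostPoolName
    foreach ($sh in $sessionHosts) {
        $vm = Get-AzResource -ResourceId $sh.ResourceId     # session host -> its VM resource
        $result = Invoke-AzVMRunCommand -ResourceGroupName $vm.ResourceGroupName -VMName $vm.Name `
            -CommandId 'RunPowerShellScript' `
            -ScriptString 'Restart-Service -Name RDAgentBootLoader -Force; (Get-Service -Name RDAgentBootLoader).Status'
        [pscustomobject]@{
            SessionHost = $sh.Name
            Output      = (($result.Value | ForEach-Object { $_.Message }) -join ' ').Trim()
        }
    }
}

Restart-AvdAgentLoader -HostPoolName 'hp-finance' | Format-Table -AutoSize
```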

Block public routes with network security groups or Azure Firewall

If you're using network security groups or Azure Firewall to control connections from
user client devices or your session hosts to the private endpoints, you can use the
WindowsVirtualDesktop service tag to block traffic from the public internet. If you block
public internet traffic using this service tag, all service traffic uses private routes only.

Caution

Make sure you don't block traffic between your private endpoints and the
addresses in the required URL list.

Don't block certain ports from either the user client devices or your session
hosts to the private endpoint for a host pool resource using the connection
sub-resource. The entire TCP dynamic port range of 1 - 65535 to the private
endpoint is needed because port mapping is used to all global gateways
through the single private endpoint IP address corresponding to the
connection sub-resource. If you restrict ports to the private endpoint, your
users may not be able to connect successfully to Azure Virtual Desktop.
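An outbound NSG rule set for the session host subnet that follows the caution above: the private endpoint subnet stays reachable on the whole TCP range 1-65535, and the WindowsVirtualDesktop service tag is denied so service traffic can only take private routes. This is an added example, not from the documentation; it assumes Az.Network and the constructed NSG name and private endpoint subnet prefix shown.

```powershell
# Added example: NSG rules that force Azure Virtual Desktop traffic onto Private Link
# without restricting ports towards the private endpoint. Requires Az.Network.
$ResourceGroup         = 'rg-avd-prod'               # placeholder
$PrivateEndpointSubnet = '10.10.5.0/24'              # placeholder subnet that holds the private endpoints
$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $ResourceGroup -Name 'nsg-avd-sessionhosts'

# Private endpoint first: the connection sub-resource maps every global gateway onto one
# private IP through port mapping, so the full TCP range must stay open towards it.
$nsg | Add-AzNetworkSecurityRuleConfig -Name 'Allow-AVD-PrivateEndpoint' -Priority 100 `
    -Direction Outbound -Access Allow -Protocol Tcp `
    -SourceAddressPrefix 'VirtualNetwork' -SourcePortRange '*' `
    -DestinationAddressPrefix $PrivateEndpointSubnet -DestinationPortRange '1-65535' | Out-Null

# Then deny the public service ranges (the private endpoint IP is not in the service tag).
$nsg | Add-AzNetworkSecurityRuleConfig -Name 'Deny-AVD-PublicInternet' -Priority 200 `
    -Direction Outbound -Access Deny -Protocol '*' `
    -SourceAddressPrefix 'VirtualNetwork' -SourcePortRange '*' `
    -DestinationAddressPrefix 'WindowsVirtualDesktop' -DestinationPortRange '*' | Out-Null

$nsg | Set-AzNetworkSecurityGroup | Out-Null

# Check for the mistake the caution describes: the highest-priority outbound rule aimed at
# the private endpoint subnet must allow, and must not restrict, the port range.
function Test-AvdPrivateEndpointRules {
    param($NetworkSecurityGroup, [string]$PrivateEndpointPrefix)
    $first = $NetworkSecurityGroup.SecurityRules |
        Where-Object { $_.Direction -eq 'Outbound' -and $_.DestinationAddressPrefix -contains $PrivateEndpointPrefix } |
        Sort-Object Priority | Select-Object -First 1
    if (-not $first) { return 'No explicit rule for the private endpoint subnet; the default VirtualNetwork rule applies.' }
    $ports = $first.DestinationPortRange -join ','
    if ($first.Access -ne 'Allow')       { return "FAIL: rule '$($first.Name)' denies traffic to the private endpoint" }
    if ($ports -notin @('*', '1-65535')) { return "FAIL: rule '$($first.Name)' restricts ports to $ports" }
    return "OK: rule '$($first.Name)' allows ports $ports to $PrivateEndpointPrefix"
}

Test-AvdPrivateEndpointRules -NetworkSecurityGroup $nsg -PrivateEndpointPrefix $PrivateEndpointSubnet
```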

Validate Private Link with Azure Virtual Desktop


Once you've closed public routes, you should validate that Private Link with Azure Virtual
Desktop is working. You can do this by checking the connection state of each private
endpoint, the status of your session hosts, and testing your users can refresh and
connect to their remote resources.

Check the connection state of each private endpoint


To check the connection state of each private endpoint, select the relevant tab for your
scenario and follow the steps. You should repeat these steps for each workspace and
host pool you use with Private Link.

Portal

Workspaces

1. From the Azure Virtual Desktop overview, select Workspaces, then select the
name of the workspace for which you want to check the connection state.

2. From the workspace overview, select Networking, then Private endpoint
connections.

3. For the private endpoint listed, check the Connection state is Approved.

Host pools
1. From the Azure Virtual Desktop overview, select Host pools, then select the
name of the host pool for which you want to check the connection state.

2. From the host pool overview, select Networking, then Private endpoint
connections.

3. For the private endpoint listed, check the Connection state is Approved.

Check the status of your session hosts


1. Check the status of your session hosts in Azure Virtual Desktop.

a. From the Azure Virtual Desktop overview, select Host pools, then select the
name of the host pool.

b. In the Manage section, select Session hosts.

c. Review the list of session hosts and check their status is Available.

Check your users can connect


To test that your users can connect to their remote resources:

1. Use the Remote Desktop client and make sure you can subscribe to and refresh
workspaces.
2. Finally, make sure your users can connect to a remote session.
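The connection-state and session-host checks above, scripted so they can be repeated after every network change. This is an added example, not the documentation's own code; it assumes Az.Network and Az.DesktopVirtualization and uses placeholder resource names.

```powershell
# Added example: validate Private Link for Azure Virtual Desktop. Every private endpoint in
# the resource group must be Approved and every session host Available.
$ResourceGroup = 'rg-avd-prod'      # placeholder

# One row per private link connection: which endpoint, which sub-resource, which target, and its state.
function Get-AvdPrivateEndpointState {
    param([string]$ResourceGroupName)
    Get-AzPrivateEndpoint -ResourceGroupName $ResourceGroupName | ForEach-Object {
        foreach ($conn in $_.PrivateLinkServiceConnections) {
            [pscustomobject]@{
                Endpoint    = $_.Name
                SubResource = ($conn.GroupIds -join ',')                 # connection, feed or global
                Target      = ($conn.PrivateLinkServiceId -split '/')[-1] # host pool or workspace name
                State       = $conn.PrivateLinkServiceConnectionState.Status
            }
        }
    }
}

# Session host status as shown under Manage > Session hosts in the portal.
function Get-AvdSessionHostState {
    param([string]$ResourceGroupName, [string]$HostPoolName)
    Get-AzWvdSessionHost -ResourceGroupName $ResourceGroupName -HostPoolName $HostPoolName | ForEach-Object {
        [pscustomobject]@{ SessionHost = $_.Name; Status = $_.Status; LastHeartBeat = $_.LastHeartBeat }
    }
}

$endpoints = Get-AvdPrivateEndpointState -ResourceGroupName $ResourceGroup
$endpoints | Format-Table -AutoSize
$notApproved = $endpoints | Where-Object State -ne 'Approved'
if ($notApproved) { Write-Warning "Private endpoints not approved: $($notApproved.Endpoint -join ', ')" }

$hostState = Get-AvdSessionHostState -ResourceGroupName $ResourceGroup -HostPoolName 'hp-finance'
$hostState | Format-Table -AutoSize
$unavailable = $hostState | Where-Object Status -ne 'Available'
if ($unavailable) { Write-Warning "Session hosts not available: $($unavailable.SessionHost -join ', ')" }
# Last step stays manual: subscribe to and refresh the workspace in the client, then start a session.
```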

Next steps
Learn more about how Private Link works with Azure Virtual Desktop at Use Private
Link with Azure Virtual Desktop.

Learn how to configure Azure Private Endpoint DNS at Private Link DNS
integration.

For general troubleshooting guides for Private Link, see Troubleshoot Azure Private
Endpoint connectivity problems.

Understand how connectivity for the Azure Virtual Desktop service works at Azure
Virtual Desktop network connectivity.

See the Required URL list for the list of URLs you need to unblock to ensure
network access to the Azure Virtual Desktop service.
Proxy server guidelines for Azure Virtual
Desktop
Article • 06/29/2023

This article will show you how to use a proxy server with Azure Virtual Desktop. The
recommendations in this article only apply to connections between Azure Virtual
Desktop infrastructure, client, and session host agents. This article doesn't cover network
connectivity for Office, Windows 10, FSLogix, or other Microsoft applications.

What are proxy servers?


We recommend bypassing proxies for Azure Virtual Desktop traffic. Proxies don't make
Azure Virtual Desktop more secure because the traffic is already encrypted. To learn
more about connection security, see Connection security.

Most proxy servers aren't designed for supporting long running WebSocket connections
and may affect connection stability. Proxy server scalability also causes issues because
Azure Virtual Desktop uses multiple long-term connections. If you do use proxy servers,
they must be the right size to run these connections.

If the proxy server's geography is far from the host, then this distance will cause more
latency in your user connections. More latency means slower connection time and worse
user experience, especially in scenarios that need graphics, audio, or low-latency
interactions with input devices. If you must use a proxy server, keep in mind that you
need to place the server in the same geography as the Azure Virtual Desktop Agent and
client.

If you configure your proxy server as the only path for Azure Virtual Desktop traffic to
take, the Remote Desktop Protocol (RDP) data will be forced over Transmission Control
Protocol (TCP) instead of User Datagram Protocol (UDP). This move lowers the visual
quality and responsiveness of the remote connection.

In summary, we don't recommend using proxy servers on Azure Virtual Desktop because
they cause performance-related issues from latency degradation and packet loss.

Bypassing a proxy server


If your organization's network and security policies require proxy servers for web traffic,
you can configure your environment to bypass Azure Virtual Desktop connections while
still routing the traffic through the proxy server. However, each organization's policies
are unique, so some methods may work better for your deployment than others. Here
are some configuration methods you can try to prevent performance and reliability loss
in your environment:

Azure service tags with Azure Firewall
Proxy server bypass using Proxy Auto Configuration (.PAC) files
Bypass list in the local proxy configuration
Using proxy servers for per-user configuration
Using RDP Shortpath for the RDP connection while keeping the service traffic over
the proxy

Recommendations for using proxy servers


Some organizations require that all user traffic goes through a proxy server for tracking
or packet inspection. This section describes how we recommend configuring your
environment in these cases.

Use proxy servers in the same Azure geography


When you use a proxy server, it handles all communication with the Azure Virtual
Desktop infrastructure and performs DNS resolution and Anycast routing to the nearest
Azure Front Door. If your proxy servers are distant or distributed across an Azure
geography, your geographical resolution will be less accurate. Less accurate
geographical resolution means connections will be routed to a more distant Azure
Virtual Desktop cluster. To avoid this issue, only use proxy servers that are
geographically close to your Azure Virtual Desktop cluster.

Use RDP Shortpath for managed networks for desktop connectivity

When you enable RDP Shortpath for managed networks, RDP data will bypass the proxy
server, if possible. Bypassing the proxy server ensures optimal routing while using the
UDP transport. Other Azure Virtual Desktop traffic, such as brokering, orchestration, and
diagnostics will still go through the proxy server.

Don't use SSL termination on the proxy server


Secure Sockets Layer (SSL) termination replaces the security certificates of the Azure
Virtual Desktop components with certificates generated by the proxy server. This proxy
server feature enables packet inspection for HTTPS traffic on the proxy server. However,
packet inspection also increases the service response time, making it take longer for
users to sign in. For reverse-connect scenarios, RDP traffic packet inspection isn't
necessary because reverse-connect RDP traffic is binary and uses extra levels of encryption.

If you configure your proxy server to use SSL inspection, remember that you can't revert
your server to its original state after the SSL inspection makes changes. If something in
your Azure Virtual Desktop environment stops working while you have SSL inspection
enabled, you must disable SSL inspection and try again before you open a support case.
SSL inspection can also cause the Azure Virtual Desktop agent to stop working because
it interferes with trusted connections between the agent and the service.

Don't use proxy servers that need authentication


Azure Virtual Desktop components on the session host run in the context of their
operating system, so they don't support proxy servers that require authentication. If the
proxy server requires authentication, the connection will fail.

Plan for the proxy server network capacity


Proxy servers have capacity limits. Unlike regular HTTP traffic, RDP traffic has long
running, chatty connections that are bi-directional and consume lots of bandwidth.
Before you set up a proxy server, talk to your proxy server vendor about how much
throughput your server has. Also make sure to ask them how many proxy sessions you
can run at one time. After you deploy the proxy server, carefully monitor its resource use
for bottlenecks in Azure Virtual Desktop traffic.

Proxy servers and Microsoft Teams media optimization


Azure Virtual Desktop doesn't support proxy servers with media optimization for
Microsoft Teams.

Session host configuration recommendations


To configure a session host level proxy server, you need to enable a systemwide proxy.
Remember that systemwide configuration affects all OS components and applications
running on the session host. The following sections are recommendations for
configuring systemwide proxies.

Use the Web Proxy Auto-Discovery (WPAD) protocol


The Azure Virtual Desktop agent automatically tries to locate a proxy server on the
network using the Web Proxy Auto-Discovery (WPAD) protocol. During a location
attempt, the agent searches the domain name server (DNS) for a file named
wpad.domainsuffix. If the agent finds the file in the DNS, it makes an HTTP request for a
file named wpad.dat. The response becomes the proxy configuration script that chooses
the outbound proxy server.

To configure your network to use DNS resolution for WPAD, follow the instructions in
Auto detect settings Internet Explorer 11. Make sure the DNS server global query
blocklist allows the WPAD resolution by following the directions in Set-
DnsServerGlobalQueryBlockList.

Manually set a device-wide proxy for Windows services


If you're specifying a proxy server manually, at a minimum you will need to set a proxy
for the Windows services RDAgent and Remote Desktop Services on your session hosts.
RDAgent runs with the account Local System and Remote Desktop Services runs with the
account Network Service. You can set a proxy for these accounts using the bitsadmin
command-line tool.

The following example configures the Local System and Network Service accounts to
use a proxy .pac file. You'll need to run these commands from an elevated command
prompt, replacing the placeholder <server> with your own address:

Windows Command Prompt

bitsadmin /util /setieproxy LOCALSYSTEM AUTOSCRIPT http://<server>/proxy.pac

bitsadmin /util /setieproxy NETWORKSERVICE AUTOSCRIPT http://<server>/proxy.pac

For a full reference and other examples, see bitsadmin util and setieproxy.

You can also set a device-wide proxy or Proxy Auto Configuration (.PAC) file that applies
to all interactive, Local System, and Network Service users. If your session hosts are
enrolled with Intune, you can set a proxy with the Network Proxy CSP; however,
Windows multi-session client operating systems don't support Policy CSP as they only
support the settings catalog. Alternatively, you can configure a device-wide proxy using
the netsh winhttp command. For a full reference and examples, see Netsh Commands
for Windows Hypertext Transfer Protocol (WINHTTP).
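A session host configuration that combines the two methods above (device-wide WinHTTP proxy plus the per-account bitsadmin settings) with the local bypass list the article recommends for Azure Virtual Desktop traffic. This is an added example, not the documentation's own code; the proxy address, PAC URL and bypass entries are constructed, and the full bypass set must come from the required URL list.

```powershell
# Added example: explicit proxy on a session host with an Azure Virtual Desktop bypass.
# Run from an elevated PowerShell prompt on the session host. Placeholders throughout.
$ProxyServer = 'proxy.corp.example:8080'               # placeholder proxy
$PacUrl      = 'http://proxy.corp.example/proxy.pac'   # placeholder PAC script
# Destinations the agent and stack reach directly. *.wvd.microsoft.com covers the service
# FQDNs; add the remaining entries from the required URL list for your deployment.
$Bypass      = @('*.wvd.microsoft.com', '<local>')

# 1. Device-wide WinHTTP proxy used by Windows services such as RDAgent (Local System)
#    and Remote Desktop Services (Network Service); the bypass list keeps service traffic direct.
netsh winhttp set proxy proxy-server="$ProxyServer" bypass-list="$($Bypass -join ';')"

# 2. Per-account WinINet settings for the same two accounts through the PAC script,
#    which must itself return DIRECT for the bypassed destinations.
bitsadmin /util /setieproxy LOCALSYSTEM AUTOSCRIPT $PacUrl
bitsadmin /util /setieproxy NETWORKSERVICE AUTOSCRIPT $PacUrl

# 3. Verify the effective WinHTTP settings and that the agent loader is still running,
#    since a proxy that requires authentication would break its connection.
netsh winhttp show proxy
Get-Service -Name RDAgentBootLoader | Select-Object Name, Status
```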

Client-side proxy support


The Azure Virtual Desktop client supports proxy servers configured with system settings
or a Network Proxy CSP.

Azure Virtual Desktop client support


The following table shows which Azure Virtual Desktop clients support proxy servers:

Client name Proxy server support

Windows Desktop Yes

Web client Yes

Android No

iOS Yes

macOS Yes

Windows Store Yes

For more information about proxy support on Linux based thin clients, see Thin client
support.

Support limitations
There are many third-party services and applications that act as a proxy server. These
third-party services include distributed next-gen firewalls, web security systems, and
basic proxy servers. We can't guarantee that every configuration is compatible with
Azure Virtual Desktop. Microsoft only provides limited support for connections
established over a proxy server. If you're experiencing connectivity issues while using a
proxy server, Microsoft support recommends you configure a proxy bypass and then try
to reproduce the issue.

Next steps
For more information about keeping your Azure Virtual Desktop deployment secure,
check out our security guide.
Use Azure Firewall to protect Azure
Virtual Desktop deployments
Article • 04/23/2024

Azure Virtual Desktop is a cloud virtual desktop infrastructure (VDI) service that runs on
Azure. When an end user connects to Azure Virtual Desktop, their session comes from a
session host in a host pool. A host pool is a collection of Azure virtual machines that
register to Azure Virtual Desktop as session hosts. These virtual machines run in your
virtual network and are subject to the virtual network security controls. They need
outbound internet access to the Azure Virtual Desktop service to operate properly and
might also need outbound internet access for end users. Azure Firewall can help you
lock down your environment and filter outbound traffic.

Follow the guidelines in this article to provide extra protection for your Azure Virtual
Desktop host pool using Azure Firewall.

Prerequisites
A deployed Azure Virtual Desktop environment and host pool. For more
information, see Deploy Azure Virtual Desktop.
An Azure Firewall deployed with at least one Firewall Manager Policy.
DNS and DNS Proxy enabled in the Firewall Policy to use FQDN in Network Rules.

To learn more about Azure Virtual Desktop terminology, see Azure Virtual Desktop
terminology.
Host pool outbound access to Azure Virtual
Desktop
The Azure virtual machines you create for Azure Virtual Desktop must have access to
several Fully Qualified Domain Names (FQDNs) to function properly. Azure Firewall uses
the Azure Virtual Desktop FQDN tag WindowsVirtualDesktop to simplify this
configuration. You'll need to create an Azure Firewall Policy and create Rule Collections
for Network Rules and Applications Rules. Give the Rule Collection a priority and an
allow or deny action.

You need to create rules for each of the required FQDNs and endpoints. The list is
available at Required FQDNs and endpoints for Azure Virtual Desktop. In order to
identify a specific host pool as Source, you can create an IP Group with each session host
to represent it.

Important

We recommend that you don't use TLS inspection with Azure Virtual Desktop. For
more information, see the proxy server guidelines.

Azure Firewall Policy Sample


All the mandatory and optional rules mentioned above can be deployed in a single
Azure Firewall Policy using the template published at
https://github.com/Azure/RDS-Templates/tree/master/AzureFirewallPolicyForAVD.
Before deploying into production, we recommend reviewing all the network and
application rules defined and ensuring they align with the official Azure Virtual
Desktop documentation and security requirements.

Host pool outbound access to the Internet


Depending on your organization needs, you might want to enable secure outbound
internet access for your end users. If the list of allowed destinations is well-defined (for
example, for Microsoft 365 access), you can use Azure Firewall application and network
rules to configure the required access. This routes end-user traffic directly to the internet
for best performance. If you need to allow network connectivity for Windows 365 or
Intune, see Network requirements for Windows 365 and Network endpoints for Intune.
If you want to filter outbound user internet traffic by using an existing on-premises
secure web gateway, you can configure web browsers or other applications running on
the Azure Virtual Desktop host pool with an explicit proxy configuration. For example,
see How to use Microsoft Edge command-line options to configure proxy settings.
These proxy settings only influence your end-user internet access, allowing the Azure
Virtual Desktop platform outbound traffic directly via Azure Firewall.

Control user access to the web


Admins can allow or deny user access to different website categories. Add a rule to your
Application Collection from your specific IP address to web categories you want to allow
or deny. Review all the web categories.

Next step
Learn more about Azure Virtual Desktop: What is Azure Virtual Desktop?
Get started with the Azure Virtual
Desktop Agent
Article • 05/15/2023

In the Azure Virtual Desktop Service framework, there are three main components: the
Remote Desktop client, the service, and the virtual machines. These virtual machines live
in the customer subscription where the Azure Virtual Desktop agent and agent
bootloader are installed. The agent acts as the intermediate communicator between the
service and the virtual machines, enabling connectivity. Therefore, if you're experiencing
any issues with the agent installation, update, or configuration, your virtual machines
won't be able to connect to the service. The agent bootloader is the executable that
loads the agent.

This article will give you a brief overview of the agent installation and update processes.

Note

This documentation is not for the FSLogix agent or the Remote Desktop Client
agent.

Initial installation process


The Azure Virtual Desktop agent is initially installed in one of two ways. If you provision
virtual machines (VMs) in the Azure portal and Azure Marketplace, the agent and agent
bootloader are automatically installed. If you provision VMs using PowerShell, you must
manually download the agent and agent bootloader .msi files when creating an Azure
Virtual Desktop host pool with PowerShell. Once the agent is installed, it installs the
Azure Virtual Desktop side-by-side stack and Geneva Monitoring agent. The side-by-
side stack component is required for users to securely establish reverse server-to-client
connections. The Geneva Monitoring agent monitors the health of the agent. All three
of these components are essential for end-to-end user connectivity to function properly.

Important

To successfully install the Azure Virtual Desktop agent, side-by-side stack, and
Geneva Monitoring agent, you must unblock all the URLs listed in the Required
URL list. Unblocking these URLs is required to use the Azure Virtual Desktop
service.

Agent update process
The Azure Virtual Desktop service updates the agent whenever an update becomes
available. Agent updates can include new functionality or fixes for previous issues. You
must always have the latest stable version of the agent installed so your VMs don't lose
connectivity or security. After you've installed the initial version of the Azure Virtual
Desktop agent, the agent will regularly query the Azure Virtual Desktop service to
determine if there’s a newer version of the agent, stack, or monitoring agent available. If
a newer version exists, the updated component is automatically installed by the flighting
system, unless you've configured the Scheduled Agent Updates feature. If you've
already configured the Scheduled Agent Updates feature, the agent will only install the
updated components during the maintenance window that you specify. For more
information, see Scheduled Agent Updates.

New versions of the agent are deployed at regular intervals in five-day periods to all
Azure subscriptions. These update periods are called "flights". It takes 24 hours for all
VMs in a single broker region to receive the agent update in a flight. Because of this,
when a flight happens, you may see VMs in your host pool receive the agent update at
different times. Also, if the VMs are in different regions, they might update on different
days in the five-day period. The flight will update all VM agents in all subscriptions by
the end of the deployment period. The Azure Virtual Desktop flighting system enhances
service reliability by ensuring the stability and quality of the agent update.

Other important things you should keep in mind:

The agent update isn't connected to Azure Virtual Desktop infrastructure build
updates. When the Azure Virtual Desktop infrastructure updates, that doesn't
mean that the agent has updated along with it.
Because VMs in your host pool may receive agent updates at different times, you'll
need to be able to tell the difference between flighting issues and failed agent
updates. If you go to the event logs for your VM at Event Viewer > Windows Logs
> Application and see an event labeled "ID 3277," that means the Agent update
didn't work. If you don't see that event, then the VM is in a different flight and will
be updated later. See Set up diagnostics to monitor agent updates for more
information about how to set up diagnostic logs to track updates and make sure
they've been installed correctly.
When the Geneva Monitoring agent updates to the latest version, the old
GenevaTask task is located and disabled before creating a new task for the new
monitoring agent. The earlier version of the monitoring agent isn't deleted in case
that the most recent version of the monitoring agent has a problem that requires
reverting to the earlier version to fix. If the latest version has a problem, the old
monitoring agent will be re-enabled to continue delivering monitoring data. All
versions of the monitor that are earlier than the last one you installed before the
update will be deleted from your VM.
Your VM keeps three versions of the agent and of the side-by-side stack at a time.
This allows for quick recovery if something goes wrong with the update. The
earliest version of the agent or stack is removed from the VM whenever the agent
or stack updates. If you delete these components prematurely and the agent or
stack has a failure, the agent or stack won't be able to roll back to an earlier
version, which will put your VM in an unavailable state.
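
The following PowerShell script is an added example, not part of the article or of the agent itself. Run it elevated on a session host to apply the check described in the list above: it looks for Event ID 3277 in the Application log (a failed update) and lists the retained agent and stack versions so you can tell a failed update apart from a VM that is simply in a later flight. The `Remote Desktop ...` display-name prefixes and the `RDAgentBootLoader` service name are assumptions based on the component names used in the agent uninstall guide.

```powershell
# Added example (not part of the Azure Virtual Desktop documentation or agent).
# Run elevated on a session host to tell a failed agent update apart from a VM
# that is simply not in the current flight yet, and to list retained versions.

# 1. Event ID 3277 in the Application log means the agent update failed.
#    No 3277 event plus an old agent version means the VM is waiting for its flight.
$since  = (Get-Date).AddDays(-5)   # one flight period, as the article describes
$failed = Get-WinEvent -FilterHashtable @{
    LogName   = 'Application'
    Id        = 3277
    StartTime = $since
} -ErrorAction SilentlyContinue

# 2. Enumerate installed agent, boot loader, and side-by-side stack components from
#    the Uninstall registry keys. The 'Remote Desktop ...' display-name prefixes are
#    an assumption based on the component names used in the uninstall guide.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$components = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'Remote Desktop Services*' -or
                   $_.DisplayName -like 'Remote Desktop Agent*' } |
    Select-Object DisplayName, DisplayVersion, InstallDate |
    Sort-Object DisplayName, DisplayVersion

# 3. The boot loader service is what runs the agent; confirm it is up.
$bootLoader = Get-Service -Name RDAgentBootLoader -ErrorAction SilentlyContinue

if ($failed) {
    Write-Warning ("Agent update FAILED: {0} event(s) with ID 3277 since {1}" -f @($failed).Count, $since)
    $failed | Select-Object TimeCreated, Message | Format-List
} else {
    Write-Output "No Event ID 3277 since $since. If the agent version is still old, this VM is in a later flight."
}

Write-Output "RDAgentBootLoader service: $(if ($bootLoader) { $bootLoader.Status } else { 'not installed' })"
Write-Output "Installed agent / stack components (the VM keeps up to three versions of each):"
$components | Format-Table -AutoSize
```

Seeing more than three versions of a component, or fewer than the expected three right after an update, is worth a closer look before you clean anything up, since removing older versions by hand takes away the rollback path the article describes.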

The agent update normally lasts 2-3 minutes on a new VM and shouldn't cause your VM
to lose connection or shut down. This update process applies to both Azure Virtual
Desktop (classic) and the latest version of Azure Virtual Desktop with Azure Resource
Manager.

Next steps
Now that you have a better understanding of the Azure Virtual Desktop agent, here are
some resources that might help you:

If you're experiencing agent or connectivity-related issues, check out the Azure
Virtual Desktop Agent issues troubleshooting guide.
To schedule agent updates, see the Scheduled Agent Updates document.
To set up diagnostics for this feature, see the Scheduled Agent Updates
Diagnostics guide.
To find information about the latest and previous agent versions, see the Agent
Updates version notes.
Microsoft Entra joined session hosts in
Azure Virtual Desktop
Article • 06/04/2024

This article will walk you through the process of deploying and accessing Microsoft
Entra joined virtual machines in Azure Virtual Desktop. Microsoft Entra joined VMs
remove the need to have line-of-sight from the VM to an on-premises or virtualized
Active Directory Domain Controller (DC) or to deploy Microsoft Entra Domain Services.
In some cases, it can remove the need for a DC entirely, simplifying the deployment and
management of the environment. These VMs can also be automatically enrolled in
Intune for ease of management.

Known limitations
The following known limitations may affect access to your on-premises or Active
Directory domain-joined resources and you should consider them when deciding
whether Microsoft Entra joined VMs are right for your environment.

Azure Virtual Desktop (classic) doesn't support Microsoft Entra joined VMs.
Microsoft Entra joined VMs don't currently support external identities, such as
Microsoft Entra Business-to-Business (B2B) and Microsoft Entra Business-to-
Consumer (B2C).
Microsoft Entra joined VMs can only access Azure Files shares or Azure NetApp
Files shares for hybrid users using Microsoft Entra Kerberos for FSLogix user
profiles.
The Remote Desktop Store app for Windows doesn't support Microsoft Entra
joined VMs.

Deploy Microsoft Entra joined VMs
You can deploy Microsoft Entra joined VMs directly from the Azure portal when you
create a new host pool or expand an existing host pool. To deploy a Microsoft Entra
joined VM, open the Virtual Machines tab, then select whether to join the VM to Active
Directory or Microsoft Entra ID. Selecting Microsoft Entra ID gives you the option to
enroll VMs with Intune automatically, which lets you easily manage your session hosts.
Keep in mind that the Microsoft Entra ID option will only join VMs to the same Microsoft
Entra tenant as the subscription you're in.
Note

Host pools should only contain VMs of the same domain join type. For
example, Microsoft Entra joined VMs should only be with other Microsoft
Entra joined VMs, and vice-versa.
The VMs in the host pool must be Windows 11 or Windows 10 single-session
or multi-session, version 2004 or later, or Windows Server 2022 or Windows
Server 2019.

Assign user access to host pools
After you've created your host pool, you must assign users access to their resources. To
grant access to resources, add each user to the application group. Follow the
instructions in Manage application groups to assign user access to apps and desktops.
We recommend that you use user groups instead of individual users wherever possible.

For Microsoft Entra joined VMs, you'll need to do two extra things on top of the
requirements for Active Directory or Microsoft Entra Domain Services-based
deployments:

Assign your users the Virtual Machine User Login role so they can sign in to the
VMs.
Assign administrators who need local administrative privileges the Virtual Machine
Administrator Login role.

To grant users access to Microsoft Entra joined VMs, you must configure role
assignments for the VM. You can assign the Virtual Machine User Login or Virtual
Machine Administrator Login role either on the VMs, the resource group containing the
VMs, or the subscription. We recommend assigning the Virtual Machine User Login role
to the same user group you used for the application group at the resource group level
to make it apply to all the VMs in the host pool.
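
The following PowerShell script is an added example, not a script from the article. It performs the two role assignments described above at resource group scope, giving the user group only Virtual Machine User Login and restricting Virtual Machine Administrator Login to a separate, smaller group, and then lists who holds local administrator sign-in rights. The group and resource group names are placeholders, and the Az.Accounts and Az.Resources modules are assumed to be installed.

```powershell
# Added example (not Microsoft's script). Assigns the two sign-in roles the article
# describes at resource group scope, keeping 'Administrator Login' to a separate,
# smaller group. Requires the Az.Accounts and Az.Resources modules.
# The group and resource group names below are placeholders: replace them.
$resourceGroup  = 'rg-avd-hosts'            # placeholder: RG containing the session host VMs
$userGroupName  = 'AVD-Users'               # placeholder: same group assigned to the application group
$adminGroupName = 'AVD-SessionHost-Admins'  # placeholder: only admins who need local admin rights

Connect-AzAccount | Out-Null
$scope  = (Get-AzResourceGroup -Name $resourceGroup).ResourceId
$users  = Get-AzADGroup -DisplayName $userGroupName
$admins = Get-AzADGroup -DisplayName $adminGroupName

function Grant-LoginRole {
    param([string]$RoleName, [string]$ObjectId, [string]$Scope)
    # Idempotent: do nothing if the assignment already exists at this scope
    $existing = Get-AzRoleAssignment -ObjectId $ObjectId -RoleDefinitionName $RoleName `
        -Scope $Scope -ErrorAction SilentlyContinue
    if ($existing) { Write-Output "$RoleName already assigned at $Scope"; return }
    New-AzRoleAssignment -ObjectId $ObjectId -RoleDefinitionName $RoleName -Scope $Scope | Out-Null
    Write-Output "Assigned $RoleName at $Scope"
}

Grant-LoginRole -RoleName 'Virtual Machine User Login'          -ObjectId $users.Id  -Scope $scope
Grant-LoginRole -RoleName 'Virtual Machine Administrator Login' -ObjectId $admins.Id -Scope $scope

# Review: everything that can sign in with local admin rights on these session hosts,
# including assignments inherited from the subscription or management group.
Get-AzRoleAssignment -Scope $scope -RoleDefinitionName 'Virtual Machine Administrator Login' |
    Select-Object DisplayName, ObjectType, Scope | Format-Table -AutoSize
```

Assigning at the resource group rather than per VM means new session hosts added to the pool inherit the rights automatically; the final query is the one to rerun periodically, since an Administrator Login assignment made higher up the hierarchy also applies here.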

Access Microsoft Entra joined VMs
This section explains how to access Microsoft Entra joined VMs from different Azure
Virtual Desktop clients.

Single sign-on
For the best experience across all platforms, you should enable a single sign-on
experience using Microsoft Entra authentication when accessing Microsoft Entra joined
VMs. Follow the steps to Configure single sign-on to provide a seamless connection
experience.

Connect using legacy authentication protocols
If you prefer not to enable single sign-on, you can use the following configuration to
enable access to Microsoft Entra joined VMs.

Connect using the Windows Desktop client

The default configuration supports connections from Windows 11 or Windows 10 using
the Windows Desktop client. You can use your credentials, smart card, Windows Hello
for Business certificate trust or Windows Hello for Business key trust with certificates to
sign in to the session host. However, to access the session host, your local PC must meet
one of the following conditions:

The local PC is Microsoft Entra joined to the same Microsoft Entra tenant as the
session host
The local PC is Microsoft Entra hybrid joined to the same Microsoft Entra tenant as
the session host
The local PC is running Windows 11 or Windows 10, version 2004 or later, and is
Microsoft Entra registered to the same Microsoft Entra tenant as the session host

If your local PC doesn't meet one of these conditions, add targetisaadjoined:i:1 as a
custom RDP property to the host pool. These connections are restricted to entering user
name and password credentials when signing in to the session host.

Connect using the other clients

To access Microsoft Entra joined VMs using the web, Android, macOS and iOS clients,
you must add targetisaadjoined:i:1 as a custom RDP property to the host pool. These
connections are restricted to entering user name and password credentials when
signing in to the session host.
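
The following PowerShell script is an added example, not from the article, showing how to add the targetisaadjoined:i:1 property described in the two sections above without overwriting the custom RDP properties a host pool already has. The host pool and resource group names are placeholders, and the Az.Accounts and Az.DesktopVirtualization modules are assumed to be installed.

```powershell
# Added example (not from the article). Adds targetisaadjoined:i:1 to a host pool's
# custom RDP properties without overwriting the properties already configured.
# Requires the Az.Accounts and Az.DesktopVirtualization modules. Names are placeholders.
$resourceGroup = 'rg-avd-hosts'     # placeholder
$hostPoolName  = 'hp-entra-joined'  # placeholder
$property      = 'targetisaadjoined:i:1'

$pool    = Get-AzWvdHostPool -ResourceGroupName $resourceGroup -Name $hostPoolName
$current = $pool.CustomRdpProperty      # one ';'-separated string, possibly empty

$existing = @()
if ($current) { $existing = @($current -split ';' | Where-Object { $_ -ne '' }) }

if ($existing -contains $property) {
    Write-Output "Host pool '$hostPoolName' already has $property"
} else {
    # Keep existing properties; each entry ends with ';' in this format.
    $updated = ($existing + $property) -join ';'
    $updated = "$updated;"
    Update-AzWvdHostPool -ResourceGroupName $resourceGroup -Name $hostPoolName `
        -CustomRdpProperty $updated | Out-Null
    Write-Output "Custom RDP properties for '$hostPoolName' are now: $updated"
}

# With this property set, users on those clients sign in with user name and password
# only, so keep it off host pools where single sign-on is enabled.
```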

Enforcing Microsoft Entra multifactor authentication for
Microsoft Entra joined session VMs
You can use Microsoft Entra multifactor authentication with Microsoft Entra joined VMs.
Follow the steps to Enforce Microsoft Entra multifactor authentication for Azure Virtual
Desktop using Conditional Access and note the extra steps for Microsoft Entra joined
session host VMs.

If you're using Microsoft Entra multifactor authentication and you don't want to restrict
signing in to strong authentication methods like Windows Hello for Business, you'll need
to exclude the Azure Windows VM Sign-In app from your Conditional Access policy.

User profiles
You can use FSLogix profile containers with Microsoft Entra joined VMs when you store
them on Azure Files or Azure NetApp Files while using hybrid user accounts. For more
information, see Create a profile container with Azure Files and Microsoft Entra ID.

Accessing on-premises resources
While you don't need an Active Directory to deploy or access your Microsoft Entra
joined VMs, an Active Directory and line-of-sight to it are needed to access on-premises
resources from those VMs. To learn more about accessing on-premises resources, see
How SSO to on-premises resources works on Microsoft Entra joined devices.

Next steps
Now that you've deployed some Microsoft Entra joined VMs, we recommend enabling
single sign-on before connecting with a supported Azure Virtual Desktop client to test it
as part of a user session. To learn more, check out these articles:

Configure single sign-on
Create a profile container with Azure Files and Microsoft Entra ID
Connect with the Windows Desktop client
Connect with the web client
Troubleshoot connections to Microsoft Entra joined VMs
Create a profile container with Azure NetApp Files
Custom image templates in Azure
Virtual Desktop
Article • 09/23/2024

Custom image templates in Azure Virtual Desktop enable you to easily create a custom
image that you can use when deploying session host virtual machines (VMs). Using
custom images helps you to standardize the configuration of your session host VMs for
your organization. Custom image templates are built on Azure Image Builder and
tailored for Azure Virtual Desktop.

Creation process
There are two parts to creating a custom image:

1. Create a custom image template that defines what should be in the resulting
image.

2. Build the image from that custom image template, by submitting the template to
Azure Image Builder.

A custom image template is a JSON file that contains your choices of source image,
distribution targets, build properties, and customizations. Azure Image Builder uses this
template to create a custom image, which you can use as the source image for your
session hosts when creating or updating a host pool. When creating the image, Azure
Image Builder also takes care of generalizing the image with sysprep.

Custom images can be stored in Azure Compute Gallery or as a managed image or
both. Azure Compute Gallery allows you to manage region replication, versioning, and
sharing of custom images. See Create a legacy managed image of a generalized VM in
Azure to review limitations for managed images.

The source image must be supported for Azure Virtual Desktop and can be from:

Azure Marketplace.
An existing Azure Compute Gallery shared image.
An existing managed image.
An existing custom image template.

Several built-in scripts are available for you to use that configure some of the
most popular features and settings when using Azure Virtual Desktop. You can also add
your own custom scripts to the template, as long as they're hosted at a publicly
available location, such as GitHub or a web service. You need to specify a duration for
the build, so make sure you allow enough time for your scripts to complete. Built-in
scripts include restarts where needed.

Here are some examples of the built-in scripts you can add to a custom image template:

Install language packs.
Set the default language of the operating system.
Enable time zone redirection.
Disable Storage Sense.
Install FSLogix and configure Profile Container.
Enable FSLogix with Kerberos.
Enable RDP Shortpath for managed networks.
Enable screen capture protection.
Configure Teams optimizations. Optimizations include WebRTC redirector service
and Visual C++ Redistributable.
Configure session timeouts.
Disable automatic updates for MSIX applications.
Add or remove Microsoft Office applications.
Apply Windows Updates.

When the custom image is being created and distributed, Azure Image Builder uses a
user-assigned managed identity. Azure Image Builder uses this managed identity to
create several resources in your subscription, such as a resource group, a VM used to
build the image, Key Vault, and a storage account. The VM needs internet access to
download the built-in scripts or your own scripts that you added. The built-in scripts are
stored in the RDS-templates GitHub repository at https://github.com/Azure/RDS-Templates.

You can choose whether you want the VM to connect to an existing virtual network and
subnet, which will enable the VM to have access to other resources you may have
available to that virtual network. If you don't specify an existing virtual network, a
temporary virtual network, subnet, and public IP address are created for use by the VM.
For more information on networking options, see Azure VM Image Builder networking
options.

Resources
A resource group is created when the custom image template is created. The default
name is in the format IT_<ResourceGroupName>_<TemplateName>_<GUID> and stores the
resources required during the build. Most of these resources are temporary and are
deleted after the build is complete, except the storage account.

In the storage account, up to three containers are created:

shell is where customization scripts are stored, if you include any customization
scripts in your custom image template.

packerlogs has one or more folders named with a GUID, which contain a file called
customization.log. This file contains all the outputs from the Hashicorp Packer
service that Azure Image Builder uses. These outputs can be downloaded at any
time to review the progress, errors and completion status.

vhds temporarily stores the resulting virtual hard disk (VHD) file before being
stored as a managed image or in Azure Compute Gallery.

The resource group IT_<ResourceGroupName>_<TemplateName>_<GUID> associated with
your template can be deleted after the custom image has been created successfully,
providing you don't need the logs. The resource group is also deleted if you delete the
resource group containing your image.
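
The following PowerShell script is an added example, not from the article. It finds the IT_<ResourceGroupName>_<TemplateName>_<GUID> staging resource groups for a template resource group, downloads every customization.log from the packerlogs container described above so a build can be reviewed offline, and then lists error lines across the downloaded logs. The template resource group name is a placeholder, and the Az.Accounts and Az.Storage modules are assumed to be installed.

```powershell
# Added example (not from the article). Downloads every customization.log from the
# packerlogs container in the staging resource group(s) of your templates so a failed
# build can be reviewed offline, then lists error lines. Requires Az.Accounts and
# Az.Storage. The template resource group name is a placeholder.
$templateResourceGroup = 'rg-avd-images'                      # placeholder
$destination           = Join-Path $env:TEMP 'avd-image-build-logs'

New-Item -ItemType Directory -Path $destination -Force | Out-Null

# Staging groups follow IT_<ResourceGroupName>_<TemplateName>_<GUID>
$stagingGroups = Get-AzResourceGroup -Name "IT_${templateResourceGroup}_*"
if (-not $stagingGroups) { Write-Output "No staging resource group found for $templateResourceGroup"; return }

foreach ($rg in $stagingGroups) {
    foreach ($sa in Get-AzStorageAccount -ResourceGroupName $rg.ResourceGroupName) {
        $ctx = $sa.Context
        if (-not (Get-AzStorageContainer -Name 'packerlogs' -Context $ctx -ErrorAction SilentlyContinue)) { continue }
        # One folder per build run, named with a GUID, each holding customization.log
        Get-AzStorageBlob -Container 'packerlogs' -Context $ctx |
            Where-Object { $_.Name -like '*/customization.log' } |
            ForEach-Object {
                $runId  = ($_.Name -split '/')[0]
                $target = Join-Path $destination "$($rg.ResourceGroupName)-$runId-customization.log"
                Get-AzStorageBlobContent -Container 'packerlogs' -Blob $_.Name -Context $ctx `
                    -Destination $target -Force | Out-Null
                Write-Output "Saved $target"
            }
    }
}

# Quick triage: surface error lines without opening each file
Get-ChildItem -Path $destination -Filter '*customization.log' |
    Select-String -Pattern 'error|fail' |
    Select-Object Filename, LineNumber, Line | Format-Table -AutoSize -Wrap
```

Run this before deleting the staging resource group, because the logs go with it; the script prints nothing for a template whose staging group has already been removed.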

Next steps
Learn how to Create Custom image templates and custom images in Azure Virtual
Desktop.


Use custom image templates to create
custom images in Azure Virtual Desktop
Article • 01/24/2024

Custom image templates in Azure Virtual Desktop enable you to easily create a custom
image that you can use when deploying session host virtual machines (VMs). Using
custom images helps you to standardize the configuration of your session host VMs for
your organization. Custom image templates are built on Azure Image Builder and
tailored for Azure Virtual Desktop.

This article shows you how to create a custom image template, then create a custom
image using that template. For more information, see Custom image templates.

Prerequisites
Before you can create a custom image template, you need to meet the following
prerequisites:

The following resource providers registered on your subscription. For information
on how you can check their registration status and how to register them if needed,
see Azure resource providers and types.
Microsoft.DesktopVirtualization
Microsoft.VirtualMachineImages
Microsoft.Storage
Microsoft.Compute
Microsoft.Network
Microsoft.KeyVault
Microsoft.ContainerInstance

A resource group to store custom image templates, and images. If you specify your
own resource group for Azure Image Builder to use, then it needs to be empty
before the image build starts.

A user-assigned managed identity. We recommend you create one specifically to
use with custom image templates.

Create a custom role in Azure role-based access control (RBAC) with the following
permissions as actions:

JSON
"Microsoft.Compute/galleries/read",
"Microsoft.Compute/galleries/images/read",
"Microsoft.Compute/galleries/images/versions/read",
"Microsoft.Compute/galleries/images/versions/write",
"Microsoft.Compute/images/write",
"Microsoft.Compute/images/read",
"Microsoft.Compute/images/delete"

Assign the custom role to the managed identity. This should be scoped
appropriately for your deployment, ideally to the resource group you use to store
custom image templates.

Optional: If you want to distribute your image to Azure Compute Gallery, create an
Azure Compute Gallery, then create a VM image definition. When you create a VM
image definition in the gallery you need to specify the generation of the image you
intend to create, either generation 1 or generation 2. The generation of the image
you want to use as the source image needs to match the generation specified in
the VM image definition. Don't create a VM image version at this stage. This will be
done by Azure Virtual Desktop.

Optional: You can use an existing virtual network when building an image. If you
do, the managed identity you're using needs access to the virtual network, or the
resource group it's contained within. For more information, see Permission to
customize images on your virtual networks.

If this virtual network is using a private service policy, it needs to be disabled for
Azure Image Builder to work correctly. For more information, see Disable private
service policy on the subnet.
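
The following PowerShell script is an added example, not Microsoft's script, that sets up the prerequisites listed above in one pass: it registers the resource providers, creates the user-assigned managed identity, creates a custom role containing exactly the seven actions listed and assignable only within the resource group that stores your templates, and assigns that role to the identity at resource group scope. Resource names are placeholders, and the Az.Accounts, Az.Resources and Az.ManagedServiceIdentity modules are assumed to be installed.

```powershell
# Added example (not Microsoft's script). Sets up the prerequisites listed above:
# resource providers, a user-assigned managed identity, and a custom role that
# holds exactly the listed actions, assignable only in the resource group that
# stores your templates and images. Requires Az.Accounts, Az.Resources and
# Az.ManagedServiceIdentity. Names are placeholders; replace them.
$resourceGroup = 'rg-avd-images'                       # placeholder
$location      = 'westeurope'                          # placeholder
$identityName  = 'id-avd-imagebuilder'                 # placeholder
$roleName      = 'AVD Custom Image Template Builder'   # placeholder

Connect-AzAccount | Out-Null
$subscriptionId = (Get-AzContext).Subscription.Id
$scope = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup"

# 1. Register the resource providers (no-op when already registered)
$providers = 'Microsoft.DesktopVirtualization', 'Microsoft.VirtualMachineImages',
             'Microsoft.Storage', 'Microsoft.Compute', 'Microsoft.Network',
             'Microsoft.KeyVault', 'Microsoft.ContainerInstance'
foreach ($p in $providers) {
    $state = (Get-AzResourceProvider -ProviderNamespace $p | Select-Object -First 1).RegistrationState
    if ($state -ne 'Registered') {
        Register-AzResourceProvider -ProviderNamespace $p | Out-Null
        Write-Output "Registering $p"
    }
}

# 2. Resource group and user-assigned managed identity
if (-not (Get-AzResourceGroup -Name $resourceGroup -ErrorAction SilentlyContinue)) {
    New-AzResourceGroup -Name $resourceGroup -Location $location | Out-Null
}
$identity = Get-AzUserAssignedIdentity -ResourceGroupName $resourceGroup -Name $identityName `
    -ErrorAction SilentlyContinue
if (-not $identity) {
    $identity = New-AzUserAssignedIdentity -ResourceGroupName $resourceGroup -Name $identityName `
        -Location $location
}

# 3. Custom role with only the image permissions the article lists
$role = Get-AzRoleDefinition -Name $roleName -ErrorAction SilentlyContinue
if (-not $role) {
    $role = Get-AzRoleDefinition -Name 'Reader'    # built-in role used only as a template object
    $role.Id          = $null
    $role.Name        = $roleName
    $role.Description = 'Azure Image Builder access for AVD custom image templates'
    $role.IsCustom    = $true
    $role.Actions.Clear()
    foreach ($action in @(
        'Microsoft.Compute/galleries/read',
        'Microsoft.Compute/galleries/images/read',
        'Microsoft.Compute/galleries/images/versions/read',
        'Microsoft.Compute/galleries/images/versions/write',
        'Microsoft.Compute/images/write',
        'Microsoft.Compute/images/read',
        'Microsoft.Compute/images/delete')) { $role.Actions.Add($action) }
    $role.AssignableScopes.Clear()
    $role.AssignableScopes.Add($scope)           # cannot be assigned outside this RG
    $role = New-AzRoleDefinition -Role $role
}

# 4. Assign the role to the identity at resource group scope (least privilege for the build)
$assignment = Get-AzRoleAssignment -ObjectId $identity.PrincipalId -RoleDefinitionName $roleName `
    -Scope $scope -ErrorAction SilentlyContinue
if (-not $assignment) {
    New-AzRoleAssignment -ObjectId $identity.PrincipalId -RoleDefinitionName $roleName -Scope $scope | Out-Null
}
Write-Output "Identity '$($identity.Name)' holds '$roleName' on $scope"
```

If the role assignment step fails with a principal-not-found error immediately after the identity is created, wait a minute for directory replication and rerun the script; every step is idempotent.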

Create a custom image
There are two parts to creating a custom image. First you need to create a custom
image template, then you need to build the image using the custom image template.

Create a custom image template

To create a custom image template using the Azure portal:

1. Sign in to the Azure portal.

2. In the search bar, enter Azure Virtual Desktop and select the matching service
entry.

3. Select Custom image templates, then select +Add custom image template.

4. On the Basics tab, complete the following information:

   Template name: Enter a name for the custom image template.
   Import from existing template: Select Yes if you have an existing custom image
   template that you want to use as the basis of the new template.
   Subscription: Select the subscription you want to use from the list.
   Resource group: Select an existing resource group.
   Location: Select a region from the list where the custom image template will
   be created.
   Managed identity: Select the managed identity to use for creating the custom image
   template.

Once you've completed this tab, select Next.

5. On the Source image tab, for Source type select the source of your template from
one of the options, then complete the other fields for that source type.
Confidential VM and Trusted Launch support is inherited from Azure VM Image
Builder. For more information, see Confidential VM and Trusted Launch support.

Platform image (marketplace) provides a list of the available images in the
Azure Marketplace for Azure Virtual Desktop.

   Select image: Select the image you want to use from the list. The generation of the
   image will be shown.

Managed image provides a list of managed images you have in the same
subscription and location you selected on the Basics tab.

   Image ID: Select the image ID you want to use from the list. The generation of the
   image will be shown.

Azure Compute Gallery provides a list of image definitions you have in an
Azure Compute Gallery.

   Gallery name: Select the Azure Compute Gallery that contains the source
   image you want to use from the list.
   Gallery image definition: Select the Gallery image definition you want to use
   from the list.
   Gallery version: Select the Gallery version you want to use from the list. The
   generation of the image will be shown.

Once you've completed this tab, select Next.

6. On the Distribution targets tab, check the relevant box whether you want to create
a managed image, an Azure Compute Gallery image, or both:

For managed image, complete the following information:

   Resource group: Select an existing resource group from the list for the managed
   image. If you choose a different resource group to the one you selected on
   the Basics tab, you'll also need to add the same role assignment for
   the managed identity.
   Image name: Select an existing managed image from the list or select Create a
   managed image.
   Location: Select the Azure region from the list for the managed image.
   Run output name: Enter a run output name for the image. This is a free text field.

For Azure Compute Gallery, complete the following information:

   Gallery name: Select the Azure Compute Gallery you want to distribute the image
   to from the list.
   Gallery image definition: Select the Gallery image definition you want to use
   from the list.
   Gallery image version: Optional. Enter a version number for the image. If you
   don't enter a value, one is generated automatically.
   Run output name: Enter a run output name for the image. This is a free text field.
   Replicated regions: Select which Azure regions to store and replicate the image.
   The region you selected for the custom image template is automatically
   selected.
   Excluded from latest: Select Yes to prevent this image version from being used
   where you specify latest as the version of the ImageReference element when
   you create a VM. Otherwise, select No. To change this later, see List, update,
   and delete gallery resources.
   Storage account type: Select the storage account type and redundancy from the list.

Once you've completed this tab, select Next.

7. On the Build properties tab, complete the following information:

   Build timeout (minutes): Enter the maximum duration to wait while building the
   image template (includes all customizations, validations, and distributions).
   Customizations like Language Pack installation or Configure Windows
   Optimization require Windows Update and we recommend a higher build
   timeout. Windows Update is automatically triggered for those built-in
   scripts.
   Build VM size: Select a size for the temporary VM created and used to build the
   template. You need to select a VM size that matches the generation of
   your source image.
   OS disk size (GB): Select the resource group you assigned the managed identity to.
   Alternatively, if you assigned the managed identity to the subscription,
   you can create a new resource group here.
   Staging group: Enter a name for a new resource group you want Azure Image Builder
   to use to create the Azure resources it needs to create the image. If you
   leave this blank Azure Image Builder creates its own default resource
   group.
   Build VM managed identity: Select a user-assigned managed identity if you want
   the build VM to authenticate with other Azure services. For more information,
   see User-assigned identity for the Image Builder Build VM.
   Virtual network: Select an existing virtual network for the VM used to build the
   template. If you don't select an existing virtual network, a temporary one is
   created, along with a public IP address for the temporary VM.
   Subnet: If you selected an existing virtual network, select a subnet from the list.

Once you've completed this tab, select Next.

8. On the Customizations tab, you can add built-in scripts or your own scripts that
run when building the image.

To add a built-in script:

a. Select +Add built-in script.

b. Select the scripts you want to use from the list, and complete any required
information. Built-in scripts include restarts where needed.

c. Select Save.

To add your own script:

a. Select +Add your own script.

b. Enter a name for your script and the Uniform Resource Identifier (URI) for your
script. This needs to be a publicly available location, such as GitHub, a web
service, or your own storage account. To use a storage account, you need to
assign the managed identity an appropriate RBAC role, such as Storage Blob
Data Reader.

c. Select Save. You can repeat these steps for each of your own scripts you want to
add.

You can change the order the scripts run by selecting Move up, Move down, Move
to top, or Move to bottom. Once you've completed this tab, select Next.

9. On the Tags tab, enter any name and value pairs you can use to help organize your
resources, then select Next. A default tag of AVD_IMAGE_TEMPLATE :
AVD_IMAGE_TEMPLATE is automatically created. For more information, see Resource
naming and tagging decision guide.

10. On the Review and create tab, review the information that is used during
deployment, then select Create.

Tip

The new template may take about 20 seconds to appear. From Custom
images templates, select Refresh to check the status.

Removing or uninstalling the Microsoft Store app isn't supported. Learn how
to Configure access to the Microsoft Store.

Build the image
Once your custom image template has been successfully created, you need to build the
custom image. To build the custom image using the Azure portal:

1. From Custom images templates, check the box for the custom image template
you want to build.

2. Select Start build. The image starts to be built. The time it takes to complete
depends on how long it takes any built-in scripts and your own scripts to
complete.

3. Select Refresh to check the status. You can see more information on the build
status by selecting the name of the custom image template where you can see the
Build run state.

Create a host pool with session hosts using the
custom image
Now you've created a custom image, you can use it when creating session host VMs. If
you want to create a host pool and session hosts from Azure Virtual Desktop using the
Azure portal, follow the steps in Create a host pool. For the Virtual Machines tab, if you
add virtual machines, follow these steps to use your custom image:

1. For Image, select See all images.

2. Select My Items.

3. Select My Images to see a list of managed images, or select Shared Images to see
a list of images in Azure Compute Gallery.

Important

When selecting a virtual machine size, you will need to select a size that
matches the generation of your source image.

4. Complete the steps to create a host pool and session hosts from your custom
image.

Next steps
Connect to Azure Virtual Desktop


Create a golden image in Azure
Article • 03/02/2023

This article will walk you through how to use the Azure portal to create a custom image
to use for your Azure Virtual Desktop session hosts. This custom image, which we'll call a
"golden image," contains all apps and configuration settings you want to apply to your
deployment. There are other approaches to customizing your session hosts, such as
using device management tools like Microsoft Intune or automating your image build
using tools like Azure Image Builder with Azure DevOps. Which strategy works best
depends on the complexity and size of your planned Azure Virtual Desktop environment
and your current application deployment processes.

Create an image from an Azure VM
When creating a new VM for your golden image, make sure to choose an OS that's in
the list of supported virtual machine OS images. We recommend using a Windows 10
multi-session (with or without Microsoft 365) or Windows Server image for pooled host
pools. We recommend using Windows 10 Enterprise images for personal host pools. You
can use either Generation 1 or Generation 2 VMs; Gen 2 VMs support features that
aren't supported for Gen 1 machines. Learn more about Generation 1 and Generation 2
VMs at Support for generation 2 VMs on Azure.

Important

The VM used for taking the image must be deployed without "Login with Azure
AD" flag. During the deployment of Session Hosts in Azure Virtual Desktop, if you
choose to add VMs to Azure Active Directory you are able to Login with AD
Credentials too.

Take your first snapshot
First, create the base VM for your chosen image. After you've deployed the image, take
a snapshot of the disk of your image VM. Snapshots are save states that will let you roll
back any changes if you run into problems while building the image. Since you'll be
taking many snapshots throughout the build process, make sure to give the snapshot a
name you can easily identify.

Customize your VM
Sign in to the VM and start customizing it with apps, updates, and other things you'll
need for your image. If the VM needs to be domain-joined during customization,
remove it from the domain before running sysprep. If you need to install many apps, we
recommend you take multiple snapshots to revert your VM if a problem happens. Make
sure you've done the following things before taking the final snapshot:

Install the latest Windows updates.
Complete any necessary cleanup, such as cleaning up temporary files,
defragmenting disks, and removing unnecessary user profiles.

Note

1. If your machine will include an antivirus app, it may cause issues when you
start sysprep. To avoid this, disable all antivirus programs before running
sysprep.

2. Unified Write Filter (UWF) is not supported for session hosts. Please ensure it
is not enabled in your image.

3. Do not join your golden image VM to a host pool, by deploying the Azure
Virtual Desktop Agent. If you do this when you create additional session hosts
from this image at a later time, they will fail to join the host pool as the
Registration token will have expired. The host pool deployment process will
automatically join the session hosts to the required host pool during the
provisioning process.

Take the final snapshot
When you are done installing your applications to the image VM, take a final snapshot
of the disk. If sysprep or capture fails, you will be able to create a new base VM with
your applications already installed from this snapshot.
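
The following PowerShell script is an added example, not from the article, covering both snapshot steps described above (the first snapshot after the base deployment and the final one before sysprep). It snapshots the image VM's OS disk under a name that records the VM, the build stage and the time, so the right restore point is easy to identify, and it shows the roll-back the article relies on: building a new managed disk from a snapshot and swapping it in as the VM's OS disk. Resource names are placeholders, and the Az.Accounts and Az.Compute modules are assumed to be installed.

```powershell
# Added example (not from the article). Snapshots the image VM's OS disk under a
# name that records the build stage and time, and shows how to roll the VM back to
# a snapshot if a later step fails. Requires Az.Accounts and Az.Compute.
# Resource names are placeholders; replace them.
$resourceGroup = 'rg-golden-image'   # placeholder
$vmName        = 'vm-golden'         # placeholder

function New-GoldenSnapshot {
    param([string]$Stage)   # e.g. 'base', 'apps', 'final'
    $vm   = Get-AzVM -ResourceGroupName $resourceGroup -Name $vmName
    $disk = Get-AzDisk -ResourceGroupName $resourceGroup -DiskName $vm.StorageProfile.OsDisk.Name
    # Name = VM + stage + timestamp, so the right restore point is easy to find later
    $name = '{0}-{1}-{2}' -f $vmName, $Stage, (Get-Date -Format 'yyyyMMdd-HHmm')
    $cfg  = New-AzSnapshotConfig -SourceUri $disk.Id -Location $disk.Location -CreateOption Copy
    $snap = New-AzSnapshot -ResourceGroupName $resourceGroup -SnapshotName $name -Snapshot $cfg
    Write-Output "Snapshot $($snap.Name) created from $($disk.Name)"
    return $snap
}

function Restore-GoldenSnapshot {
    param([string]$SnapshotName)
    # Build a fresh managed disk from the snapshot and swap it in as the OS disk.
    # The old disk is left in place so you can still inspect it.
    $snap    = Get-AzSnapshot -ResourceGroupName $resourceGroup -SnapshotName $SnapshotName
    $diskCfg = New-AzDiskConfig -Location $snap.Location -CreateOption Copy -SourceResourceId $snap.Id
    $newDisk = New-AzDisk -ResourceGroupName $resourceGroup -DiskName "$SnapshotName-osdisk" -Disk $diskCfg

    $vm = Get-AzVM -ResourceGroupName $resourceGroup -Name $vmName
    Stop-AzVM -ResourceGroupName $resourceGroup -Name $vmName -Force | Out-Null
    Set-AzVMOSDisk -VM $vm -ManagedDiskId $newDisk.Id -Name $newDisk.Name | Out-Null
    Update-AzVM -ResourceGroupName $resourceGroup -VM $vm | Out-Null
    Start-AzVM -ResourceGroupName $resourceGroup -Name $vmName | Out-Null
    Write-Output "$vmName now boots from $($newDisk.Name) (restored from $SnapshotName)"
}

# First snapshot right after the base deployment, before any customization
New-GoldenSnapshot -Stage 'base'
# Later, if sysprep or capture fails: Restore-GoldenSnapshot -SnapshotName '<name printed above>'
```

Call New-GoldenSnapshot again with a different stage name after each batch of application installs and once more as 'final' before sysprep; the article's advice to never capture the same VM twice means the 'final' snapshot is the one you restore from to build a fresh base VM.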

Run sysprep
Some optional things you can do before running Sysprep:

Reboot once
Clean up temp files in system storage
Optimize drivers (defrag)
Remove any user profiles
Generalize the VM by running sysprep
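
The following PowerShell script is an added example, not from the article. Run elevated inside the image VM, it checks the conditions called out in the note and list above before generalizing: no Azure Virtual Desktop agent components installed, Unified Write Filter disabled, the VM removed from the domain, no pending reboot, no third-party antivirus registered, and no leftover user profiles. Only when the checks pass and you set $runSysprep does it run sysprep with generalize, OOBE and shutdown. The `Remote Desktop ...` display names and the `RDAgentBootLoader` service name are assumptions based on the component names used in the agent uninstall guide.

```powershell
# Added example (not from the article). Pre-flight checks for the golden image VM
# that cover the items in the note above, then (only if you set $runSysprep) the
# sysprep generalize/shutdown call. Run elevated inside the image VM.
# The 'Remote Desktop ...' display names and the RDAgentBootLoader service name are
# assumptions based on the component names used in the agent uninstall guide.
$runSysprep = $false    # set to $true once the checks pass and the final snapshot exists
$problems   = @()

# 1. The Azure Virtual Desktop agent must not be in the image: its registration
#    token is tied to one host pool and expires.
$uninstallKeys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                   'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*')
$agentBits = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'Remote Desktop Services*' -or
                   $_.DisplayName -like 'Remote Desktop Agent*' }
if ($agentBits) { $problems += "AVD agent components installed: $($agentBits.DisplayName -join ', ')" }
if (Get-Service -Name RDAgentBootLoader -ErrorAction SilentlyContinue) {
    $problems += 'RDAgentBootLoader service is present'
}

# 2. Unified Write Filter is not supported on session hosts
$uwf = Get-WindowsOptionalFeature -Online -FeatureName Client-UnifiedWriteFilter -ErrorAction SilentlyContinue
if ($uwf -and $uwf.State -eq 'Enabled') { $problems += 'Unified Write Filter is enabled' }

# 3. Leave the domain before sysprep
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if ($cs.PartOfDomain) { $problems += "VM is still joined to domain $($cs.Domain)" }

# 4. Reboot once: sysprep fails when a reboot is pending from updates or servicing
$rebootPending = (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending') -or
                 (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired')
if ($rebootPending) { $problems += 'A reboot is pending' }

# 5. Third-party antivirus should be disabled before sysprep (client SKUs expose this
#    via Security Center; on Windows Server the query returns nothing)
$av = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction SilentlyContinue |
      Where-Object { $_.displayName -notlike '*Defender*' }
if ($av) { $problems += "Third-party antivirus registered: $($av.displayName -join ', ')" }

# 6. Remove user profiles other than the one you are working from
$profiles = Get-CimInstance -ClassName Win32_UserProfile |
    Where-Object { -not $_.Special -and $_.LocalPath -ne $env:USERPROFILE }
if ($profiles) { $problems += "Leftover user profiles: $($profiles.LocalPath -join ', ')" }

if ($problems) {
    Write-Warning 'Fix the following before running sysprep:'
    $problems | ForEach-Object { Write-Warning " - $_" }
} elseif ($runSysprep) {
    Write-Output 'Checks passed. Generalizing; the VM shuts down when sysprep completes.'
    & "$env:SystemRoot\System32\Sysprep\sysprep.exe" /generalize /oobe /shutdown
} else {
    Write-Output 'Checks passed. Take the final snapshot, then set $runSysprep = $true and rerun.'
}
```

Keeping the sysprep call behind a flag is deliberate: the VM cannot be reused after generalization, so the checks should run, and the final snapshot should exist, before the shutdown happens.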

Capture the VM
After you've completed sysprep and shut down your machine in the Azure portal, open
the VM tab and select the Capture button to save the image for later use. When you
capture a VM, you can either add the image to a shared image gallery or capture it as a
managed image. The Shared Image Gallery lets you add features and use existing
images in other deployments. Images from a Shared Image Gallery are highly-available,
ensure easy versioning, and you can deploy them at scale. However, if you have a
simpler deployment, you may want to use a standalone managed image instead.

Important

We recommend using Azure Compute Gallery images for production environments
because of their enhanced capabilities, such as replication and image versioning.
When you create a capture, you'll need to delete the VM afterwards, as you'll no
longer be able to use it after the capture process is finished. Don't try to capture
the same VM twice, even if there's an issue with the capture. Instead, create a new
VM from your latest snapshot, then run sysprep again. Once you've finished the
capture process, you can use your image to create your session hosts. To find the
image, open the Host pool tab, choose Gallery, then select all images. Next, select
My items and look for your managed images under My images. Your image
definitions should appear under the shared items section.

Other recommendations
Here are some extra things you should keep in mind when creating a golden image:

Don't capture a VM that already exists in your host pools. The image will conflict
with the existing VM's configuration, and the new VM won't work.
Make sure to remove the VM from the domain before running sysprep.
Delete the base VM once you've captured the image from it.
After you've captured your image, don't use the same VM you captured again.
Instead, create a new base VM from the last snapshot you created. You'll need to
periodically update and patch this new VM on a regular basis.
Don't create a new base VM from an existing custom image.

Next steps
If you want to add a language pack to your image, see Language packs.
Prepare and customize a VHD image for
Azure Virtual Desktop
Article • 03/04/2024

This article tells you how to prepare a master virtual hard disk (VHD) image for upload
to Azure, including how to create virtual machines (VMs) and install software on them.
These instructions are for an Azure Virtual Desktop-specific configuration that can be
used with your organization's existing processes.

Important

We recommend you use an image from the Azure Compute Gallery or the Azure portal. However, if you do need to use a customized image, make sure the Azure Virtual Desktop Agent isn't already installed on the VM. If it is, either follow the instructions in Step 1: Uninstall all agent, boot loader, and stack component programs to uninstall the Agent and all related components from the VM, or create a new image from a VM that never had the Agent installed. A customized image that still contains the Agent can't register its session hosts: the host pool registration token baked into the image will have expired, so user sessions won't be able to connect.
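The following script, added here as an example rather than taken from the article, checks a VM for leftover Azure Virtual Desktop agent components before you generalize and capture it. The RDAgentBootLoader service name, the HKLM\SOFTWARE\Microsoft\RDInfraAgent key, and the "Remote Desktop" display-name pattern are assumptions about how the agent installers register themselves; adjust them if your agent version differs.

```powershell
# Added example (not from the article): pre-capture check for leftover AVD agent
# components. Assumed identifiers: Uninstall display names starting with
# "Remote Desktop" and containing "Agent" or "SxS Network Stack", the
# RDAgentBootLoader service, and the HKLM\SOFTWARE\Microsoft\RDInfraAgent key.
function Test-AvdAgentAbsent {
    [CmdletBinding()]
    param()

    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Installed programs, from both the 64-bit and 32-bit uninstall hives
    $uninstall = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $uninstall -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Remote Desktop*' -and $_.DisplayName -match 'Agent|SxS Network Stack' } |
        ForEach-Object { $findings.Add("Installed program: $($_.DisplayName) $($_.DisplayVersion)") }

    # 2. The boot loader service the agent installer registers (assumed name)
    $svc = Get-Service -Name 'RDAgentBootLoader' -ErrorAction SilentlyContinue
    if ($svc) { $findings.Add("Service present: RDAgentBootLoader ($($svc.Status))") }

    # 3. Registration state from a previous host pool join (assumed key); a token
    #    captured here would already be expired by the time new hosts are built
    $agentKey = 'HKLM:\SOFTWARE\Microsoft\RDInfraAgent'
    if (Test-Path -Path $agentKey) { $findings.Add("Registry key present: $agentKey") }

    if ($findings.Count -eq 0) {
        Write-Verbose 'No Azure Virtual Desktop agent components found; the image is clean.'
        return $true
    }
    foreach ($f in $findings) { Write-Warning $f }
    return $false
}

# Usage: abort the build before sysprep if anything was found
if (-not (Test-AvdAgentAbsent -Verbose)) {
    throw 'Uninstall the Azure Virtual Desktop agent, boot loader, and stack components before generalizing this image.'
}
```

Run it from an elevated PowerShell session on the build VM immediately before sysprep; a clean result means none of the three traces is present.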

Create a VM
Windows 10 Enterprise multi-session is available in the Azure Compute Gallery or the
Azure portal. There are two options for customizing this image.

The first option is to provision a virtual machine (VM) in Azure by following the
instructions in Create a VM from a managed image, and then skip ahead to Software
preparation and installation.

The second option is to create the image locally by downloading the image,
provisioning a Hyper-V VM, and customizing it to suit your needs, which we cover in the
following section.

Local image creation

You can download an image by following the instructions in Export an image version to a managed disk and then Download a Windows VHD from Azure. Once you've downloaded the image to a local location, open Hyper-V Manager to create a VM with the VHD you copied. The following instructions are a simple version, but you can find more detailed instructions in Create a virtual machine in Hyper-V.

To create a VM with the copied VHD:

1. Open the New Virtual Machine Wizard.

2. On the Specify Generation page, select Generation 1.

3. Under Checkpoint Type, disable checkpoints by unchecking the check box.

You can also run the following cmdlet in PowerShell to disable checkpoints.

PowerShell

Set-VM -Name <VMNAME> -CheckpointType Disabled

Fixed disk
If you create a VM from an existing VHD, it creates a dynamic disk by default. It can be changed to a fixed disk by selecting Edit Disk... as shown in the following image. For more detailed instructions, see Prepare a Windows VHD or VHDX to upload to Azure. You can also run the following PowerShell command to change the disk to a fixed disk.

PowerShell

Convert-VHD -Path c:\test\MY-VM.vhdx -DestinationPath c:\test\MY-NEW-VM.vhd -VHDType Fixed
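As an added example (not part of the original article), the following script performs the Hyper-V steps above end to end: in its Create phase it builds the Generation 1 VM from the copied VHD with checkpoints disabled; in its Export phase, after you've customized and shut the VM down, it converts the disk to a fixed-size VHD and checks the properties Azure requires. The VM name, paths, memory size, and switch name are placeholders; the phase parameter and the size check are this example's own.

```powershell
# Added example (not from the article): Hyper-V build VM + Azure-ready fixed VHD.
# All names and paths are placeholders.
#Requires -Modules Hyper-V
param(
    [ValidateSet('Create', 'Export')] [string] $Phase = 'Create',
    [string] $VMName     = 'avd-image-build',
    [string] $SourceVhd  = 'C:\images\win10-multisession.vhd',       # VHD downloaded from Azure
    [string] $FixedVhd   = 'C:\images\win10-multisession-fixed.vhd',
    [string] $SwitchName = 'Default Switch'
)
$ErrorActionPreference = 'Stop'

function New-ImageBuildVm {
    # Generation 1 VM attached to the copied VHD, with checkpoints disabled
    param([string] $Name, [string] $VhdPath, [string] $Switch)
    $vm = New-VM -Name $Name -Generation 1 -MemoryStartupBytes 8GB -VHDPath $VhdPath -SwitchName $Switch
    Set-VM -VM $vm -CheckpointType Disabled
    return Get-VM -Name $Name
}

function Convert-ToAzureReadyVhd {
    # Azure needs a fixed-size .vhd (not .vhdx) whose virtual size is a whole number of MiB
    param([string] $Path, [string] $Destination)
    Convert-VHD -Path $Path -DestinationPath $Destination -VHDType Fixed

    $disk = Get-VHD -Path $Destination
    if ($disk.VhdFormat -ne 'VHD')   { throw "Expected VHD format, got $($disk.VhdFormat)" }
    if ($disk.VhdType   -ne 'Fixed') { throw "Expected Fixed type, got $($disk.VhdType)" }
    if (($disk.Size % 1MB) -ne 0) {
        # Grow to the next MiB boundary; an unaligned virtual size is rejected at upload
        $aligned = [long]([math]::Ceiling($disk.Size / 1MB) * 1MB)
        Resize-VHD -Path $Destination -SizeBytes $aligned
    }
    Get-VHD -Path $Destination | Select-Object Path, VhdFormat, VhdType, @{ n = 'SizeMiB'; e = { $_.Size / 1MB } }
}

switch ($Phase) {
    'Create' {
        $vm = New-ImageBuildVm -Name $VMName -VhdPath $SourceVhd -Switch $SwitchName
        "Created $($vm.Name) (Generation $($vm.Generation), checkpoints: $($vm.CheckpointType)). Customize it, run sysprep /shutdown, then rerun with -Phase Export."
    }
    'Export' {
        # Never convert a disk that is still attached to a running VM
        if ((Get-VM -Name $VMName).State -ne 'Off') { throw "Shut down $VMName (sysprep /shutdown) before exporting its disk." }
        Convert-ToAzureReadyVhd -Path $SourceVhd -Destination $FixedVhd
    }
}
```

Run the script once with the default phase, work inside the VM, and run it again with -Phase Export; the object it returns in the Export phase is the evidence you want in a build log that the disk is fixed, VHD-formatted, and MiB-aligned.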

Software preparation and installation


This section covers how to prepare and install FSLogix and Windows Defender, as well as
some basic configuration options for apps and your image's registry.

If you're installing Microsoft 365 Apps for enterprise and OneDrive on your VM, go to
Install Office on a master VHD image and follow the instructions there to install the
apps. After you're done, return to this article.

If your users need to access certain LOB applications, we recommend you install them
after completing this section's instructions.

Set up FSLogix profile container


To include the FSLogix container as part of the image, follow the instructions in Create a
profile container for a host pool using a file share. You can test the functionality of the
FSLogix container with this quickstart.

Configure antivirus exclusions for FSLogix


If Windows Defender is configured in the VM, make sure it's configured to not scan the
entire contents of VHD and VHDX files during attachment. You can find a list of
exclusions for FSLogix at Configure Antivirus file and folder exclusions.

This configuration only removes scanning of VHD and VHDX files during attachment,
but won't affect real-time scanning.

If you're using Windows Defender, you can learn more about how to configure Windows
Defender to exclude certain files from scanning at Configure and validate exclusions
based on file extension and folder location.
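The following added example (it isn't from the article) applies a subset of the FSLogix exclusions to Microsoft Defender with the Defender module's Add-MpPreference and verifies the result with Get-MpPreference. The profile share path is a placeholder and the list is deliberately partial: take the complete, current list from Configure Antivirus file and folder exclusions. Because every exclusion is a gap in real-time protection, the check also flags entries that are broader than a specific file or an extension pattern.

```powershell
# Added example (not from the article): FSLogix exclusions for Microsoft Defender.
# The share path is a placeholder; the list is a subset of the FSLogix guidance.
$ProfileShare = '\\storageaccount.file.core.windows.net\profiles'

# Keep exclusions as narrow as possible: exact driver/binary paths and
# extension patterns, never whole directories.
$pathExclusions = @(
    '%ProgramFiles%\FSLogix\Apps\frxdrv.sys',
    '%ProgramFiles%\FSLogix\Apps\frxdrvvt.sys',
    '%ProgramFiles%\FSLogix\Apps\frxccd.sys',
    '%TEMP%\*.VHD', '%TEMP%\*.VHDX',
    '%Windir%\TEMP\*.VHD', '%Windir%\TEMP\*.VHDX',
    "$ProfileShare\*.VHD", "$ProfileShare\*.VHDX"
)
$processExclusions = @(
    '%ProgramFiles%\FSLogix\Apps\frxccd.exe',
    '%ProgramFiles%\FSLogix\Apps\frxccds.exe',
    '%ProgramFiles%\FSLogix\Apps\frxsvc.exe'
)

Add-MpPreference -ExclusionPath $pathExclusions
Add-MpPreference -ExclusionProcess $processExclusions

function Test-DefenderExclusions {
    # Confirms every intended exclusion is present and flags anything broader
    # than a file or extension pattern (heuristic: no extension and no wildcard)
    $pref = Get-MpPreference
    $missing = @($pathExclusions    | Where-Object { $_ -notin $pref.ExclusionPath }) +
               @($processExclusions | Where-Object { $_ -notin $pref.ExclusionProcess })
    $broad = @($pref.ExclusionPath | Where-Object {
        $_ -eq '*' -or ($_ -notmatch '\.[A-Za-z0-9]+$' -and $_ -notmatch '\*')
    })
    [pscustomobject]@{ Missing = $missing; OverlyBroad = $broad; Passed = ($missing.Count -eq 0) }
}
Test-DefenderExclusions | Format-List
```

OverlyBroad lists exclusions already on the host that cover a whole directory; review each one, since an attacker who can write into an excluded directory gets a scan-free staging area.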

Disable Automatic Updates

To disable Automatic Updates via local Group Policy:

1. Open Local Group Policy Editor and go to Administrative Templates\Windows Components\Windows Update.
2. Right-click Configure Automatic Updates and set it to Disabled.

You can also run the following commands from an elevated PowerShell prompt to disable Automatic Updates. The AU policy key doesn't exist on a fresh image, so create it before writing the value:

PowerShell

New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" -Force | Out-Null
New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" -Name NoAutoUpdate -PropertyType DWORD -Value 1 -Force

Specify Start layout for Windows 10 PCs (optional)


Run the following command from an elevated PowerShell prompt to specify a Start
layout for Windows 10 PCs.

PowerShell

New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" -Name SpecialRoamingOverrideAllowed -PropertyType DWORD -Value 1 -Force

Set up time zone redirection


Time zone redirection can be enforced on Group Policy level since all VMs in a host pool
are part of the same security group.
To redirect time zones:

1. On the Active Directory server, open the Group Policy Management Console.
2. Expand your domain and Group Policy Objects.
3. Right-click the Group Policy Object that you created for the group policy settings
and select Edit.
4. In the Group Policy Management Editor, navigate to Computer Configuration >
Policies > Administrative Templates > Windows Components > Remote Desktop
Services > Remote Desktop Session Host > Device and Resource Redirection.
5. Enable the Allow time zone redirection setting.

You can also run the following command from an elevated PowerShell prompt to
redirect time zones:

PowerShell

New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" -Name fEnableTimeZoneRedirection -PropertyType DWORD -Value 1 -Force

Disable Storage Sense


For Azure Virtual Desktop session hosts that use Windows 10 Enterprise or Windows 10
Enterprise multi-session, we recommend disabling Storage Sense. Disks where the
operating system is installed are typically small in size and user data is stored remotely
through profile roaming. This scenario results in Storage Sense believing that the disk is
critically low on free space. You can disable Storage Sense in the image using the
registry, or use Group Policy or Intune to disable Storage Sense after the session hosts
are deployed.

For the registry, you can run the following command from an elevated PowerShell
prompt to disable Storage Sense:

PowerShell

New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\StorageSense\Parameters\StoragePolicy" -Name 01 -PropertyType DWORD -Value 0 -Force

For Group Policy, configure a Group Policy Object with the setting Computer
Configuration > Administrative Templates > System > Storage Sense > Allow
Storage Sense set to Disabled.
For Intune, configure a configuration profile using the settings catalog with the
setting Storage > Allow Storage Sense Global set to Block.

Include additional language support


This article doesn't cover how to configure language and regional support. For more
information, see the following articles:

Add languages to Windows images
Features on demand
Language and region features on demand (FOD)

Other applications and registry configuration


This section covers application and operating system configuration. All configuration in
this section is done through adding, changing, or removing registry entries.

For Feedback Hub collection of telemetry data on Windows 10 Enterprise multi-session, run the following command from an elevated PowerShell prompt. The value 3 sets the diagnostic data level to Full:

PowerShell

New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection" -Name AllowTelemetry -PropertyType DWORD -Value 3 -Force

To prevent Watson crashes, run the following command from an elevated PowerShell
prompt:

PowerShell

Remove-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting" -Name Corporate* -Force -Verbose

To enable 5K resolution support, run the following commands from an elevated PowerShell prompt. You must run the commands before you can enable the side-by-side stack.

PowerShell

New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" -Name MaxMonitors -PropertyType DWORD -Value 4 -Force
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" -Name MaxXResolution -PropertyType DWORD -Value 5120 -Force
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" -Name MaxYResolution -PropertyType DWORD -Value 2880 -Force
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\rdp-sxs" -Name MaxMonitors -PropertyType DWORD -Value 4 -Force
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\rdp-sxs" -Name MaxXResolution -PropertyType DWORD -Value 5120 -Force
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\rdp-sxs" -Name MaxYResolution -PropertyType DWORD -Value 2880 -Force
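The sections from Disable Automatic Updates through the 5K resolution settings all write registry values with New-ItemProperty, which fails when the parent key is missing (on a fresh image, the Policies\...\WindowsUpdate\AU key typically is). The following script, added here as an example rather than taken from the article, applies the same settings through a helper that creates the key path first and then reads every value back. The helper and report functions are this example's own; the paths and value names are the article's.

```powershell
# Added example (not from the article): apply the image registry settings from
# the preceding sections idempotently and read them back.
function Set-ImageRegistryValue {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] $Value,
        [ValidateSet('DWord', 'String')] [string] $Type = 'DWord'
    )
    # New-ItemProperty fails if the key path is missing, so create it first
    if (-not (Test-Path -Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    # -Force overwrites an existing value of the same name, so reruns are safe
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

$settings = @(
    # Windows Update: no automatic updates on session hosts; patch the image instead
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'; Name = 'NoAutoUpdate'; Value = 1 }
    # Start layout override (optional)
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer'; Name = 'SpecialRoamingOverrideAllowed'; Value = 1 }
    # Time zone redirection from the client
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'; Name = 'fEnableTimeZoneRedirection'; Value = 1 }
    # Storage Sense off: small OS disk, profiles live in FSLogix containers
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\StorageSense\Parameters\StoragePolicy'; Name = '01'; Value = 0 }
    # Diagnostic data level: 3 = Full. Lower it if your data-handling policy requires less
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'; Name = 'AllowTelemetry'; Value = 3 }
)
# 5K / multi-monitor limits on the default and side-by-side RDP listeners. The
# rdp-sxs key is created if the side-by-side stack hasn't created it yet, which
# matches the article's "run before enabling the side-by-side stack" ordering.
$winStations = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations'
foreach ($listener in 'RDP-Tcp', 'rdp-sxs') {
    $settings += @{ Path = "$winStations\$listener"; Name = 'MaxMonitors';    Value = 4 }
    $settings += @{ Path = "$winStations\$listener"; Name = 'MaxXResolution'; Value = 5120 }
    $settings += @{ Path = "$winStations\$listener"; Name = 'MaxYResolution'; Value = 2880 }
}

foreach ($s in $settings) { Set-ImageRegistryValue @s }

# Remove the corporate Windows Error Reporting overrides, as the article does
Remove-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting' -Name 'Corporate*' -Force -ErrorAction SilentlyContinue

function Get-ImageRegistryReport {
    # Reads each expected value back so the build log records the effective state
    param([hashtable[]] $Expected)
    foreach ($e in $Expected) {
        $actual = (Get-ItemProperty -Path $e.Path -Name $e.Name -ErrorAction SilentlyContinue).($e.Name)
        [pscustomobject]@{ Path = $e.Path; Name = $e.Name; Expected = $e.Value; Actual = $actual; Ok = ($actual -eq $e.Value) }
    }
}
Get-ImageRegistryReport -Expected $settings | Format-Table -AutoSize
```

Any row with Ok set to False means a value didn't land; the usual causes are a 32-bit PowerShell host writing the WOW6432Node view or a policy from Intune or Group Policy re-applying over the image setting after deployment.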

Prepare the image for upload to Azure


After you've finished configuration and installed all applications, follow the instructions
in Prepare a Windows VHD or VHDX to upload to Azure to prepare the image.

After preparing the image for upload, make sure the VM remains in the off or
deallocated state.

Upload master image to a storage account in Azure
This section only applies when the master image was created locally.

The following instructions will tell you how to upload your master image into an Azure storage account. If you don't already have an Azure storage account, follow the instructions in this article to create one.

1. Convert the VM image (VHD) to Fixed if you haven't already. If you don't convert the image to Fixed, you can't successfully create the image.

2. Upload the VHD to a blob container in your storage account. You can upload quickly with the Storage Explorer tool. To learn more about the Storage Explorer tool, see this article.

3. Next, go to the Azure portal in your browser and search for "Images." Your search should lead you to the Create image page, as shown in the following screenshot:

4. Once you've created the image, you should see a notification like the one in the following screenshot:

Next steps
Now that you have an image, you can create or update host pools. To learn more about
how to create and update host pools, see the following articles:

Create a host pool with an Azure Resource Manager template
Tutorial: Create a host pool with Azure Marketplace
Create a host pool with PowerShell
Create a profile container for a host pool using a file share
Configure the Azure Virtual Desktop load-balancing method

If you encountered a connectivity problem after preparing or customizing your VHD image, check out the troubleshooting guide for help.
Install Office on a custom VHD image
Article • 05/09/2024

This article tells you how to install Microsoft 365 Apps for enterprise, OneDrive, and
other common applications on a custom virtual hard disk (VHD) image for upload to
Azure. If your users need to access certain line of business (LOB) applications, we
recommend you install them after completing the instructions in this article.

This article assumes you've already created a virtual machine (VM). If not, see Prepare and customize a custom VHD image.

This article also assumes you have elevated access on the VM, whether it's provisioned in Azure or Hyper-V Manager. If not, see Elevate access to manage all Azure subscription and management groups.

Note

These instructions are for an Azure Virtual Desktop-specific configuration that can be used with your organization's existing processes. Consider using our Windows Enterprise multi-session images with Microsoft 365 Apps pre-installed, which are available to select when deploying a host pool, or find them in the Azure Marketplace.

Install Office in shared computer activation mode
Shared computer activation lets you deploy Microsoft 365 Apps for enterprise to a computer in your organization that is accessed by multiple users. For more information about shared computer activation, see Overview of shared computer activation for Microsoft 365 Apps.

Use the Office Deployment Tool to install Office. Windows 10 Enterprise multi-session and Windows 11 Enterprise multi-session only support the following versions of Office:

Microsoft 365 Apps for enterprise
Microsoft 365 Apps for business that comes with a Microsoft 365 Business Premium subscription

The Office Deployment Tool requires a configuration XML file. To customize the
following sample, see the Configuration Options for the Office Deployment Tool.
This sample configuration XML we've provided will do the following things:

Install Office from the Monthly Enterprise Channel and deliver updates from the
Monthly Enterprise Channel.
Use the x64 architecture.
Disable automatic updates. Updates should be added to a custom image for your
session hosts and redeployed regularly, or installed manually when no end users
are signed in to a session host to avoid Office applications being in use.
Remove any existing installations of Office and migrate their settings.
Enable shared computer activation.

Note

Visio's stencil search feature may not work as expected in Azure Virtual Desktop.

This sample configuration XML won't install OneDrive in per-user mode. To learn more, see Install OneDrive in per-machine mode.

Note

Shared Computer Activation can be set up through Group Policy Objects (GPOs) or registry settings. The GPO is located at Computer Configuration\Policies\Administrative Templates\Microsoft Office 2016 (Machine)\Licensing Settings.

The Office Deployment Tool contains setup.exe. To install Office, run the following
command in a command line:

Windows Command Prompt

Setup.exe /configure configuration.xml

Sample configuration.xml
The following XML sample will install the Monthly Enterprise Channel release.

XML

<Configuration>
  <Add OfficeClientEdition="64" Channel="MonthlyEnterprise">
    <Product ID="O365ProPlusRetail">
      <Language ID="en-US" />
      <Language ID="MatchOS" />
      <ExcludeApp ID="Groove" />
      <ExcludeApp ID="Lync" />
      <ExcludeApp ID="OneDrive" />
      <ExcludeApp ID="Teams" />
    </Product>
  </Add>
  <RemoveMSI/>
  <Updates Enabled="FALSE"/>
  <Display Level="None" AcceptEULA="TRUE" />
  <Logging Level="Standard" Path="%temp%\WVDOfficeInstall" />
  <Property Name="FORCEAPPSHUTDOWN" Value="TRUE"/>
  <Property Name="SharedComputerLicensing" Value="1"/>
</Configuration>

Note

The Office team recommends using a 64-bit install for the OfficeClientEdition parameter.
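An added example, not from the article: a pre-flight check that parses an ODT configuration.xml and confirms the settings a multi-session image needs (shared computer activation, 64-bit edition, updates disabled, existing MSI Office removed, OneDrive excluded, a supported product ID). The element and attribute names are the ODT's own; the function, its check names, and the supported-ID list (O365ProPlusRetail for Apps for enterprise, O365BusinessRetail for Apps for business) are this example's.

```powershell
# Added example (not from the article): lint an ODT configuration.xml for a
# multi-session image before running Setup.exe /configure.
function Test-OdtConfigForMultiSession {
    param([Parameter(Mandatory)] [string] $Path)

    $doc = [xml](Get-Content -Path $Path -Raw)
    $add = $doc.SelectSingleNode('/Configuration/Add')
    if (-not $add) { throw "No <Add> element in $Path" }

    # Attributes are read with GetAttribute so an attribute called "Name" can't be
    # confused with the XmlElement.Name property
    $products = @($doc.SelectNodes('/Configuration/Add/Product') | ForEach-Object { $_.GetAttribute('ID') })
    $excluded = @($doc.SelectNodes('/Configuration/Add/Product/ExcludeApp') | ForEach-Object { $_.GetAttribute('ID') })
    $props = @{}
    foreach ($p in $doc.SelectNodes('/Configuration/Property')) { $props[$p.GetAttribute('Name')] = $p.GetAttribute('Value') }
    $updates = $doc.SelectSingleNode('/Configuration/Updates')

    # Product IDs the multi-session editions support (Apps for enterprise / for business)
    $supported = 'O365ProPlusRetail', 'O365BusinessRetail'

    $checks = [ordered]@{
        'Shared computer activation enabled'        = ($props['SharedComputerLicensing'] -eq '1')
        '64-bit edition'                            = ($add.GetAttribute('OfficeClientEdition') -eq '64')
        'Automatic updates disabled'                = ($null -ne $updates -and $updates.GetAttribute('Enabled') -eq 'FALSE')
        'Existing MSI Office removed'               = ($null -ne $doc.SelectSingleNode('/Configuration/RemoveMSI'))
        'OneDrive excluded (installed per-machine)' = ($excluded -contains 'OneDrive')
        'Only supported product IDs'                = ($products.Count -gt 0 -and -not ($products | Where-Object { $_ -notin $supported }))
    }
    $failed = @($checks.Keys | Where-Object { -not $checks[$_] })
    [pscustomobject]@{ Path = $Path; Passed = ($failed.Count -eq 0); Failed = $failed }
}

# Usage: stop the image build when the configuration isn't suitable
$result = Test-OdtConfigForMultiSession -Path '.\configuration.xml'
if (-not $result.Passed) { throw "configuration.xml failed checks: $($result.Failed -join '; ')" }
$result
```

Run against the sample above, every check passes; drop the SharedComputerLicensing property or set Updates Enabled="TRUE" and the throw names the failed check, which is the point of running it before Setup.exe rather than discovering an activation or update problem on live session hosts.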

After installing Office, you can update the default Office behavior. Run the following
commands individually or in a batch file to update the behavior.

Windows Command Prompt

rem Mount the default user registry hive
reg load HKU\TempDefault C:\Users\Default\NTUSER.DAT
rem Disable the option for Office Insider under File > Account.
rem Must be executed with default registry hive mounted.
reg add HKU\TempDefault\SOFTWARE\Policies\Microsoft\office\16.0\common /v InsiderSlabBehavior /t REG_DWORD /d 2 /f
rem Set Outlook's Cached Exchange Mode behavior
rem Must be executed with default registry hive mounted.
reg add "HKU\TempDefault\software\policies\microsoft\office\16.0\outlook\cached mode" /v enable /t REG_DWORD /d 1 /f
reg add "HKU\TempDefault\software\policies\microsoft\office\16.0\outlook\cached mode" /v syncwindowsetting /t REG_DWORD /d 1 /f
reg add "HKU\TempDefault\software\policies\microsoft\office\16.0\outlook\cached mode" /v CalendarSyncWindowSetting /t REG_DWORD /d 1 /f
reg add "HKU\TempDefault\software\policies\microsoft\office\16.0\outlook\cached mode" /v CalendarSyncWindowSettingMonths /t REG_DWORD /d 1 /f
rem Unmount the default user registry hive
reg unload HKU\TempDefault

rem Set the Office Update UI behavior for updates.
reg add HKLM\SOFTWARE\Policies\Microsoft\office\16.0\common\officeupdate /v hideupdatenotifications /t REG_DWORD /d 1 /f
reg add HKLM\SOFTWARE\Policies\Microsoft\office\16.0\common\officeupdate /v hideenabledisableupdates /t REG_DWORD /d 1 /f

Install OneDrive in per-machine mode

OneDrive is normally installed per-user. On a multi-session host it should be installed per-machine, so that one installation serves every user who signs in instead of each user profile receiving its own copy.

Here's how to install OneDrive in per-machine mode:

1. First, create a location to stage the OneDrive installer. A local disk folder or UNC
path is fine.

2. Download OneDriveSetup.exe to your staged location.

3. If you installed Office with OneDrive by omitting <ExcludeApp ID="OneDrive" />, uninstall any existing OneDrive per-user installations from an elevated command prompt by running the following command:

Windows Command Prompt

"[staged location]\OneDriveSetup.exe" /uninstall

4. Run this command from an elevated command prompt to set the AllUsersInstall registry value:

Windows Command Prompt

REG ADD "HKLM\Software\Microsoft\OneDrive" /v "AllUsersInstall" /t REG_DWORD /d 1 /reg:64

5. Run this command to install OneDrive in per-machine mode:

Windows Command Prompt

"[staged location]\OneDriveSetup.exe" /allusers

6. Run this command to configure OneDrive to start at sign in for all users:

Windows Command Prompt

REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v OneDrive /t REG_SZ /d "C:\Program Files\Microsoft OneDrive\OneDrive.exe /background" /f

7. Enable Silently configure user account by running the following command.

Windows Command Prompt

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\OneDrive" /v "SilentAccountConfig" /t REG_DWORD /d 1 /f

8. Redirect and move Windows known folders to OneDrive by running the following command.

Windows Command Prompt

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\OneDrive" /v "KFMSilentOptIn" /t REG_SZ /d "<your-AzureAdTenantId>" /f
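Steps 1 through 8 above as one PowerShell script, added here as an example (not from the article). It takes the staged installer path and your tenant ID as parameters, validates the installer's Authenticode signature before running it from the staging location, and ends by reading the policy values back. The signature check, the [guid] validation of the tenant ID, and the quoting of the Run command path are this example's additions; the registry paths and value names are the article's.

```powershell
# Added example (not from the article): OneDrive per-machine install, steps 1-8.
# $StagedInstaller and $TenantId are parameters you supply; the [guid] type
# rejects a malformed tenant ID before it lands in the KFMSilentOptIn policy.
param(
    [Parameter(Mandatory)] [string] $StagedInstaller,   # e.g. C:\stage\OneDriveSetup.exe
    [Parameter(Mandatory)] [guid]   $TenantId
)
$ErrorActionPreference = 'Stop'

if (-not (Test-Path -Path $StagedInstaller)) { throw "Installer not found: $StagedInstaller" }

# Refuse to run an unsigned or tampered installer pulled from a staging share
$sig = Get-AuthenticodeSignature -FilePath $StagedInstaller
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft Corporation') {
    throw "Refusing to run $StagedInstaller (signature status: $($sig.Status))"
}

function Set-RegValue {
    # Creates the key path if needed, then writes (or overwrites) the value
    param([string] $Path, [string] $Name, $Value, [string] $Type = 'DWord')
    if (-not (Test-Path -Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

# Step 3: remove any per-user OneDrive left behind by an Office install that didn't exclude it
Start-Process -FilePath $StagedInstaller -ArgumentList '/uninstall' -Wait

# Step 4: AllUsersInstall in the 64-bit hive (64-bit PowerShell writes HKLM: there directly)
Set-RegValue -Path 'HKLM:\SOFTWARE\Microsoft\OneDrive' -Name 'AllUsersInstall' -Value 1

# Step 5: per-machine install, then confirm the machine-wide binary exists
Start-Process -FilePath $StagedInstaller -ArgumentList '/allusers' -Wait
$oneDriveExe = 'C:\Program Files\Microsoft OneDrive\OneDrive.exe'
if (-not (Test-Path -Path $oneDriveExe)) { throw "Per-machine OneDrive.exe not found at $oneDriveExe" }

# Step 6: start OneDrive at sign-in for all users (path quoted because it contains spaces)
Set-RegValue -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'OneDrive' -Value "`"$oneDriveExe`" /background" -Type 'String'

# Steps 7 and 8: silent account configuration and silent Known Folder Move into your tenant
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\OneDrive'
Set-RegValue -Path $policy -Name 'SilentAccountConfig' -Value 1
Set-RegValue -Path $policy -Name 'KFMSilentOptIn' -Value $TenantId.ToString() -Type 'String'

# Show the effective policy values for the build log
Get-ItemProperty -Path $policy | Select-Object SilentAccountConfig, KFMSilentOptIn
```

Run it from an elevated 64-bit PowerShell session: .\Install-OneDrivePerMachine.ps1 -StagedInstaller C:\stage\OneDriveSetup.exe -TenantId <your tenant ID>. The signature check matters because the staging location is often a writable share; anything that can replace OneDriveSetup.exe there would otherwise run as SYSTEM on every image build.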

Tip

You can configure OneDrive so that it will attempt to automatically sign-in when a
user connects to a session. For more information, see Silently configure user
accounts.

Microsoft Teams
To learn how to install Microsoft Teams, see Use Microsoft Teams on Azure Virtual Desktop. Azure Virtual Desktop doesn't support Skype for Business.

Next steps
Now that you've added Office to the image, you can continue to customize your custom
VHD image. See Prepare and customize a custom VHD image.
Add language packs to a Windows 10
multi-session image
Article • 04/24/2023

Users connect to Azure Virtual Desktop from anywhere, at any time. That's why it's important that they can choose the language their Windows 10 Enterprise multi-session image displays.

There are two ways you can accommodate the language needs of your users:

Build dedicated host pools with a customized image for each language.
Have users with different language and localization requirements in the same host
pool, but customize their images to ensure they can select whichever language
they need.

The latter method is a lot more efficient and cost-effective. However, it's up to you to
decide which method best suits your needs. This article will show you how to customize
languages for your images.

Prerequisites
You need the following things to customize your Windows 10 Enterprise multi-session
images to add multiple languages:

An Azure virtual machine (VM) with a supported version of Windows 10 Enterprise multi-session.

The Language ISO, Feature on Demand (FOD) Disk 1, and Inbox Apps ISO of the OS version the image uses. You can download them here:

Language ISO:
Windows 10 Language Pack ISO (version 2004 or later)

FOD Disk 1 ISO:
Windows 10 FOD Disk 1 ISO (version 2004 or later)

Inbox Apps ISO:
Windows 10 Inbox Apps ISO (version 21H1 or later)

If you use Local Experience Pack (LXP) ISO files to localize your images, you'll
also need to download the appropriate LXP ISO for the best language
experience. Use the information in Adding languages in Windows 10: Known
issues to figure out which of the following LXP ISOs is right for you:
Windows 10, version 2004 or later 01C 2021 LXP ISO
Windows 10, version 2004 or later 02C 2021 LXP ISO
Windows 10, version 2004 or later 04B 2021 LXP ISO
Windows 10, version 2004 or later 05C 2021 LXP ISO
Windows 10, version 2004 or later 07C 2021 LXP ISO
Windows 10, version 2004 or later 09C 2021 LXP ISO
Windows 10, version 2004 or later 10C 2021 LXP ISO
Windows 10, version 2004 or later 11C 2021 LXP ISO
Windows 10, version 2004 or later 01C 2022 LXP ISO
Windows 10, version 2004 or later 02C 2022 LXP ISO
Windows 10, version 2004 or later 04C 2022 LXP ISO
Windows 10, version 2004 or later 06C 2022 LXP ISO

An Azure Files Share or a file share on a Windows File Server Virtual Machine

Note

The file share (repository) must be accessible from the Azure VM you plan to use to
create the custom image.

Create a content repository for language packages and features on demand
To create the content repository for language packages and FODs and a repository for the Inbox Apps packages:

1. On an Azure VM, download the Windows 10 Multi-Language ISO, FODs, and Inbox Apps for Windows 10 Enterprise multi-session (version 1903/1909 and 2004 images) from the links in Prerequisites.

2. Open and mount the ISO files on the VM.

3. Go to the language pack ISO and copy the content from the LocalExperiencePacks
and x64\langpacks folders, then paste the content into the file share.

4. Go to the FOD ISO file, copy all of its content, then paste it into the file share.

5. Go to the amd64fre folder on the Inbox Apps ISO and copy the content into the repository for the inbox apps that you've prepared.

Note

If you're working with limited storage, only copy the files for the languages you know your users need. You can tell the files apart by looking at the language codes in their file names. For example, the French file has the code "fr-FR" in its name. For a complete list of language codes for all available languages, see Available language packs for Windows.

Important

Some languages require additional fonts included in satellite packages that follow different naming conventions. For example, Japanese font file names include "Jpan".

6. Set the permissions on the language content repository share so that you have
read access from the VM you'll use to build the custom image.
Create a custom Windows 10 Enterprise multi-
session image manually
To create a custom Windows 10 Enterprise multi-session image manually:

1. Deploy an Azure VM, then go to the Azure Gallery and select the current version of
Windows 10 Enterprise multi-session you're using.

2. After you've deployed the VM, connect to it using RDP as a local admin.

3. Make sure your VM has all the latest Windows Updates. Download the updates
and restart the VM, if necessary.

Important

After you install a language pack, you have to reinstall the latest cumulative
update that is installed on your image. If you do not reinstall the latest
cumulative update, you may encounter errors. If the latest cumulative update
is already installed, Windows Update does not offer it again; you have to
manually reinstall it. For more information, see Languages overview.

4. Connect to the language package, FOD, and Inbox Apps file share repository and
mount it to a letter drive (for example, drive E).

Create a custom Windows 10 Enterprise multi-session image automatically
If you'd rather install languages through an automated process, you can set up a script
in PowerShell. You can use the following script sample to install the Spanish (Spain),
French (France), and Chinese (PRC) language packs and satellite packages for Windows
10 Enterprise multi-session, version 2004. The script integrates the language interface
pack and all necessary satellite packages into the image. However, you can also modify
this script to install other languages. Just make sure to run the script from an elevated
PowerShell session, or else it won't work.

PowerShell

########################################################
## Add Languages to running Windows Image for Capture ##
########################################################

##Disable Language Pack Cleanup##
Disable-ScheduledTask -TaskPath "\Microsoft\Windows\AppxDeploymentClient\" -TaskName "Pre-staged app cleanup"

##Set Language Pack Content Stores##
[string]$LIPContent = "E:"

##Language features and localized Features on Demand that every language gets##
$LanguageFeatures = "Basic", "Handwriting", "OCR", "Speech", "TextToSpeech"
$LocalizedFods = "NetFx3-OnDemand-Package", "InternetExplorer-Optional-Package", "MSPaint-FoD-Package", "Notepad-FoD-Package", "PowerShell-ISE-FOD-Package", "Printing-WFS-FoD-Package", "StepsRecorder-Package", "WordPad-FoD-Package"

##Languages to add, each with any font satellite packages it needs (Chinese (PRC) needs the Hans fonts)##
$Languages = @{
    "es-es" = @()
    "fr-fr" = @()
    "zh-cn" = @("Microsoft-Windows-LanguageFeatures-Fonts-Hans-Package~31bf3856ad364e35~amd64~~.cab")
}

foreach ($Lang in $Languages.Keys) {
    ##Local Experience Pack (appx) and its license##
    Add-AppxProvisionedPackage -Online -PackagePath "$LIPContent\$Lang\LanguageExperiencePack.$Lang.Neutral.appx" -LicensePath "$LIPContent\$Lang\License.xml"
    ##Language pack##
    Add-WindowsPackage -Online -PackagePath "$LIPContent\Microsoft-Windows-Client-Language-Pack_x64_$Lang.cab"
    ##Language features: basic, handwriting, OCR, speech, text-to-speech##
    foreach ($Feature in $LanguageFeatures) {
        Add-WindowsPackage -Online -PackagePath "$LIPContent\Microsoft-Windows-LanguageFeatures-$Feature-$Lang-Package~31bf3856ad364e35~amd64~~.cab"
    }
    ##Font satellite packages, where the language needs them##
    foreach ($Satellite in $Languages[$Lang]) {
        Add-WindowsPackage -Online -PackagePath "$LIPContent\$Satellite"
    }
    ##Localized Features on Demand##
    foreach ($Fod in $LocalizedFods) {
        Add-WindowsPackage -Online -PackagePath "$LIPContent\Microsoft-Windows-$Fod~31bf3856ad364e35~amd64~$Lang~.cab"
    }
    ##Add the language to the user language list##
    $LanguageList = Get-WinUserLanguageList
    $LanguageList.Add($Lang)
    Set-WinUserLanguageList $LanguageList -Force
}

The script might take a while depending on the number of languages you need to
install.

Once the script is finished running, check to make sure the language packs installed
correctly by going to Start > Settings > Time & Language > Language. If the language
files are there, you're all set.

After you've added additional languages to the Windows image, the inbox apps must also be updated to support the added languages. You can do this by refreshing the pre-installed apps with the content from the inbox apps ISO. To perform this refresh in an environment where the VM doesn't have internet access, you can use the following PowerShell script template to automate the process and update only the installed versions of inbox apps.

PowerShell

#########################################
## Update Inbox Apps for Multi Language##
#########################################
##Set Inbox App Package Content Stores##
[string] $AppsContent = "F:\"

##Update installed Inbox Store Apps##
foreach ($App in (Get-AppxProvisionedPackage -Online)) {
    $AppPath = $AppsContent + $App.DisplayName + '_' + $App.PublisherId
    Write-Host "Handling $AppPath"
    # Apps with no matching package on the ISO are skipped instead of raising errors
    $licFile = Get-Item "$AppPath*.xml" -ErrorAction SilentlyContinue
    if ($licFile.Count) {
        $lic = $true
        $licFilePath = $licFile.FullName
    } else {
        $lic = $false
    }
    $appxFile = Get-Item "$AppPath*.appx*" -ErrorAction SilentlyContinue
    if ($appxFile.Count) {
        $appxFilePath = $appxFile.FullName
        if ($lic) {
            Add-AppxProvisionedPackage -Online -PackagePath $appxFilePath -LicensePath $licFilePath
        } else {
            Add-AppxProvisionedPackage -Online -PackagePath $appxFilePath -SkipLicense
        }
    }
}

Important

The inbox apps included in the ISO aren't the latest versions of the pre-installed
Windows apps. To get the latest version of all apps, you need to update the apps
using the Windows Store app and perform a manual search for updates after
you've installed the additional languages.

When you're done, make sure to disconnect the share.

Finish customizing your image


After you've installed the language packs, you can install any other software you want to
add to your customized image.

Once you're finished customizing your image, you'll need to run the system preparation
tool (sysprep).

To run sysprep:

1. Open an elevated command prompt and run the following command to generalize
the image:

Windows Command Prompt

C:\Windows\System32\Sysprep\sysprep.exe /oobe /generalize /shutdown

2. Stop the VM, then capture it in a managed image by following the instructions in
Create a managed image of a generalized VM in Azure.

3. You can now use the customized image to deploy an Azure Virtual Desktop host
pool. To learn how to deploy a host pool, see Tutorial: Create a host pool with the
Azure portal.

Enable languages in Windows settings app


Finally, after you deploy the host pool, you'll need to add the language to each user's
language list so they can select their preferred language in the Settings menu.
To ensure your users can select the languages you installed, sign in as the user, then run
the following PowerShell cmdlet to add the installed language packs to the Languages
menu. You can also set up this script as an automated task or logon script that activates
when the user signs in to their session.

PowerShell

$LanguageList = Get-WinUserLanguageList
$LanguageList.Add("es-es")
$LanguageList.Add("fr-fr")
$LanguageList.Add("zh-cn")
Set-WinUserLanguageList $LanguageList -force

After a user changes their language settings, they'll need to sign out of their Azure
Virtual Desktop session and sign in again for the changes to take effect.
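The cmdlet above hard-codes the language tags. When it runs as a logon script, a safer variant is to add only the languages that are actually installed on the session host and to skip tags the user already has, so the script is idempotent across logons. The following is an added example, not code from the original article; it assumes that installed UI language packs are listed as subkeys under HKLM\SYSTEM\CurrentControlSet\Control\MUI\UILanguages, which a standard user can read, so it does not need the elevation that the DISM cmdlets require.

```powershell
# Added example (not from the original article): logon script that adds every
# language pack installed in the image to the signed-in user's language list.
# Assumption: installed UI languages appear as one subkey per language tag under
# the MUI\UILanguages key; this is readable without elevation.
$uiLangKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\MUI\UILanguages'
$installed = Get-ChildItem -Path $uiLangKey -ErrorAction Stop |
    ForEach-Object { $_.PSChildName }

$languageList = Get-WinUserLanguageList
$current = $languageList | ForEach-Object { $_.LanguageTag }
$added = @()

foreach ($tag in $installed) {
    # Skip tags already in the list so the script is safe to run at every logon
    # (-contains is case-insensitive, so "es-ES" and "es-es" match).
    if ($current -contains $tag) { continue }
    $languageList.Add($tag)
    $added += $tag
}

if ($added.Count -gt 0) {
    # Only write the list back when something changed; the user still has to
    # sign out and back in for a new display language to take effect.
    Set-WinUserLanguageList -LanguageList $languageList -Force
    Write-Output "Added to user language list: $($added -join ', ')"
} else {
    Write-Output 'User language list already contains every installed language.'
}
```

Because it only adds languages that are present in the image, a pack that was never installed (for example after a failed image build) cannot end up as an unusable entry in the user's Settings menu.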

Next steps
If you're curious about known issues for language packs, see Adding language packs in
Windows 10, version 1803 and later versions: Known issues.

If you have any other questions about Windows 10 Enterprise multi-session, check out
our FAQ.
Add languages to a Windows 11
Enterprise image
Article • 09/20/2024

It's important to make sure users within your organization from all over the world can
use your Azure Virtual Desktop deployment. That's why you can customize the Windows
11 Enterprise image you use for your virtual machines (VMs) to have different language
packs. Starting with Windows 11, non-administrator user accounts can now add both
the display language and its corresponding language features. This feature means you
won't need to pre-install language packs for users in a personal host pool. For pooled
host pools, we still recommend you add the languages you plan to add to a custom
image. You can use the instructions in this article for both single-session and multi-
session versions of Windows 11 Enterprise.

When your organization includes users with multiple different languages, you have two
options:

Create one dedicated host pool with a customized image per language.
Have multiple users with different languages in the same host pool.

The second option is more efficient in terms of resources and cost, but requires a few
extra steps. Fortunately, this article will help walk you through how to build an image
that can accommodate users of all languages and localization needs.

Prerequisites
Before you can add languages to a Windows 11 Enterprise VM, you'll need to have the
following things ready:

An Azure VM with Windows 11 Enterprise installed

A Language and Optional Features ISO and Inbox Apps ISO of the OS version the
image uses. You can download them here:
Language and Optional Features ISO:
Windows 11, version 21H2 Language and Optional Features ISO
Windows 11, version 22H2 and 23H2 Language and Optional Features ISO
Windows 11, version 24H2 Language and Optional Features ISO
Inbox Apps ISO:
Windows 11, version 21H2 Inbox Apps ISO
Windows 11, version 22H2 and 23H2 Inbox Apps ISO
Windows 11, version 24H2 Inbox Apps ISO

An Azure Files share or a file share on a Windows File Server VM

Note

The file share repository must be accessible from the Azure VM that you're going
to use to create the custom image.

Create a content repository for language packages and features on demand
To create the content repository you'll use to add languages and features to your VM:

1. Open the VM you want to add languages to in Azure.

2. Open and mount the ISO file you downloaded in the Prerequisites section above
on the VM.

3. Create a folder on the file share.

4. Copy all content from the LanguagesAndOptionalFeatures folder in the ISO to the
folder you created.

Note

If you're working with limited storage, you can use the mounted "Languages
and Optional Features" ISO as a repository. To learn how to create a
repository, see Build a custom FOD and language pack repository.

Important

Some languages require additional fonts included in satellite packages that
follow different naming conventions. For example, Japanese font file names
include "Jpan."

5. Set the permissions on the language content repository share so that you have
read access from the VM you'll use to build the custom image.

Create a custom Windows 11 Enterprise image manually
You can create a custom image by following these steps:

1. Deploy an Azure VM, then go to the Azure Gallery and select the current version of
Windows 11 Enterprise you're using.

2. After you've deployed the VM, connect to it using RDP as a local admin.

3. Connect to the file share repository you created in Create a content repository for
language packages and features on demand and mount it to a letter drive (for
example, drive E).

4. Run the following PowerShell script from an elevated PowerShell session to install
language packs and satellite packages on Windows 11 Enterprise:
PowerShell

########################################################
## Add Languages to running Windows Image for Capture##
########################################################
##Disable Language Pack Cleanup##
Disable-ScheduledTask -TaskPath "\Microsoft\Windows\AppxDeploymentClient\" -TaskName "Pre-staged app cleanup"
Disable-ScheduledTask -TaskPath "\Microsoft\Windows\MUI\" -TaskName "LPRemove"
Disable-ScheduledTask -TaskPath "\Microsoft\Windows\LanguageComponentsInstaller" -TaskName "Uninstallation"
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Control Panel\International" /v "BlockCleanupOfUnusedPreinstalledLangPacks" /t REG_DWORD /d 1 /f

##Set Language Pack Content Stores##
$LIPContent = "E:"

##Set Path of CSV File##
$CSVFile = "Windows-10-1809-FOD-to-LP-Mapping-Table.csv"
$filePath = (Get-Location).Path + "\$CSVFile"

##Import Necessary CSV File##
$FODList = Import-Csv -Path $filePath -Delimiter ";"

##Set Language (Target)##
$targetLanguage = "es-es"

##Resolve the source language the target builds on (falls back to the target itself)##
$sourceLanguage = (($FODList | Where-Object {$_.'Target Lang' -eq $targetLanguage}) | Where-Object {$_.'Source Lang' -ne $targetLanguage} | Select-Object -Property 'Source Lang' -Unique).'Source Lang'
if(!($sourceLanguage)){
    $sourceLanguage = $targetLanguage
}

##Resolve the font group, if the language needs a satellite font package##
$langGroup = (($FODList | Where-Object {$_.'Target Lang' -eq $targetLanguage}) | Where-Object {$_.'Lang Group:' -ne ""} | Select-Object -Property 'Lang Group:' -Unique).'Lang Group:'

##List of additional features to be installed##
$additionalFODList = @(
    "$LIPContent\Microsoft-Windows-NetFx3-OnDemand-Package~31bf3856ad364e35~amd64~~.cab",
    "$LIPContent\Microsoft-Windows-MSPaint-FoD-Package~31bf3856ad364e35~amd64~$sourceLanguage~.cab",
    "$LIPContent\Microsoft-Windows-SnippingTool-FoD-Package~31bf3856ad364e35~amd64~$sourceLanguage~.cab",
    "$LIPContent\Microsoft-Windows-Lip-Language_x64_$sourceLanguage.cab" ##only if applicable##
)
$additionalCapabilityList = @(
    "Language.Basic~~~$sourceLanguage~0.0.1.0",
    "Language.Handwriting~~~$sourceLanguage~0.0.1.0",
    "Language.OCR~~~$sourceLanguage~0.0.1.0",
    "Language.Speech~~~$sourceLanguage~0.0.1.0",
    "Language.TextToSpeech~~~$sourceLanguage~0.0.1.0"
)

##Install all FODs or fonts from the CSV file###
Dism /Online /Add-Package /PackagePath:$LIPContent\Microsoft-Windows-Client-Language-Pack_x64_$sourceLanguage.cab
Dism /Online /Add-Package /PackagePath:$LIPContent\Microsoft-Windows-Lip-Language-Pack_x64_$sourceLanguage.cab
foreach($capability in $additionalCapabilityList){
    Dism /Online /Add-Capability /CapabilityName:$capability /Source:$LIPContent
}

foreach($feature in $additionalFODList){
    Dism /Online /Add-Package /PackagePath:$feature
}

if($langGroup){
    Dism /Online /Add-Capability /CapabilityName:Language.Fonts.$langGroup~~~und-$langGroup~0.0.1.0
}

##Add installed language to language list##
$LanguageList = Get-WinUserLanguageList
$LanguageList.Add("$targetlanguage")
Set-WinUserLanguageList $LanguageList -force

Note

This example script uses the Spanish (es-es) language code. To automatically
install the appropriate files for a different language, change the
$targetLanguage parameter to the correct language code. For a list of
language codes, see Available language packs for Windows.

The script might take a while to finish depending on the number of languages you
need to install. You can also install additional languages after initial setup by
running the script again with a different $targetLanguage parameter.

5. To automatically select the appropriate installation files, download and save the
Available Windows 10 1809 Languages and Features on Demand table as a CSV
file, then save it in the same folder as your PowerShell script.
6. Once the script is finished running, check to make sure the language packs
installed correctly by going to Start > Settings > Time & Language > Language. If
the language files are there, you're all set.

7. Finally, if the VM is connected to the Internet while installing languages, you'll
need to run a cleanup process to remove any unnecessary language experience
packs. To clean up the files, run these commands:

PowerShell

##Cleanup to prepare sysprep##
Remove-AppxPackage -Package Microsoft.LanguageExperiencePackes-ES_22000.8.13.0_neutral__8wekyb3d8bbwe

Remove-AppxPackage -Package Microsoft.OneDriveSync_22000.8.13.0_neutral__8wekyb3d8bbwe

To clean up different language packs, replace "es-ES" with a different language
code.

8. Once you're done with cleanup, disconnect the share.
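The install script in step 4 hands each package path straight to DISM, so a cab that is missing from the share only surfaces as a DISM error part-way through, leaving a half-built image. The following added example (not part of the article) resolves the source language and font group from the same CSV columns the script uses ('Target Lang', 'Source Lang', 'Lang Group:'), for several target languages at once, and checks that every package the script would install exists on the share before anything is changed. The share path, the three CSV rows and the language tags are constructed for illustration; the package names are the ones the article's script builds.

```powershell
# Added example (not from the article): dry-run check of the language packages
# the install script needs, for a list of target languages. Nothing is installed.
# Assumptions: same CSV column names and ';' delimiter as the article's script;
# $LIPContent points at the mounted share; the sample rows below are constructed.
$LIPContent = 'E:'
$csvSample = @'
Target Lang;Source Lang;Lang Group:
es-es;es-es;
ca-es;es-es;
ja-jp;ja-jp;Jpan
'@
$FODList = $csvSample | ConvertFrom-Csv -Delimiter ';'
$targetLanguages = @('es-es', 'ca-es', 'ja-jp')

function Resolve-LanguagePlan {
    param([string]$TargetLanguage)
    $rows = $FODList | Where-Object { $_.'Target Lang' -eq $TargetLanguage }
    # Same lookup as the article's script: a language without its own full pack
    # (ca-es in the sample) is installed on top of a source language (es-es).
    $source = ($rows | Where-Object { $_.'Source Lang' -ne $TargetLanguage } |
        Select-Object -Property 'Source Lang' -Unique).'Source Lang'
    if (-not $source) { $source = $TargetLanguage }
    $group = ($rows | Where-Object { $_.'Lang Group:' -ne '' } |
        Select-Object -Property 'Lang Group:' -Unique).'Lang Group:'

    # Packages the script always adds for this language.
    $required = @(
        "$LIPContent\Microsoft-Windows-Client-Language-Pack_x64_$source.cab",
        "$LIPContent\Microsoft-Windows-NetFx3-OnDemand-Package~31bf3856ad364e35~amd64~~.cab",
        "$LIPContent\Microsoft-Windows-MSPaint-FoD-Package~31bf3856ad364e35~amd64~$source~.cab",
        "$LIPContent\Microsoft-Windows-SnippingTool-FoD-Package~31bf3856ad364e35~amd64~$source~.cab"
    )
    # The LIP packages are marked "only if applicable" in the script, so report
    # them separately instead of treating their absence as a failure.
    $optional = @(
        "$LIPContent\Microsoft-Windows-Lip-Language-Pack_x64_$source.cab",
        "$LIPContent\Microsoft-Windows-Lip-Language_x64_$source.cab"
    )
    [pscustomobject]@{
        Target          = $TargetLanguage
        Source          = $source
        FontCapability  = if ($group) { "Language.Fonts.$group~~~und-$group~0.0.1.0" } else { $null }
        MissingRequired = @($required | Where-Object { -not (Test-Path -LiteralPath $_) })
        MissingOptional = @($optional | Where-Object { -not (Test-Path -LiteralPath $_) })
    }
}

$plan = $targetLanguages | ForEach-Object { Resolve-LanguagePlan -TargetLanguage $_ }
foreach ($p in $plan) {
    $fonts = if ($p.FontCapability) { $p.FontCapability } else { 'none' }
    Write-Output "$($p.Target): source=$($p.Source) fonts=$fonts"
    $p.MissingRequired | ForEach-Object { Write-Output "  MISSING (required) $_" }
    $p.MissingOptional | ForEach-Object { Write-Output "  absent (optional)  $_" }
}
if ($plan | Where-Object { $_.MissingRequired.Count -gt 0 }) {
    Write-Warning 'Copy the missing required packages to the share before running the install script.'
}
```

Run it from the same folder as the CSV on the image-build VM after mounting the share; with the real mapping table, replace the constructed $csvSample with Import-Csv on the downloaded file from step 5 and it checks the same package set the script would install.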

Finish customizing your image


After you've installed the language packs, you can install any other software you want to
add to your customized image.

Once you're finished customizing your image, you'll need to run the system preparation
tool (sysprep).

To run sysprep:

1. Open an elevated command prompt and run the following command to generalize
the image:

Windows Command Prompt

C:\Windows\System32\Sysprep\sysprep.exe /oobe /generalize /shutdown

2. If you run into any issues, check the SetupErr.log file in your C drive at Windows >
System32 > Sysprep > Panther. After that, follow the instructions in Sysprep fails
with Microsoft Store apps to troubleshoot your setup.

3. If setup is successful, stop the VM, then capture it in a managed image by
following the instructions in Create a managed image of a generalized VM in
Azure.

4. You can now use the customized image to deploy an Azure Virtual Desktop host
pool. To learn how to deploy a host pool, see Tutorial: Create a host pool with the
Azure portal.

Note

When a user changes their display language, they'll need to sign out of their Azure
Virtual Desktop session, then sign back in. They must sign out from the Start menu.

Next steps
Learn how to install language packages for Windows 10 multi-session VMs at Add
language packs to a Windows 10 multi-session image.

For a list of known issues, see Adding languages in Windows 10: Known issues.



Add session hosts to a host pool
Article • 10/22/2024

Important

The following features are currently in preview:

Azure Virtual Desktop on Azure Stack HCI for Azure Government and for
Azure operated by 21Vianet (Azure in China).

Azure Virtual Desktop on Azure Extended Zones.

Managing session hosts using a session host configuration. This limited
preview is provided as-is, with all faults and as available, and is excluded
from the service-level agreements (SLAs) or any limited warranties Microsoft
provides for Azure services in general availability.

For legal terms that apply to Azure features that are in beta, in preview, or
otherwise not yet released into general availability, see Supplemental Terms of Use
for Microsoft Azure Previews.

After you create a host pool, a workspace, and an application group, you need to add
session hosts to the host pool for your users to connect to. You might also need to add
more session hosts for extra capacity.

When you add session hosts to a host pool, the method you use depends on your host
pool's management approach:

For a host pool using a session host configuration (preview), you use the Azure
portal to specify the number of session hosts you want to add, then Azure Virtual
Desktop automatically creates them based on the session host configuration.

For a host pool using standard management, you can create new virtual machines
(VMs) to use as session hosts and add them to a host pool natively by using the
Azure Virtual Desktop service in the Azure portal. Alternatively, you can create VMs
outside the Azure Virtual Desktop service, such as using an automated pipeline,
the Azure CLI, or Azure PowerShell, and then add them as session hosts to a host
pool separately.

For Azure Stack HCI, you can create new VMs to use as session hosts and add them
to a host pool natively by using the Azure Virtual Desktop service in the Azure
portal. If you want to create the VMs outside the Azure Virtual Desktop service,
follow the steps in Create Azure Arc virtual machines on Azure Stack HCI, and then
add the VMs as session hosts to a host pool separately.

Tip

Select a button at the top of this article to choose between host pools using
standard management or host pools using session host configuration to see the
relevant documentation.

This article shows you how to generate a registration key by using the Azure portal, the
Azure CLI, or Azure PowerShell. It also shows you how to add session hosts to a host
pool by using the Azure Virtual Desktop service or add them to a host pool separately.

Prerequisites
For a general idea of what's required, such as supported operating systems, virtual
networks, and identity providers, review the prerequisites for Azure Virtual Desktop. In
addition:

You need an existing host pool with standard management. Each host pool must
only contain session hosts on Azure or on Azure Stack HCI. You can't mix session
hosts on Azure and on Azure Stack HCI in the same host pool.

If you have existing session hosts in the host pool, make a note of the virtual
machine size, the image, and name prefix that you used. All session hosts in a host
pool should have the same configuration, including the same identity provider. For
example, a host pool shouldn't contain some session hosts joined to Microsoft
Entra ID and some session hosts joined to an Active Directory domain.

The Azure account you use must have the following built-in role-based access
control (RBAC) roles or equivalent as a minimum on the resource group:

Action: Generate a registration key for the host pool
RBAC role or roles: Desktop Virtualization Host Pool Contributor

Action: Create and add session hosts by using the Azure portal (Azure and Azure Extended Zones)
RBAC role or roles: Desktop Virtualization Host Pool Contributor; Virtual Machine Contributor

Action: Create and add session hosts by using the Azure portal (Azure Stack HCI)
RBAC role or roles: Desktop Virtualization Host Pool Contributor; Azure Stack HCI VM Contributor

Don't disable Windows Remote Management (WinRM) when you're creating and
adding session hosts by using the Azure portal. PowerShell DSC requires it.

To add session hosts on Azure Stack HCI, you also need:

An Azure Stack HCI cluster registered with Azure. Your Azure Stack HCI clusters
need to be running a minimum of version 23H2. For more information, see
About Azure Stack HCI, version 23H2 deployment. Azure Arc VM management
is installed automatically.

A stable connection to Azure from your on-premises network.

At least one Windows OS image available on the cluster. For more information,
see how to create VM images by using Azure Marketplace images, use images
in an Azure Storage account, and use images in a local share.

The Azure Connected Machine agent on Azure Stack HCI VMs created outside
the Azure Virtual Desktop service, such as with an automated pipeline. The
virtual machines use the agent to communicate with Azure Instance Metadata
Service, which is a required endpoint for Azure Virtual Desktop.

A logical network that you created on your Azure Stack HCI cluster. DHCP
logical networks or static logical networks with automatic IP allocation are
supported. For more information, see Create logical networks for Azure Stack
HCI.

To deploy session hosts to Azure Extended Zones, you also need:

Your Azure subscription registered with the respective Azure Extended Zone. For
more information, see Request access to an Azure Extended Zone.

An Azure load balancer with an outbound rule on the virtual network to which
you're deploying session hosts. You can use an existing load balancer or you
create a new one when adding session hosts.

If you want to use the Azure CLI or Azure PowerShell locally, see Use the Azure CLI
and Azure PowerShell with Azure Virtual Desktop to make sure you have the
desktopvirtualization Azure CLI extension or the Az.DesktopVirtualization Azure
PowerShell module installed. Alternatively, use Azure Cloud Shell.

Important

If you want to create Microsoft Entra joined session hosts, we only support this
using the AADLoginForWindows VM extension, which is added and configured
automatically when using the Azure portal or ARM template with the Azure Virtual
Desktop service.

Generate a registration key


When you add session hosts to a host pool, first you need to generate a registration key
for that host pool. A registration key authorizes session hosts to join the host pool. It's
valid only for the duration that you specify.

To generate a registration key, select the relevant tab for your scenario and follow the
steps.

Azure portal

Here's how to generate a registration key by using the Azure portal:

1. Sign in to the Azure portal.

2. On the search bar, enter Azure Virtual Desktop and select the matching
service entry.

3. Select Host pools, and then select the name of the host pool for which you
want to generate a registration key.

4. On the host pool overview, select Registration key.

5. Select Generate new key, enter an expiration date and time, and then select
OK. The registration key is created.

6. Select Download to download a text file that contains the newly created
registration key, or copy the registration key to your clipboard to use it later.
You can also retrieve the registration key later by returning to the host pool
overview.
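The portal steps above produce the same object that Azure PowerShell can create, which is the better fit for an automated pipeline. The following is an added example, not code from the article: it uses the Az.DesktopVirtualization module from the prerequisites to create a key that expires after a couple of hours, reads the token back for the session host installer without printing it, and revokes the key once registration is done rather than leaving it valid until expiry. The resource group and host pool names are placeholders.

```powershell
# Added example (not from the article): short-lived registration key lifecycle
# with Az PowerShell. Requires Az.DesktopVirtualization and an account holding
# Desktop Virtualization Host Pool Contributor on the resource group.
$resourceGroup = 'rg-avd-placeholder'   # placeholder
$hostPool      = 'hp01-placeholder'     # placeholder

function New-ShortLivedRegistrationKey {
    param(
        [string]$ResourceGroupName,
        [string]$HostPoolName,
        [int]$ValidHours = 2
    )
    # A key authorizes any machine holding it to join the pool, so keep the
    # window no longer than the rollout needs. The service accepts expirations
    # between 1 hour and 27 days.
    $expiry = (Get-Date).ToUniversalTime().AddHours($ValidHours).ToString('yyyy-MM-ddTHH:mm:ss.fffffffZ')
    New-AzWvdRegistrationInfo -ResourceGroupName $ResourceGroupName -HostPoolName $HostPoolName `
        -ExpirationTime $expiry | Out-Null
    # Return the registration info object; the caller decides where the token
    # goes, and it never lands on the console or in a transcript here.
    Get-AzWvdHostPoolRegistrationToken -ResourceGroupName $ResourceGroupName -HostPoolName $HostPoolName
}

$reg = New-ShortLivedRegistrationKey -ResourceGroupName $resourceGroup -HostPoolName $hostPool
Write-Output "Registration key valid until $($reg.ExpirationTime) (UTC)"
# $reg.Token is the value the Agent installer asks for. Hand it to the session
# hosts over a channel you would trust with a password, such as a pipeline secret.

# Once every session host is listed in the pool, revoke the key instead of
# waiting for it to expire.
Remove-AzWvdRegistrationInfo -ResourceGroupName $resourceGroup -HostPoolName $hostPool
```

Treat the token like a credential: it is the only thing standing between an arbitrary VM and membership in your host pool for as long as the key is valid.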
Create and register session hosts with the
Azure Virtual Desktop service
You can create session hosts and register them to a host pool in a single end-to-end
process with the Azure Virtual Desktop service by using the Azure portal or an Azure
Resource Manager template (ARM template). You can find some example ARM
templates in this GitHub repo.

Important

If you want to create virtual machines by using an alternative method outside Azure
Virtual Desktop, such as an automated pipeline, you need to register them
separately as session hosts to a host pool. Skip to the section Register session
hosts to a host pool.

Here's how to create session hosts and register them to a host pool by using the Azure
Virtual Desktop service in the Azure portal. Make sure that you generated a registration
key first.

1. Sign in to the Azure portal.

2. On the search bar, enter Azure Virtual Desktop and select the matching service
entry.

3. Select Host pools, and then select the name of the host pool to which you want to
add session hosts.

4. On the host pool overview, select Session hosts, and then select + Add.

5. The Basics tab is unavailable because you're using the existing host pool. Select
Next: Virtual Machines.

6. On the Virtual machines tab, expand one of the following sections and complete
the information, depending on whether you want to create session hosts on Azure
or on Azure Stack HCI. For guidance on sizing session host virtual machines, see
Session host virtual machine sizing guidelines.

To add session hosts on Azure, expand this section.

Parameter: Value/Description

Resource group: This value defaults to the same resource group as your host pool, but you can select a different one from the dropdown list.

Name prefix: Enter a name prefix for your session hosts, such as hp01-sh. Each session host has a suffix of a hyphen and then a sequential number added to the end, such as hp01-sh-0. This name prefix can be a maximum of 11 characters and is used in the computer name in the operating system. The prefix and the suffix combined can be a maximum of 15 characters. Session host names must be unique.

Virtual machine location: Select the Azure region where you want to deploy your session hosts. It must be the same region that contains your virtual network.

Availability options: Select from availability zones, availability set, or No infrastructure redundancy required. If you select availability zones or availability set, complete the extra parameters that appear.

Security type: Select from Standard, Trusted launch virtual machines, or Confidential virtual machines.
- If you select Trusted launch virtual machines, options for secure boot and vTPM are automatically selected.
- If you select Confidential virtual machines, options for secure boot, vTPM, and integrity monitoring are automatically selected. You can't opt out of vTPM when using a confidential VM.

Image: Select the OS image that you want to use from the list, or select See all images to see more. The full list includes any images that you created and stored as an Azure Compute Gallery shared image or a managed image.

Virtual machine size: Select a size. If you want to use a different size, select Change size, and then select from the list.

Hibernate: Select the box to enable hibernation. Hibernation is available only for personal host pools. For more information, see Hibernation in virtual machines. If you're using Microsoft Teams media optimizations, you should update the WebRTC redirector service to 1.45.2310.13001. FSLogix and app attach currently don't support hibernation. Don't enable hibernation if you're using FSLogix or app attach for your personal host pools.

Number of VMs: Enter the number of virtual machines that you want to deploy. You can deploy up to 400 session hosts at this point if you want (depending on your subscription quota), or you can add more later. For more information, see Azure Virtual Desktop service limits and Virtual Machines limits.

OS disk type: Select the disk type to use for your session hosts. We recommend that you use only Premium SSD for production workloads.

OS disk size: Select a size for the OS disk. If you enable hibernation, ensure that the OS disk is large enough to store the contents of the memory in addition to the OS and other applications.

Confidential computing encryption: If you're using a confidential VM, you must select the Confidential compute encryption checkbox to enable OS disk encryption. This checkbox appears only if you selected Confidential virtual machines as your security type.

Boot Diagnostics: Select whether you want to enable boot diagnostics.

Network and security

Virtual network: Select your virtual network. An option to select a subnet appears.

Subnet: Select a subnet from your virtual network.

Network security group: Select whether you want to use a network security group (NSG).
- None doesn't create a new NSG.
- Basic creates a new NSG for the VM network adapter.
- Advanced enables you to select an existing NSG.
We recommend that you don't create an NSG here, but create an NSG on the subnet instead.

Public inbound ports: You can select a port to allow from the list. Azure Virtual Desktop doesn't require public inbound ports, so we recommend that you select No.

Domain to join

Select which directory you would like to join: Select from Microsoft Entra ID or Active Directory and complete the relevant parameters for the selected option. To learn more about joining session hosts to Microsoft Entra ID, see Microsoft Entra joined session hosts.

Virtual Machine Administrator account

Username: Enter a name to use as the local administrator account for the new session hosts.

Password: Enter a password for the local administrator account.

Confirm password: Reenter the password.

Custom configuration

Custom configuration script URL: If you want to run a PowerShell script during deployment, you can enter the URL here.

To add session hosts on Azure Stack HCI, expand this section.

Parameter: Value/Description

Resource group: This value defaults to the resource group that you chose to contain your host pool on the Basics tab, but you can select an alternative.

Name prefix: Enter a name prefix for your session hosts, such as hp01-sh. Each session host has a suffix of a hyphen and then a sequential number added to the end, such as hp01-sh-0. This name prefix can be a maximum of 11 characters and is used in the computer name in the operating system. The prefix and the suffix combined can be a maximum of 15 characters. Session host names must be unique.

Virtual machine type: Select Azure Stack HCI virtual machine.

Custom location: In the dropdown list, select the Azure Stack HCI cluster where you want to deploy your session hosts.

Images: Select the OS image that you want to use from the list, or select Manage VM images to manage the images available on the cluster that you selected.

Number of VMs: Enter the number of virtual machines that you want to deploy. You can add more later.

Virtual processor count: Enter the number of virtual processors that you want to assign to each session host. This value isn't validated against the resources available in the cluster.

Memory type: Select Static for a fixed memory allocation, or select Dynamic for a dynamic memory allocation.

Memory (GB): Enter a number for the amount of memory, in gigabytes, that you want to assign to each session host. This value isn't validated against the resources available in the cluster.

Network and security

Network dropdown: Select an existing network to connect each session to.

Domain to join

Select which directory you would like to join: Active Directory is the only available option.

AD domain join UPN: Enter the user principal name (UPN) of an Active Directory user who has permission to join the session hosts to your domain.

Password: Enter the password for the Active Directory user.

Specify domain or unit: Select yes if you want to join session hosts to a specific domain or be placed in a specific organizational unit (OU). If you select no, the suffix of the UPN is used as the domain.

Virtual Machine Administrator account

Username: Enter a name to use as the local administrator account for the new session hosts.

Password: Enter a password for the local administrator account.

Confirm password: Reenter the password.

To add session hosts on Azure Extended Zones, expand this section.


Parameter: Value/Description

Resource group: This value defaults to the resource group that you chose to contain your host pool on the Basics tab, but you can select an alternative.

Name prefix: Enter a name prefix for your session hosts, such as hp01-sh. Each session host has a suffix of a hyphen and then a sequential number added to the end, such as hp01-sh-0. This name prefix can be a maximum of 11 characters and is used in the computer name in the operating system. The prefix and the suffix combined can be a maximum of 15 characters. Session host names must be unique.

Virtual machine type: Select Azure virtual machine.

Virtual machine location: Select Deploy to an Azure Extended Zone.

Azure Extended Zone: Select the Extended Zone you require.

Network and security

Select a load balancer: Select an existing Azure load balancer on the same virtual network you want to use for your session hosts, or select Create a load balancer to create a new load balancer.

Select a backend pool: Select a backend pool on the load balancer you want to use for your session hosts. If you're creating a new load balancer, select Create new to create a new backend pool for the new load balancer.

Add outbound rule: If you're creating a new load balancer, select Create new to create a new outbound rule for it.

After you complete this tab, select Next: Tags.

7. On the Tags tab, you can optionally enter any name/value pairs that you need, and
then select Next: Review + create.

8. On the Review + create tab, ensure that validation passes and review the
information that will be used during deployment. If validation doesn't pass, review
the error message and check what you entered on each tab.
9. Select Create. After your deployment is complete, the session hosts should appear
in the host pool.

Important

After you add session hosts by using the Azure Virtual Desktop service, skip to the
section Post-deployment tasks for some extra configuration that you might need
to do.

Register session hosts to a host pool


If you created virtual machines by using an alternative method outside Azure Virtual
Desktop, such as an automated pipeline, you need to register them separately as
session hosts to a host pool.

To register session hosts to a host pool, you need to install the Azure Virtual Desktop
Agent and the Azure Virtual Desktop Agent Boot Loader on each virtual machine and
use the registration key that you generated. You can register session hosts to a host
pool by using the agent installers' graphical user interface (GUI) or by using msiexec
from a command line.

After you finish, four applications are listed as installed applications:

Remote Desktop Agent Boot Loader
Remote Desktop Services Infrastructure Agent
Remote Desktop Services Infrastructure Geneva Agent
Remote Desktop Services SxS Network Stack

Select the relevant tab for your scenario and follow the steps.

GUI

1. Make sure the virtual machines that you want to use as session hosts are
joined to Microsoft Entra ID or an Active Directory domain (Active Directory
Domain Services or Microsoft Entra Domain Services).

2. If your virtual machines are running a Windows Server OS, you need to install
the Remote Desktop Session Host role and then restart the virtual machine. For
more information, see Install roles, role services, and features by using the
Add Roles and Features Wizard.
3. Sign in to your virtual machine as an administrator.

4. Download the installation files for the Agent and the Agent Boot Loader by
using the following links. If you need to unblock them, right-click each file,
select Properties, select Unblock, and finally select OK.

Azure Virtual Desktop Agent
Azure Virtual Desktop Agent Bootloader

Tip

The Azure Virtual Desktop Agent download link is for the latest
production version in non-validation environments. This download link is
updated after the automatic production rollout is complete, so you might
see a delay between the release of a production version and the update
of the download link. After you install the Azure Virtual Desktop Agent,
it's updated automatically. For more information about the rollout of new
versions of the agent, see What's new in the Azure Virtual Desktop
Agent?.

5. Run the Microsoft.RDInfra.RDAgent.Installer-x64-<version>.msi file to install
the Remote Desktop Services Infrastructure Agent.

6. Follow the prompts. When the installer prompts you for the registration token,
paste it into the text box, which appears on a single line. Select Next, and then
complete the installation.

7. Run the Microsoft.RDInfra.RDAgentBootLoader.Installer-x64-<version>.msi
file to install the remaining components.

8. Follow the prompts and complete the installation.

9. After a short time, the virtual machines are listed as session hosts in the host
pool. The status of the session hosts might initially appear as Unavailable. If a
newer agent version is available, it's upgraded automatically.
10. After the status of the session hosts is Available, restart the virtual machines.

Post-deployment tasks
After you add session hosts to your host pool, you might need to do some extra
configuration, as described in the following sections.

Licensing

To ensure that your session hosts have licenses applied correctly, you need to do the
following tasks:

If you have the correct licenses to run Azure Virtual Desktop workloads, you can
apply a Windows or Windows Server license to your session hosts as part of Azure
Virtual Desktop and run them without paying for a separate license. This license is
automatically applied when you create session hosts by using the Azure Virtual
Desktop service, but you might have to apply the license separately if you create
session hosts outside Azure Virtual Desktop. For more information, see Apply a
Windows license to session host virtual machines.

If your session hosts are running a Windows Server OS, you also need to issue
them a Remote Desktop Services (RDS) client access license (CAL) from an RDS
license server. For more information, see License your RDS deployment with client
access licenses.

For session hosts on Azure Stack HCI, you must license and activate the virtual
machines before you use them with Azure Virtual Desktop. For activating VMs that
use Windows 10 Enterprise multi-session, Windows 11 Enterprise multi-session,
and Windows Server 2022 Datacenter: Azure Edition, use Azure verification for
VMs. For all other OS images (such as Windows 10 Enterprise, Windows 11
Enterprise, and other editions of Windows Server), you should continue to use
existing activation methods. For more information, see Activate Windows Server
VMs on Azure Stack HCI.

Microsoft Entra joined session hosts

For session hosts on Azure that are joined to Microsoft Entra ID, you also need to enable
single sign-on or earlier authentication protocols, assign an RBAC role to users, and
review your multifactor authentication policies so that users can sign in to the VMs. For
more information, see Microsoft Entra joined session hosts.
Related content
Now that you've expanded your existing host pool, you can sign in to an Azure Virtual
Desktop client to test the hosts as part of a user session. You can connect to a session
by using any of the following clients:

Connect with the Windows desktop client
Connect with the web client
Connect with the Android client
Connect with the macOS client
Connect with the iOS client



Multimedia redirection for video
playback and calls in a remote session
Article • 10/15/2024

Tip

This article is shared for services and products that use the Remote Desktop
Protocol (RDP) to provide remote access to Windows desktops and apps.

Multimedia redirection redirects video playback and calls in a remote session from
Azure Virtual Desktop, a Windows 365 Cloud PC, or Microsoft Dev Box to your local
device for faster processing and rendering. Specifically, these two functions work in the
following ways:

Video playback redirection: optimizes video playback experience for web pages
with embedded videos like YouTube and Facebook. The browser in the remote
session fetches video content, but the bitstream of video data is sent to the local
device where it decodes and renders the video in the correct place on the screen.

Call redirection: optimizes audio calls for WebRTC-based calling apps, reducing
latency and improving call quality. The connection is established between the local
device and the telephony app server: the WebRTC call is offloaded from the remote
session to the local device. After the connection is established, call quality depends
on the web page or app provider, just as it would with a non-redirected call.

There are two components you need to install for multimedia redirection:

Remote Desktop Multimedia Redirection Service
Browser extension for Microsoft Edge or Google Chrome browsers

This article shows you how to install and configure multimedia redirection in a remote
session from Azure Virtual Desktop, a Windows 365 Cloud PC, or Microsoft Dev Box with
Microsoft Edge or Google Chrome browsers, and how to manage settings for the browser
extension using Microsoft Intune or Group Policy. Additionally, this article shows you
how to manage settings for the browser extension in Microsoft Edge using the
Microsoft Edge management service.

Later in the article you can find a list of websites that work with multimedia redirection
for video playback and calls.

Prerequisites
Before you can use multimedia redirection, you need:

An existing host pool with session hosts.

Local administrator privilege on your session hosts to install and update the
Remote Desktop Multimedia Redirection Service.

The latest version of Microsoft Edge or Google Chrome installed on your session
hosts.

Microsoft Visual C++ Redistributable 2015-2022, version 14.32.31332.0 or later,
installed on your session hosts and local Windows devices. You can download the
latest version from Microsoft Visual C++ Redistributable latest supported
downloads.

To configure multimedia redirection using Microsoft Intune, you need:

A Microsoft Entra ID account that is assigned the Policy and Profile manager built-in
RBAC role.
A group containing the devices you want to configure.

To configure multimedia redirection using Group Policy, you need:

A domain account that has permission to create or edit Group Policy objects.
A security group or organizational unit (OU) containing the devices you want to
configure.

You need to connect to a remote session from one of the following supported
apps and platforms:
Windows App on Windows, version 2.0.297.0 or later.
Remote Desktop app on Windows, version 1.2.5709 or later.

Your local Windows device must meet the hardware requirements for Teams on a
Windows PC.

Note

Multimedia redirection isn't supported on Azure Virtual Desktop for Azure US
Government, or Windows 365 for Microsoft 365 Government (GCC), GCC-High
environments, and Microsoft 365 DoD.

Install multimedia redirection on session hosts

There are two components you need to install on your session hosts:

Remote Desktop Multimedia Redirection Service
Browser extension for Microsoft Edge or Google Chrome browsers

You install both the multimedia redirection service and the browser extension from a
single .msi file. You can run it manually, deploy it with Intune Win32 app management,
or deploy it with your enterprise deployment tool using msiexec. To install the .msi file:

1. Download the multimedia redirection installer.

2. Make sure Microsoft Edge or Google Chrome isn't running. Check in Task Manager
that there are no instances of msedge.exe or chrome.exe listed in the Details tab.
3. Install the .msi file using one of the following methods:

To install it manually, open the file that you downloaded to run the setup
wizard, then follow the prompts. After it's installed, select Finish.

Alternatively, use the following command with Intune or your enterprise
deployment tool as an administrator from Command Prompt. This example
specifies that no UI or user interaction is required during the installation
process.

Windows Command Prompt

msiexec /i <path to the MSI file> /qn

After you install the multimedia redirection service and browser extension, next you
need to enable the browser extension.

Important

The Remote Desktop Multimedia Redirection Service doesn't update automatically.
You need to update the service manually when a new version is available. You can
download the latest version from the same URL in this section and install it using the
same steps, which automatically replaces the previous version. Because you redeploy
the installer yourself, put it through the same change control and signature checks as
any other software you distribute to session hosts. For information about the latest
version, see What's new in multimedia redirection.

The browser extension updates automatically when a new version is available.

Enable and manage the browser extension centrally

Tip

By default, users are automatically prompted to enable the extension when they
open their browser. This section is optional if you want to enable and manage the
browser extension centrally.

You can enable and manage the browser extension centrally from Microsoft Edge Add-
ons or the Chrome Web Store for all users by using Microsoft Intune or Group Policy, or
the Microsoft Edge management service (for Microsoft Edge only).
Managing the browser extension has the following benefits:

Enable the browser extension silently and without user interaction.
Restrict which web pages use multimedia redirection.
Show or hide advanced settings for the browser extension.
Pin the browser extension to the browser toolbar.

Select the relevant tab for your scenario.

Microsoft Intune

To enable the multimedia redirection browser extension using Microsoft Intune,
expand one of the following sections, depending on which browser you're using:

For Microsoft Edge, expand this section.

1. Sign in to the Microsoft Intune admin center .

2. Create or edit a configuration profile for Windows 10 and later devices, with
the Settings catalog profile type.

3. In the settings picker, browse to Microsoft Edge > Extensions.

4. Check the box for Configure extension management settings, then close the
settings picker.

5. Expand the Microsoft Edge category, then toggle the switch for Configure
extension management settings to Enabled.

6. In the box that appears for Configure extension management settings
(Device), enter the following JSON as a single line string. This example installs
the extension with the required update URL:

JSON

{
"joeclbldhdmoijbaagobkhlpfjglcihd": {
"installation_mode": "force_installed",
"update_url": "https://edge.microsoft.com/extensionwebstorebase/v1/crx"
}
}

Note

You can specify additional parameters to allow or block specific sites for
redirection and to show or hide advanced settings. For more information,
see:

Common policy configuration parameters.
Allow or block video playback redirection for specific domains.
Enable call redirection for specific domains.

7. Select Next.

8. Optional: On the Scope tags tab, select a scope tag to filter the profile. For
more information about scope tags, see Use role-based access control (RBAC)
and scope tags for distributed IT.

9. On the Assignments tab, select the group containing the computers providing
a remote session you want to configure, then select Next.

10. On the Review + create tab, review the settings, then select Create.

11. After the policy applies to the computers providing a remote session, restart
them for the settings to take effect.

For Google Chrome, expand this section.

1. Download the administrative template for Google Chrome. Select the
option Chrome ADM/ADMX templates to download the ZIP file.

2. Sign in to the Microsoft Intune admin center .

3. Follow the steps to Import custom ADMX and ADML administrative templates
into Microsoft Intune. You need to import google.admx and google.adml
first, then import chrome.admx and chrome.adml.

4. After you import the Google Chrome administrative template, follow the
steps to Create a profile using your imported files.

5. In configuration settings, browse to Computer Configuration > Google >
Google Chrome > Extensions.

6. Select Extension management settings, which opens a new pane. Scroll to the
end, then select Enabled.

7. In the box, enter the following JSON as a single line string. This example
installs the extension with the required update URL:

JSON

{
"lfmemoeeciijgkjkgbgikoonlkabmlno": {
"installation_mode": "force_installed",
"update_url": "https://clients2.google.com/service/update2/crx"
}
}

Note

You can specify additional parameters to allow or block specific sites for
redirection and to show or hide advanced settings. For more information,
see:

Common policy configuration parameters.
Allow or block video playback redirection for specific domains.
Enable call redirection for specific domains.

8. Select OK, then select Next.

9. Optional: On the Scope tags tab, select a scope tag to filter the profile. For
more information about scope tags, see Use role-based access control (RBAC)
and scope tags for distributed IT.

10. On the Assignments tab, select the group containing the computers providing
a remote session you want to configure, then select Next.

11. On the Review + create tab, review the settings, then select Create.

12. After the policy applies to the computers providing a remote session, restart
them for the settings to take effect.

Common policy configuration parameters

The following sections show some examples of policy configuration parameters for the
browser you can use to manage the multimedia redirection browser extension that are
common for both video playback and call redirection. You can use these examples as
part of the steps in Enable and manage the browser extension centrally. Combine these
examples with the parameters you require for your users.

Note

The following examples are for Microsoft Edge. For Google Chrome:

Change joeclbldhdmoijbaagobkhlpfjglcihd to lfmemoeeciijgkjkgbgikoonlkabmlno.
Change the update_url to https://clients2.google.com/service/update2/crx.

Show or hide the extension on the browser toolbar
You can show or hide the extension icon on the browser toolbar. By default, extension
icons are hidden from the toolbar.

The following example installs the extension and shows the extension icon on the
toolbar by default, but still allows users to hide it. Other values are force_shown and
default_hidden. For more information about configuring extensions for Microsoft Edge,
see A detailed guide to configuring extensions using the ExtensionSettings policy.

JSON

{
"joeclbldhdmoijbaagobkhlpfjglcihd": {
"installation_mode": "force_installed",
"update_url": "https://edge.microsoft.com/extensionwebstorebase/v1/crx",
"toolbar_state": "default_shown"
}
}

Show or hide advanced settings button

You can show or hide the advanced settings button to users in the extension. By default,
the advanced settings button is shown and users have access to toggle each setting on
or off. If you hide the advanced settings button, users can still collect logs.

This example installs the extension and hides the advanced settings button.
Alternatively, to show the advanced settings button, set HideAdvancedSettings to false.

JSON

{
"joeclbldhdmoijbaagobkhlpfjglcihd": {
"installation_mode": "force_installed",
"update_url": "https://edge.microsoft.com/extensionwebstorebase/v1/crx",
"HideAdvancedSettings": true
}
}

Browser extension status

The extension icon changes based on whether multimedia redirection is available on the
current web page and which features are supported. The extension icon has the
following states (the icons themselves aren't reproduced here):

The multimedia redirection extension is loaded, indicating that the website can be
redirected.
The multimedia redirection extension isn't loaded, indicating that content on the web
page isn't redirected.
The multimedia redirection extension is currently redirecting video playback.
The multimedia redirection extension is currently redirecting a call.
The multimedia redirection extension failed to load correctly. You might need to
uninstall and reinstall the extension or the Remote Desktop Multimedia Redirection
Service, then try again.

Video playback redirection

The following sections contain information about how to test video playback redirection
and how you can configure advanced settings.

Websites for video playback redirection

The following websites are known to work with video playback redirection by default:

AWS Training
BBC
Big Think
CNBC
Coursera
Daily Mail
Facebook
Fidelity
Fox Sports
Fox Weather
IMDB
Infosec Institute
LinkedIn Learning
Microsoft Learn
Microsoft Stream
Microsoft Teams live events
Pluralsight
Skillshare
The Guardian
Twitch
Udemy *
UMU
U.S. News
Vimeo
Yahoo
Yammer
YouTube (including sites with embedded YouTube videos).

Important

Video playback redirection doesn't support protected content. Protected content
can be played without multimedia redirection using regular video playback.

Test video playback redirection

After you enable multimedia redirection, you can test it by visiting a web page with
video playback from the list in Websites for video playback redirection and following
these steps:

1. Open the web page in Microsoft Edge or Google Chrome on your remote session.

2. Select the Microsoft Multimedia Redirection extension icon in the extension bar on
the top-right corner of your browser. If you're on a web page where multimedia
redirection is available, the icon has a blue border (rather than grey), and shows
the message The extension is loaded. For web pages that support video playback
redirection, Video Playback Redirection has a green check mark.

3. On the web page, play a video. Check the status of the extension icon to confirm
that multimedia redirection is active in your browser.

Microsoft Teams live events


Microsoft Teams live events aren't media-optimized when using the native Teams app in
a remote session. However, if you use Teams live events with a browser that supports
Teams live events and multimedia redirection, multimedia redirection is a workaround
that provides smoother Teams live events playback in a remote session. Multimedia
redirection supports Enterprise Content Delivery Network (ECDN) for Teams live events.

To use multimedia redirection with Teams live events, you must use the web version of
Teams. Multimedia redirection isn't supported with the native Teams app. When you
launch the live event in your browser, make sure you select Watch on the web instead.
The Teams live event should automatically start playing in your browser with multimedia
redirection enabled.
Advanced settings for video playback redirection

The following advanced settings are available for video playback redirection. You can
also hide the advanced settings button from users; for more information, see Show or
hide advanced settings button.

Enable video playback for all sites (beta): By default, video playback redirection is
limited to the sites listed in Websites for video playback redirection. You can
enable video playback redirection for all sites to test the feature with other web
pages. This setting is experimental and might not work as expected.

Video status overlay: When enabled, a short message appears at the top of the
video player that indicates the redirection status of the current video. The message
disappears after five seconds.

Enable redirected video playback overlay: When enabled, a bright highlighted
border appears around the video playback element that is being redirected.

To enable these advanced settings:

1. Select the extension icon in your browser.

2. Select Show Advanced Settings.


3. Toggle the settings you want to enable to on.

Allow or block video playback redirection for specific domains

If you configure multimedia redirection using Microsoft Intune or Group Policy, you can
allow or block specific domains for video playback redirection.

Note

The following example is for Microsoft Edge. For Google Chrome:

Change joeclbldhdmoijbaagobkhlpfjglcihd to lfmemoeeciijgkjkgbgikoonlkabmlno.
Change the update_url to https://clients2.google.com/service/update2/crx.

This example installs the extension and allows learn.microsoft.com and youtube.com,
but blocks all other domains. Hosts in runtime_allowed_hosts take precedence over
runtime_blocked_hosts, so blocking *://* and listing the allowed hosts turns the policy
into an allowlist. The entries are JSON array elements separated by commas. You can
use this example as part of the steps in Enable and manage the browser extension
centrally.

JSON

{
"joeclbldhdmoijbaagobkhlpfjglcihd": {
"installation_mode": "force_installed",
"runtime_allowed_hosts": [ "*://*.learn.microsoft.com", "*://*.youtube.com" ],
"runtime_blocked_hosts": [ "*://*" ],
"update_url": "https://edge.microsoft.com/extensionwebstorebase/v1/crx",
"toolbar_state": "default_shown"
}
}

Call redirection
The following sections contain information about how to test call redirection and how
you can configure advanced settings.

Websites for call redirection

The following websites are known to work with call redirection by default:

WebRTC Sample Site
Content Guru Storm App
Twilio Flex
8x8

Test call redirection

After you enable multimedia redirection, you can test it by visiting a web page with
calling from the list in Websites for call redirection and following these steps:

1. Open the web page in Microsoft Edge or Google Chrome on your remote session.

2. Select the Microsoft Multimedia Redirection extension icon in the extension bar on
the top-right corner of your browser. If you're on a web page where multimedia
redirection is available, the icon has a blue border (rather than grey), and shows
the message The extension is loaded. For web pages that support call redirection,
Call Redirection has a green check mark.

3. On the web page, make a call. Check the status of the extension icon to confirm
that multimedia redirection is active in your browser.

Enable call redirection for specific domains

If you configure multimedia redirection using Microsoft Intune or Group Policy, you can
enable one or more domains for call redirection. This parameter enables you to specify
extra sites in addition to the Websites for call redirection. The supported format is the
fully qualified domain name (FQDN) with up to one subdirectory. The following formats
are supported:

contoso.com
conferencing.contoso.com
contoso.com/conferencing

The following formats aren't supported:

www.contoso.com
contoso.com/conferencing/groups
contoso.com/

Note

The following example is for Microsoft Edge. For Google Chrome:

Change joeclbldhdmoijbaagobkhlpfjglcihd to lfmemoeeciijgkjkgbgikoonlkabmlno.
Change the update_url to https://clients2.google.com/service/update2/crx.

This example installs the extension and adds calling sites contoso.com,
conferencing.contoso.com, and contoso.com/conferencing, which are separated by a
semicolon (;):

JSON

{
"joeclbldhdmoijbaagobkhlpfjglcihd": {
"installation_mode": "force_installed",
"AllowedCallRedirectionSites":
"contoso.com;conferencing.contoso.com;contoso.com/conferencing",
"update_url": "https://edge.microsoft.com/extensionwebstorebase/v1/crx",
"toolbar_state": "default_shown"
}
}
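The following is an added example, not code from this article or from Microsoft. It is a small Node.js/JavaScript helper that builds the ExtensionSettings JSON used in Enable and manage the browser extension centrally, Allow or block video playback redirection for specific domains, and this section, for either browser, and checks each AllowedCallRedirectionSites entry against the supported and unsupported formats listed above. The extension IDs and update URLs are the ones the article gives; the validation regular expression, the function names and the sample inputs are assumptions made for the example.

```javascript
// Added example: build and validate the multimedia redirection ExtensionSettings policy.
// Extension IDs and update URLs are from the article; everything else is this example's own.
const MMR_EXTENSION = {
  edge: {
    id: 'joeclbldhdmoijbaagobkhlpfjglcihd',
    updateUrl: 'https://edge.microsoft.com/extensionwebstorebase/v1/crx',
  },
  chrome: {
    id: 'lfmemoeeciijgkjkgbgikoonlkabmlno',
    updateUrl: 'https://clients2.google.com/service/update2/crx',
  },
};

const TOOLBAR_STATES = new Set(['default_shown', 'force_shown', 'default_hidden']);

// Assumed encoding of the documented AllowedCallRedirectionSites rules: an FQDN with no
// scheme and no leading "www.", optionally followed by exactly one path segment and no
// trailing slash. "contoso.com/conferencing" passes; "www.contoso.com",
// "contoso.com/conferencing/groups" and "contoso.com/" do not.
const LABEL = '[a-z0-9](?:[a-z0-9-]*[a-z0-9])?';
const HOST_RE = new RegExp(`^(?:${LABEL}\\.)+${LABEL}$`, 'i');
const CALL_SITE_RE = new RegExp(`^(?!www\\.)(?:${LABEL}\\.)+${LABEL}(?:/[a-z0-9._-]+)?$`, 'i');

function isValidCallRedirectionSite(site) {
  return typeof site === 'string' && CALL_SITE_RE.test(site);
}

// Returns the policy object keyed by extension ID, ready to be serialised for Intune's
// "Configure extension management settings" box or the Group Policy setting.
function buildMmrExtensionPolicy({
  browser,                       // 'edge' or 'chrome'
  videoAllowedHosts = [],        // bare domains, e.g. 'youtube.com'
  blockOtherVideoHosts = false,  // true turns the allowed list into an allowlist
  callRedirectionSites = [],     // extra call redirection sites, see rules above
  hideAdvancedSettings,          // boolean, or undefined to keep the default
  toolbarState,                  // 'default_shown' | 'force_shown' | 'default_hidden'
}) {
  const ext = MMR_EXTENSION[browser];
  if (!ext) throw new Error(`unknown browser "${browser}"; use "edge" or "chrome"`);

  const settings = { installation_mode: 'force_installed', update_url: ext.updateUrl };

  const badHosts = videoAllowedHosts.filter((host) => !HOST_RE.test(host));
  if (badHosts.length > 0) throw new Error(`not a bare domain: ${badHosts.join(', ')}`);
  if (blockOtherVideoHosts && videoAllowedHosts.length === 0) {
    // Blocking *://* with nothing allowed would silently disable redirection everywhere.
    throw new Error('blockOtherVideoHosts requires at least one allowed host');
  }
  if (videoAllowedHosts.length > 0) {
    // Match pattern form used by the article: *://*.host
    settings.runtime_allowed_hosts = videoAllowedHosts.map((host) => `*://*.${host}`);
    // runtime_allowed_hosts takes precedence over runtime_blocked_hosts, so blocking
    // everything else is what makes the list an allowlist.
    if (blockOtherVideoHosts) settings.runtime_blocked_hosts = ['*://*'];
  }

  const badSites = callRedirectionSites.filter((site) => !isValidCallRedirectionSite(site));
  if (badSites.length > 0) {
    throw new Error(`unsupported AllowedCallRedirectionSites format: ${badSites.join(', ')}`);
  }
  if (callRedirectionSites.length > 0) {
    // The article's format is one semicolon-separated string, not a JSON array.
    settings.AllowedCallRedirectionSites = callRedirectionSites.join(';');
  }

  if (typeof hideAdvancedSettings === 'boolean') settings.HideAdvancedSettings = hideAdvancedSettings;
  if (toolbarState !== undefined) {
    if (!TOOLBAR_STATES.has(toolbarState)) throw new Error(`unknown toolbar_state "${toolbarState}"`);
    settings.toolbar_state = toolbarState;
  }

  return { [ext.id]: settings };
}

// Intune and Group Policy both take the policy as a single-line string.
function policyToSingleLine(policy) {
  return JSON.stringify(policy);
}

// Example use with constructed values: node this-file.js
const examplePolicy = buildMmrExtensionPolicy({
  browser: 'edge',
  videoAllowedHosts: ['learn.microsoft.com', 'youtube.com'],
  blockOtherVideoHosts: true,
  callRedirectionSites: ['contoso.com', 'conferencing.contoso.com', 'contoso.com/conferencing'],
  toolbarState: 'default_shown',
});
console.log(policyToSingleLine(examplePolicy));
```

Generating the string from a validated object avoids the two mistakes that are easy to make when typing the JSON by hand into the Intune or Group Policy text box: a trailing comma or a semicolon inside a JSON array, which make the whole policy invalid, and a call redirection site in a format the extension ignores.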

Enable call redirection for all sites for testing

You can enable call redirection for all sites to allow you to test web pages that aren't
listed in Websites for call redirection. This setting is experimental and can be useful
when developing integration of your website with call redirection.

To enable call redirection for all sites:

1. On a local Windows device, add the following registry key and value:

Key: HKEY_CURRENT_USER\Software\Microsoft\MMR
Type: REG_DWORD
Value: AllowCallRedirectionAllSites
Data: 1

2. Connect to a remote session and load a web browser, then select the extension
icon in your browser.

3. Select Show Advanced Settings.

4. Toggle Enable call redirection for all sites (experimental) to on.


Next step
To troubleshoot issues or view known issues, see our troubleshooting article.



Developer integration with multimedia
redirection for WebRTC-based calling
apps in a remote session
Article • 10/15/2024

Multimedia redirection redirects video playback and calls in a remote session from
Azure Virtual Desktop, a Windows 365 Cloud PC, or Microsoft Dev Box to your local
device for faster processing and rendering.

Call redirection optimizes audio calls for WebRTC-based calling apps, reducing latency,
and improving call quality. The connection happens between the local device and the
telephony app server, where WebRTC calls are offloaded from a remote session to a
local device. After the connection is established, call quality becomes dependent on the
web page or app providers, just as it would with a non-redirected call.

Call redirection can work with most WebRTC-based calling apps without modifications.
However, there might be unsupported scenarios or you might want to provide a
different experience in a remote session.

This article provides information about supported API interfaces and instance methods,
and shows JavaScript code snippets that you can use with the mediaDevices property of
the Navigator interface.

The Navigator interface is part of the Media Capture and Streams API, which you use to
integrate your website with call redirection. Together with the WebRTC API, these APIs
provide support for streaming audio and video data with WebRTC-based calling apps.
Multimedia redirection replaces the implementation of the mediaDevices object in these
APIs to detect call redirection, handle disconnection and reconnection events, and
collect diagnostic information.

Tip

When you want to test your integration with multimedia redirection, you can
enable call redirection to be available for all websites. For more information, see
Enable call redirection for all sites for testing.

Supported API interfaces and instance methods

Call redirection is designed to seamlessly replace standard WebRTC usage with an
implementation that redirects calls from a remote session to the local device.

Here's a list of the supported interfaces and instance methods used by call redirection
from the Media Capture and Streams API and WebRTC API:

AnalyserNode
AudioContext
HTMLAudioElement
MediaDevices
    enumerateDevices
    getUserMedia
MediaStream
MediaStreamAudioDestinationNode
MediaStreamAudioSourceNode
MediaStreamTrack
RTCDataChannel
RTCPeerConnection
RTCRtpReceiver
RTCRtpSender
RTCRtpTransceiver

Known limitations

Call redirection has the following API limitations:

Only a limited number of WebAudio nodes are supported currently.

setSinkId on an HTMLAudioElement works for WebRTC srcObject tracks; however,
any local playback, such as a ringtone, always plays on the default audio output of
the remote session.

Some APIs return synchronously under normal conditions but have to be proxied
when used with call redirection, so the state of an object might not be available
immediately.

Detect call redirection

To detect whether call redirection is active, check the isCallRedirectionEnabled
property of the MediaDevices object. If this property is true, call redirection is active. If
this property is undefined or false, call redirection isn't active. Read the property rather
than assigning to it:

JavaScript

const callRedirectionActive =
window.navigator.mediaDevices['isCallRedirectionEnabled'] === true;

Detect disconnection from a remote session

When a user disconnects from and reconnects to a remote session while using call
redirection on a web page, the local WebRTC instance that backed the objects is no
longer available. Typically, if a user refreshes the page, they're able to make calls again.

The web page can detect and handle these disconnect and reconnect events by tearing
down and recreating all WebRTC objects, audio or video elements, and MediaStream or
MediaStreamTrack interfaces. This approach eliminates the need to refresh the web page.

To get notified of these events, register for the rdpClientConnectionStateChanged event
on the MediaDevices object, as shown in the following example. The event's detail
contains the new state, which can be either connected or disconnected. The handler
takes the event as a parameter instead of relying on the deprecated global window.event:

JavaScript

navigator.mediaDevices.addEventListener('rdpClientConnectionStateChanged',
(event) => {
console.log("state change: " + event.detail.state);
});

Call redirection diagnostics

The following example lists the properties exposed on the MediaDevices object. They
provide specific diagnostic info about the versions of call redirection being used and
session identifiers. This information is useful when reporting issues to Microsoft and we
recommend you collect it as part of your own telemetry or diagnostics data.

JavaScript

window.navigator.mediaDevices['mmrClientVersion'];
window.navigator.mediaDevices['mmrHostVersion'];
window.navigator.mediaDevices['mmrExtensionVersion'];

window.navigator.mediaDevices['activityId'];
window.navigator.mediaDevices['connectionId'];

Here's what each property represents:

mmrClientVersion: the version of the file MsMmrDVCPlugin.dll on the local
machine, which comes as part of Windows App and the Remote Desktop app.

mmrHostVersion: the version of the file MsMMRHost.exe installed on the session
host, Cloud PC, or dev box.

mmrExtensionVersion: the version of the Microsoft Multimedia Redirection
extension running in the browser.

activityId: a unique identifier that Microsoft uses to associate telemetry with a
specific session; it maps to the current web page that multimedia redirection is
redirecting.

connectionId: a unique identifier that Microsoft uses to associate telemetry with a
specific session; it relates to the given connection between the local device and
the remote session.

All of this information is available to the end user in the details of the browser extension,
but this example provides a programmatic way to collect it.

Call redirection logs


By default, multimedia redirection doesn't log to the console. The browser extension has
a button to for users to collect logs. The following example shows how you can enable
console logs programmatically. You might want to do enable console logs
programmatically if you're working on integration or capturing an issue that requires
longer running logs than the option in the browser extension interface provides.

JavaScript

window.navigator.mediaDevices['mmrConsoleLoggingEnabled'] = true;

You might also want to programmatically collect multimedia redirection logs to aid in
investigations. All logs for the web page are also available by registering for the
mmrExtensionLog event on the document.

The event object has two properties under detail:

Level: denotes what kind of trace the entry is and allows you to filter for specific
events. Level is one of the following values:
info
verbose
warning
error

Message: the text-based trace message.

The following example shows how to register for the mmrExtensionLog event:

JavaScript

document.addEventListener('mmrExtensionLog', (event) => {
    console.log("MMR event, level: " + event.detail.level + " : " + event.detail.message);
});

Related content
Learn more about Multimedia redirection for video playback and calls in a remote
session.


Graphics encoding over the Remote
Desktop Protocol
Article • 10/23/2024

Graphics data from a remote session is transmitted to a local device via the Remote
Desktop Protocol (RDP). The process involves encoding the graphics data on the remote
virtual machine before sending it to the local device. Each frame is processed based on
its content, passing through image processors, a classifier, and a codec, before being
delivered to the local device using RDP's graphics transport.

The aim of encoding and transmitting graphics data is to provide optimal performance
and quality, with an experience that is the same as using a device locally. This process is
important when using Azure Virtual Desktop, Cloud PCs in Windows 365, and Microsoft
Dev Box, where users expect a high-quality experience when working remotely.

RDP uses a range of features and techniques to process and transmit graphics data that
make it suitable for a wide range of scenarios, such as office productivity, video
playback, and gaming. These features and techniques include:

Hardware and software-based encoding: uses the CPU or GPU to encode graphics data.

Hardware-accelerated encoding: offloads graphics encoding from the CPU to the GPU on a remote virtual machine with a discrete GPU. A GPU provides better performance for graphics-intensive applications, such as 3D modeling or high-definition video editing.

Software encoding: uses the CPU to encode graphics data at a low cost. Software encoding is the default encoding profile used on a remote virtual machine without a discrete GPU.

Mixed-mode: separates text and image encoding using different codecs to provide the best quality and lowest encoding cost for each type of content. Mixed-mode is only available with software encoding.

Adaptive graphics: adjusts the encoding quality based on the available bandwidth and the content of the screen.

Full-screen video encoding: provides a higher frame rate and better user experience.

Delta detection and caching: reduces the amount of data that needs to be transmitted.

Multiple codec support: uses hardware decoders on a local device. Codecs include the Advanced Video Coding (AVC) video codec, also known as H.264, and the High Efficiency Video Coding (HEVC) video codec, also known as H.265. HEVC/H.265 support is in preview and requires a compatible GPU-enabled remote virtual machine.

4:2:0 and 4:4:4 chroma subsampling: provides a balance between image quality and bandwidth usage.

You can use a combination of these features and techniques depending on the available
resources of the remote session, local device, and network, and the user experience you
want to provide.

This article describes the process of encoding and delivering graphics data over RDP
using some of these features and techniques.

 Tip

We recommend you use multimedia redirection where possible, which redirects video playback to the local device. Multimedia redirection provides a better user experience for video playback by sending the bitstream of video data to the local device, where it decodes and renders the video in the correct place on the screen. This method also lowers processing cost on the remote virtual machine regardless of encoding configuration. To learn more, see Multimedia redirection for video playback and calls in a remote session.

Mixed-mode
By default, graphics data is separated depending on its content. Text and images are
encoded using a mix of codecs to achieve optimal encoding performance across
different content types when using software encoding only. This process is known as
mixed-mode.

On average, approximately 80% of the graphics data for a remote session is text. In
order to provide the lowest encoding cost and best quality for text, RDP uses a custom
codec that's optimized for text. Due to image content being more challenging to
encode effectively, it's critical to use a codec that adapts well to available bitrate.

The rest of the content is separated into images and video:

Images are software encoded with either AVC/H.264 or RemoteFX graphics, depending on the capabilities of the local device and whether multimedia redirection is enabled. AVC/H.264 encoding of images isn't available when using multimedia redirection.

Video is software encoded with AVC/H.264.

AVC/H.264 is a widely supported codec that has a good compression ratio for images, is capable of progressive encoding, and has the ability to adjust quality based on bitrate. It relies on the hardware decoder on the local device, which is widely supported on modern devices. Using the hardware decoder on the local device reduces CPU usage on the local device and provides a better user experience. Check with the device manufacturer to ensure that it supports AVC/H.264 hardware decoding.

The following diagram shows the process of encoding and delivering graphics data over
RDP using mixed-mode in a software encoding scenario:

[Diagram: a frame from the remote session passes through the video detector, then the image processors (delta detection, motion detection, cache), then the image classifier, and is encoded by the image codec (AVC/H.264 or RemoteFX), the text codec (custom), or the video codec (AVC/H.264) before being sent over the graphics channel to the local device.]

This process is described as follows:


1. A frame bitmap is first processed by detecting whether it contains video. If it does
contain video, the frame is sent to the video codec, which in a software-based
scenario is encoded with AVC/H.264, and then the frame passes to the graphics
channel.

2. If the frame doesn't contain video, the image processors determine if there are
delta changes, motion is detected, or if content is available in the cache. If the
content matches certain criteria, the frame passes to the graphics channel.

3. If the frame needs further processing, the image classifier determines whether it
contains text or images.

4. Text and images are encoded using different codecs to provide the best quality
and lowest encoding cost for each type of content. Once encoded, the frame
passes to the graphics channel.

Instead of using two separate codecs for text and images with mixed-mode, you can
enable full-screen video encoding to process all screen content using the AVC/H.264
video codec.

Full-screen video encoding

Full-screen video encoding is useful for scenarios where the screen content is largely
image based and is used as an alternative to mixed-mode. Full-screen video encoding
processes all graphics data with either AVC/H.264 or HEVC/H.265. As a result, it performs
worse than mixed-mode encoding when the screen content is largely text based.

A full-screen video profile provides a higher frame rate and better user experience, but
uses more network bandwidth and resources on both the remote virtual machine and
local device. It benefits applications such as 3D modeling, CAD/CAM, or video playback
and editing.

If you enable both HEVC/H.265 and AVC/H.264 hardware acceleration, but HEVC/H.265
isn't available on the local device, AVC/H.264 is used instead. HEVC/H.265 allows for 25-
50% data compression compared to AVC/H.264, at the same video quality, or improved
quality, at the same bitrate.

You can enable full-screen video encoding with AVC/H.264 even without GPU
acceleration, but HEVC/H.265 requires a compatible GPU-enabled remote virtual
machine.

To learn more, see Enable GPU acceleration for Azure Virtual Desktop.

Hardware GPU acceleration
Azure Virtual Desktop, Cloud PCs in Windows 365, and Microsoft Dev Box support
graphics processing unit (GPU) acceleration in rendering and encoding for improved
app performance and scalability using the Remote Desktop Protocol (RDP). GPU
acceleration is crucial for graphics-intensive applications, such as those used by graphic
designers, video editors, 3D modelers, data analysts, or visualization specialists.

There are two components to GPU acceleration that work together to improve the user
experience:

GPU-accelerated application rendering: Use the GPU to render graphics in a remote session.

GPU-accelerated frame encoding: RDP encodes all graphics rendered for transmission to the local device. When part of the screen is frequently updated, it's encoded with AVC/H.264.

If the screen content in your workloads is largely image based, you can also enable full-
screen video encoding to process all screen content to provide a higher frame rate and
better user experience.

To learn more, see Enable GPU acceleration.

Chroma subsampling support for 4:2:0 and 4:4:4
The chroma value determines the color space used for encoding. By default, the chroma
value is set to 4:2:0, which provides a good balance between image quality and network
bandwidth. When you use AVC/H.264, you can increase the chroma value to 4:4:4 to
improve image quality, but it also increases network bandwidth. You don't need to use
GPU acceleration to change the chroma value.

To learn more, see Increase the chroma value to 4:4:4 using the Advanced Video Coding
(AVC) video codec.


Enable GPU acceleration for Azure
Virtual Desktop
Article • 09/19/2024

Important

High Efficiency Video Coding (H.265) hardware acceleration is currently in preview. See the Supplemental Terms of Use for Microsoft Azure Previews for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

Azure Virtual Desktop supports graphics processing unit (GPU) acceleration in rendering
and encoding for improved app performance and scalability using the Remote Desktop
Protocol (RDP). GPU acceleration is crucial for graphics-intensive applications, such as
those used by graphic designers, video editors, 3D modelers, data analysts, or
visualization specialists.

There are three components to GPU acceleration in Azure Virtual Desktop that work
together to improve the user experience:

GPU-accelerated application rendering: Use the GPU to render graphics in a remote session.

GPU-accelerated frame encoding: The Remote Desktop Protocol encodes all graphics rendered for transmission to the local device. When part of the screen is frequently updated, it's encoded with the Advanced Video Coding (AVC) video codec, also known as H.264.

Full-screen video encoding: A full-screen video profile provides a higher frame rate and better user experience, but uses more network bandwidth and both session host and client resources. It benefits applications such as 3D modeling, CAD/CAM, or video playback and editing. You can choose to encode it with:
AVC/H.264.
High Efficiency Video Coding (HEVC), also known as H.265. This allows for 25-50% data compression compared to AVC/H.264, at the same video quality or improved quality at the same bitrate.

Note

If you enable both HEVC/H.265 and AVC/H.264 hardware acceleration, but HEVC/H.265 isn't available on the local device, AVC/H.264 is used instead.

You can enable full-screen video encoding with AVC/H.264 even without GPU acceleration, but HEVC/H.265 requires a compatible GPU-enabled remote virtual machine.

You can also increase the default chroma value to improve the image quality.

This article shows you which Azure VM sizes you can use as a session host with GPU
acceleration, and how to enable GPU acceleration for rendering and encoding.

Supported GPU-optimized Azure VM sizes

The following table lists which Azure VM sizes are optimized for GPU acceleration and supported as session hosts in Azure Virtual Desktop:

Azure VM size        GPU-accelerated application rendering   GPU-accelerated frame encoding   Full-screen video encoding
NVv3-series          Supported                               AVC/H.264                        HEVC/H.265, AVC/H.264
NVv4-series          Supported                               Not available                    Supported
NVadsA10 v5-series   Supported                               AVC/H.264                        HEVC/H.265, AVC/H.264
NCasT4_v3-series     Supported                               AVC/H.264                        HEVC/H.265, AVC/H.264

The right choice of VM size depends on many factors, including your particular
application workloads, desired quality of user experience, and cost. In general, larger
and more capable GPUs offer a better user experience at a given user density. Smaller
and fractional GPU sizes allow more fine-grained control over cost and quality.

VM sizes with an NVIDIA GPU come with a GRID license that supports 25 concurrent
users.

Important
Azure NC, NCv2, NCv3, ND, and NDv2 series VMs aren't generally appropriate as
session hosts. These VM sizes are tailored for specialized, high-performance
compute or machine learning tools, such as those built with NVIDIA CUDA. They
don't support GPU acceleration for most applications or the Windows user
interface.

Prerequisites
Before you can enable GPU acceleration, you need:

An existing host pool with session hosts using a supported GPU-optimized Azure
VM size for the graphics features you want to enable. Supported graphics drivers
are listed in Install supported graphics drivers in your session hosts.

To configure Microsoft Intune, you need:

A Microsoft Entra ID account that is assigned the Policy and Profile manager built-in RBAC role.
A group containing the devices you want to configure.

To configure Group Policy, you need:

A domain account that has permission to create or edit Group Policy objects.
A security group or organizational unit (OU) containing the devices you want to configure.

In addition, for HEVC/H.265 hardware acceleration you also need:

Session hosts must be running Windows 10 or Windows 11.

A desktop application group. RemoteApp isn't supported.

If you increased the chroma value to 4:4:4, the chroma value falls back to 4:2:0 when using HEVC hardware acceleration.

Disable multimedia redirection on your session hosts by uninstalling the host component.

The Administrative template for Azure Virtual Desktop available in Group Policy to configure your session hosts.

A local Windows device you use to connect to a remote session must have:

A GPU that has HEVC (H.265) 4K YUV 4:2:0 decode support. For more information, see the manufacturer's documentation (NVIDIA, AMD, Intel).

The Microsoft HEVC codec installed. The Microsoft HEVC codec is included in clean installs of Windows 11 22H2 or later. You can also purchase the Microsoft HEVC codec from the Microsoft Store.

One of the following apps to connect to a remote session. Other platforms and versions aren't supported.
Windows App on Windows, version 1.3.278.0 or later.
Remote Desktop app on Windows, version 1.2.4671.0 or later.

Install supported graphics drivers in your session hosts
To take advantage of the GPU capabilities of Azure N-series VMs in Azure Virtual
Desktop, you must install the appropriate graphics drivers. Follow the instructions at
Supported operating systems and drivers to learn how to install drivers.

Important

Only Azure-distributed drivers are supported.

When installing drivers, here are some important guidelines:

For VM sizes with an NVIDIA GPU, only NVIDIA GRID drivers support GPU acceleration for most applications and the Windows user interface. NVIDIA CUDA drivers don't support GPU acceleration for these VM sizes. To download and learn how to install the driver, see Install NVIDIA GPU drivers on N-series VMs running Windows and be sure to install the GRID driver. If you install the driver by using the NVIDIA GPU Driver Extension, the GRID driver is automatically installed for these VM sizes.
For HEVC/H.265 hardware acceleration, you must use NVIDIA GPU driver GRID 16.2 (537.13) or later.

For VM sizes with an AMD GPU, install the AMD drivers that Azure provides. To download and learn how to install the driver, see Install AMD GPU drivers on N-series VMs running Windows.

Enable GPU-accelerated application rendering, frame encoding, and full-screen video encoding
By default, remote sessions are rendered with the CPU and don't use available GPUs.
You can enable GPU-accelerated application rendering, frame encoding, and full-screen
video encoding using Microsoft Intune or Group Policy.

Select the relevant tab for your scenario.

Microsoft Intune

Important

HEVC/H.265 hardware acceleration isn't available in the Intune Settings Catalog yet.

To enable GPU-accelerated application rendering, frame encoding, and full-screen video encoding using Intune:

1. Sign in to the Microsoft Intune admin center .

2. Create or edit a configuration profile for Windows 10 and later devices, with
the Settings catalog profile type.

3. In the settings picker, browse to Administrative templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Remote Session Environment.

4. Select the following settings, then close the settings picker:

a. For GPU-accelerated application rendering, check the box for Use hardware
graphics adapters for all Remote Desktop Services sessions.

b. For GPU accelerated frame encoding, check the box for Configure
H.264/AVC hardware encoding for Remote Desktop connections.

c. For full-screen video encoding, check the box for Prioritize H.264/AVC 444
Graphics mode for Remote Desktop connections.

5. Expand the Administrative templates category, then toggle the switch for each setting as follows:

a. For GPU-accelerated application rendering, set Use hardware graphics adapters for all Remote Desktop Services sessions to Enabled.

b. For GPU-accelerated frame encoding, set Configure H.264/AVC hardware encoding for Remote Desktop connections to Enabled.

c. For full-screen video encoding, set Prioritize H.264/AVC 444 Graphics mode for Remote Desktop connections to Enabled.

6. Select Next.

7. Optional: On the Scope tags tab, select a scope tag to filter the profile. For more information about scope tags, see Use role-based access control (RBAC) and scope tags for distributed IT.

8. On the Assignments tab, select the group containing the computers providing a remote session you want to configure, then select Next.

9. On the Review + create tab, review the settings, then select Create.

10. After the policy applies to the computers providing a remote session, restart
them for the settings to take effect.

Verify GPU acceleration

To verify that a remote session is using GPU acceleration, GPU-accelerated application rendering, frame encoding, or full-screen video encoding:

1. If you want to verify HEVC/H.265 hardware acceleration, complete the following extra steps:

a. Make sure the local Windows device has the Microsoft HEVC codec installed by opening a PowerShell prompt and running the following command:

PowerShell

Get-AppxPackage -Name "Microsoft.HEVCVideoExtension" | FT Name, Version

The output should be similar to the following output:

Output

Name                         Version
----                         -------
Microsoft.HEVCVideoExtension 2.1.1161.0

b. Make sure multimedia redirection is disabled on the session host if you're using it.

2. Connect to one of the session hosts you configured, either through Azure Virtual
Desktop or a direct RDP connection.

3. Open an application that uses GPU acceleration and generate some load for the
GPU.

4. Open Task Manager and go to the Performance tab. Select the GPU to see
whether the GPU is being utilized by the application.

 Tip

For NVIDIA GPUs, you can also use the nvidia-smi utility to check for GPU
utilization when running your application. For more information, see Verify
driver installation.

5. Open Event Viewer from the start menu, or run eventvwr.msc from the command line.

6. Navigate to one of the following locations:

a. For connections through Azure Virtual Desktop, go to Applications and Services Logs > Microsoft > Windows > RemoteDesktopServices-RdpCoreCDV > Operational.

b. For connections through a direct RDP connection, go to Applications and Services Logs > Microsoft > Windows > RemoteDesktopServices-RdpCoreTs > Operational.

7. Look for the following event IDs:

Event ID 170: If you see AVC hardware encoder enabled: 1 in the event text, GPU-accelerated frame encoding is in use.
Event ID 162:
If you see AVC available: 1, Initial Profile: 2048 in the event text, GPU-accelerated frame encoding with AVC/H.264 and full-screen video encoding is in use.
If you see AVC available: 1, Initial Profile: 32768 in the event text, GPU-accelerated frame encoding with HEVC/H.265 is in use.
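The Event Viewer check in steps 5 to 7 is easier to repeat across a host pool from PowerShell. The following script is an added example written for this page, not code from the article: it reads event IDs 162 and 170 from the operational channel that corresponds to the Event Viewer path, extracts the AVC hardware encoder, AVC available, and Initial Profile fields from the message text, and interprets the two profile values documented above. The channel names Microsoft-Windows-RemoteDesktopServices-RdpCoreCDV/Operational and Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational are assumed from those folder paths; any other Initial Profile value is reported without interpretation because the article documents only 2048 and 32768. The HEVC codec check is the same Get-AppxPackage query as step 1a, wrapped so it can run on the local device as part of the same check.

```powershell
# Added example (not from the article): decode RDP graphics encoder events on a session host.
# Assumption: the Event Viewer folders RemoteDesktopServices-RdpCoreCDV / RdpCoreTS correspond
# to the channel names below.
function Get-RdpEncoderEvents {
    [CmdletBinding()]
    param(
        # 'AzureVirtualDesktop' reads the RdpCoreCDV channel; 'DirectRdp' reads RdpCoreTS.
        [ValidateSet('AzureVirtualDesktop', 'DirectRdp')]
        [string]$ConnectionType = 'AzureVirtualDesktop',
        [int]$MaxEvents = 100
    )

    $logName = switch ($ConnectionType) {
        'AzureVirtualDesktop' { 'Microsoft-Windows-RemoteDesktopServices-RdpCoreCDV/Operational' }
        'DirectRdp'           { 'Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational' }
    }

    # Only event IDs 162 and 170 carry the encoder fields the article describes.
    $events = Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = 162, 170 } `
        -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    if (-not $events) {
        Write-Warning "No event 162/170 found in $logName. Connect a session first, or try the other connection type."
        return
    }

    foreach ($e in $events) {
        $msg = $e.Message
        $hwEncoder = if ($msg -match 'AVC hardware encoder enabled:\s*(\d)') { $Matches[1] -eq '1' } else { $null }
        $avcAvail  = if ($msg -match 'AVC available:\s*(\d)')                { $Matches[1] -eq '1' } else { $null }
        $profile   = if ($msg -match 'Initial Profile:\s*(\d+)')              { [int]$Matches[1] }    else { $null }

        # Profile values documented in the article: 2048 = AVC/H.264 full-screen video, 32768 = HEVC/H.265.
        $interpretation = if ($null -eq $profile) { '' }
                          elseif ($profile -eq 2048)  { 'AVC/H.264 full-screen video encoding' }
                          elseif ($profile -eq 32768) { 'HEVC/H.265' }
                          else { "profile $profile (not a documented full-screen value)" }

        [pscustomobject]@{
            Time             = $e.TimeCreated
            EventId          = $e.Id
            HwEncoderEnabled = $hwEncoder
            AvcAvailable     = $avcAvail
            InitialProfile   = $profile
            Interpretation   = $interpretation
        }
    }
}

function Test-HevcCodecInstalled {
    # Run on the local Windows device, not the session host: HEVC decode needs this package.
    $pkg = Get-AppxPackage -Name 'Microsoft.HEVCVideoExtension' -ErrorAction SilentlyContinue
    return [bool]$pkg
}

Get-RdpEncoderEvents | Sort-Object Time -Descending | Format-Table -AutoSize
```

Run the script in an elevated session on the session host after connecting at least once; a row with EventId 170 and HwEncoderEnabled True confirms GPU frame encoding, and a 162 row with Interpretation HEVC/H.265 confirms the preview codec negotiated. If every 162 row shows an undocumented profile, the client fell back to mixed-mode or the policy hasn't applied yet.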

Related content
Increase the default chroma value to improve the image quality.


Increase the chroma value to 4:4:4 for
Azure Virtual Desktop using the
Advanced Video Coding (AVC) video
codec
Article • 09/19/2024

The chroma value determines the color space used for encoding. By default, the chroma
value is set to 4:2:0, which provides a good balance between image quality and network
bandwidth. When you use the Advanced Video Coding (AVC) video codec, you can
increase the chroma value to 4:4:4 to improve image quality. You don't need to use GPU
acceleration to change the chroma value.

This article shows you how to set the chroma value. You can use Microsoft Intune or
Group Policy to configure your session hosts.

Prerequisites
Before you can configure the chroma value, you need:

An existing host pool with session hosts.

To configure Microsoft Intune, you need:

Microsoft Entra ID account that is assigned the Policy and Profile manager built-
in RBAC role.

A group containing the devices you want to configure.

To configure Group Policy, you need:

A domain account that has permission to create or edit Group Policy objects.

A security group or organizational unit (OU) containing the devices you want to
configure.

Increase the chroma value to 4:4:4

By default, the chroma value is set to 4:2:0. You can increase the chroma value to 4:4:4 using Microsoft Intune or Group Policy.

Select the relevant tab for your scenario.

Microsoft Intune

To increase the chroma value to 4:4:4 using Microsoft Intune:

1. Sign in to the Microsoft Intune admin center .

2. Create or edit a configuration profile for Windows 10 and later devices, with
the Settings catalog profile type.

3. In the settings picker, browse to Administrative templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Remote Session Environment.

4. Check the box for the following settings, then close the settings picker:

a. Prioritize H.264/AVC 444 Graphics mode for Remote Desktop connections

b. Configure image quality for RemoteFX Adaptive Graphics

5. Expand the Administrative templates category, then set each setting as follows:

a. Toggle the switch for Prioritize H.264/AVC 444 Graphics mode for Remote Desktop connections to Enabled.

b. Toggle the switch for Configure image quality for RemoteFX Adaptive Graphics to Enabled, then for Image quality: (Device), select High.

6. Select Next.

7. Optional: On the Scope tags tab, select a scope tag to filter the profile. For
more information about scope tags, see Use role-based access control (RBAC)
and scope tags for distributed IT.

8. On the Assignments tab, select the group containing the computers providing
a remote session you want to configure, then select Next.

9. On the Review + create tab, review the settings, then select Create.

10. Once the policy applies to the computers providing a remote session, restart
them for the settings to take effect.
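Both Intune procedures on this page (the GPU acceleration steps in Enable GPU-accelerated application rendering, frame encoding, and full-screen video encoding, and the chroma steps above) write their settings as registry values under the Terminal Services policy key on the session host. The following PowerShell script is an added example written for this page, not code from the articles. It audits those four values so you can confirm a host actually received the policy before you restart it, and lists the display adapter and driver version so you can check the GRID build at the same time. The value names and the ImageQuality numbering (1 = Medium, 2 = High, 3 = Lossless) are taken from the Windows Remote Session Environment ADMX template rather than from this page, so treat them as assumptions to verify against your own policy definitions.

```powershell
# Added example (not from the articles): audit the RDS graphics policy values a
# session host received from Intune or Group Policy.
# Assumption: the value names and ImageQuality numbering below come from the Windows
# "Remote Session Environment" ADMX template; they are not stated on this page.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

$Expected = @(
    @{ Value = 'bEnumerateHWBeforeSW';       Want = 1; Setting = 'Use hardware graphics adapters for all Remote Desktop Services sessions' }
    @{ Value = 'AVCHardwareEncodePreferred'; Want = 1; Setting = 'Configure H.264/AVC hardware encoding for Remote Desktop connections' }
    @{ Value = 'AVC444ModePreferred';        Want = 1; Setting = 'Prioritize H.264/AVC 444 Graphics mode for Remote Desktop connections' }
    # Assumed numbering: 1 = Medium, 2 = High, 3 = Lossless. The chroma article selects High.
    @{ Value = 'ImageQuality';               Want = 2; Setting = 'Configure image quality for RemoteFX Adaptive Graphics' }
)

function Get-RdsGraphicsPolicyState {
    [CmdletBinding()]
    param([string]$Key = $PolicyKey)

    # A missing key means no policy has reached this host yet; every value is reported as absent.
    $props = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue

    foreach ($item in $Expected) {
        $actual = $null
        if ($props -and $props.PSObject.Properties[$item.Value]) {
            $actual = [int]$props.($item.Value)
        }
        [pscustomobject]@{
            Setting   = $item.Setting
            Value     = $item.Value
            Expected  = $item.Want
            Actual    = $actual
            Compliant = ($actual -eq $item.Want)
        }
    }
}

function Get-SessionHostGpu {
    # The driver version shows which GRID build is installed (HEVC needs GRID 16.2 / 537.13 or later).
    Get-CimInstance -ClassName Win32_VideoController |
        Select-Object Name, DriverVersion, Status
}

$state = Get-RdsGraphicsPolicyState
$state | Format-Table Setting, Value, Expected, Actual, Compliant -AutoSize -Wrap
Get-SessionHostGpu | Format-Table -AutoSize

if ($state.Compliant -contains $false) {
    Write-Warning 'One or more graphics policy values are missing or wrong. Check the Intune assignment or GPO scope, run gpupdate /force on domain-joined hosts, then restart the session host.'
}
```

Run it on the session host after the policy refresh and before the restart: a host with only the GPU settings applied shows ImageQuality as non-compliant, which is expected if you haven't configured the chroma article's settings, and a host with no Terminal Services policy key at all shows every value as absent, which usually means the device isn't in the assigned group.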

Verify a remote session is using a chroma value of 4:4:4
To verify that a remote session is using a chroma value of 4:4:4, you need to open an
Azure support request with Microsoft Support who can verify the chroma value from
telemetry.

Related content
Configure GPU acceleration


Windows Enterprise multi-session FAQ
FAQ

This article answers frequently asked questions and explains best practices for Windows
10 Enterprise multi-session and Windows 11 Enterprise multi-session.

What is Windows Enterprise multi-session?
Windows 10 Enterprise multi-session and Windows 11 Enterprise multi-session allow multiple concurrent interactive sessions. Previously, only Windows Server could do this. This capability gives users a familiar Windows experience while IT can benefit from the cost advantages of multi-session and use existing per-user Windows licensing instead of RDS Client Access Licenses (CALs). For more information about licenses and pricing, see Azure Virtual Desktop pricing.

How many users can simultaneously have an interactive session on Windows Enterprise multi-session?
The number of interactive sessions that can be active at the same time depends on your system's hardware resources (vCPU, memory, disk, and vGPU), how your users use their apps while signed in to a session, and how heavy your system's workload is. We suggest you validate your system's performance to understand how many users you can have on Windows Enterprise multi-session. To learn more, see Azure Virtual Desktop pricing.

Why does my application report Windows Enterprise multi-session as a Server operating system?
Windows Enterprise multi-session is a virtual edition of Windows Enterprise. One of the differences is that this operating system (OS) reports the ProductType as having a value of 3, the same value as Windows Server. This property keeps the OS compatible with existing RDSH management tooling, RDSH multi-session-aware applications, and low-level system performance optimizations for RDSH environments. Some application installers block installation on Windows Enterprise multi-session because they check whether ProductType indicates a client OS and find the Server value instead. If your app won't install, contact your application vendor for an updated version.
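Installers and inventory scripts that branch on ProductType alone classify multi-session as Windows Server. The following PowerShell routine is an added example written for this page, not code from the FAQ: it reads ProductType together with the edition identifier and the OS caption so that multi-session is recognized as a client OS for installation decisions while still being flagged as an RDSH for session-aware configuration. That the EditionID value of Windows Enterprise multi-session is ServerRdsh is not stated on this page; it is an assumption to confirm against your own image.

```powershell
# Added example (not from the FAQ): tell Windows Enterprise multi-session apart from
# Windows Server and from a client edition without trusting ProductType alone.
function Get-WindowsEditionKind {
    [CmdletBinding()]
    param()

    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $cv = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

    # Win32_OperatingSystem.ProductType: 1 = Workstation, 2 = Domain Controller, 3 = Server.
    # Enterprise multi-session reports 3, so a check on this value alone mistakes it for Server.
    $productType = [int]$os.ProductType

    # Assumption (not stated on the page): multi-session images carry EditionID 'ServerRdsh'.
    # The caption check is a second signal in case the edition string differs on a given image.
    $isMultiSession = ($cv.EditionID -eq 'ServerRdsh') -or ($os.Caption -like '*multi-session*')

    $kind = if ($isMultiSession)        { 'EnterpriseMultiSession' }
            elseif ($productType -eq 1) { 'Client' }
            elseif ($productType -eq 2) { 'DomainController' }
            else                        { 'Server' }

    [pscustomobject]@{
        Caption                 = $os.Caption
        EditionID               = $cv.EditionID
        ProductType             = $productType
        Kind                    = $kind
        # Installers should treat multi-session like a client edition.
        TreatAsClientForInstall = ($kind -in 'Client', 'EnterpriseMultiSession')
        # Session-aware configuration (profile containers, per-user app policy) applies to both.
        IsSessionHost           = ($kind -in 'Server', 'EnterpriseMultiSession')
    }
}

Get-WindowsEditionKind | Format-List
```

Use TreatAsClientForInstall in packaging prerequisites instead of a raw ProductType comparison; on a Windows Server session host it stays False, on Enterprise multi-session it becomes True even though ProductType is 3.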

Can I run Windows Enterprise multi-session outside of the Azure Virtual Desktop service?
We don't allow customers to run Windows Enterprise multi-session in production environments outside of the Azure Virtual Desktop service. Only Microsoft or the Azure Virtual Desktop Approved Providers, Citrix and VMware, can provide access to the Azure Virtual Desktop service. It's against the licensing agreement to run Windows multi-session outside of the Azure Virtual Desktop service for production purposes. Windows multi-session also won't activate against on-premises Key Management Services (KMS).

Can I upgrade a Windows VM to Windows Enterprise multi-session?
No. It's not currently possible to upgrade an existing virtual machine (VM) that's running Windows Professional or Enterprise to Windows Enterprise multi-session. Also, if you deploy a Windows Enterprise multi-session VM and then update the product key to another edition, you won't be able to switch the VM back to Windows Enterprise multi-session and will need to redeploy the VM. Changing your Azure Virtual Desktop VM SKU to another edition isn't supported.

Does Windows Enterprise multi-session support Remote Desktop IP Virtualization?
No. Azure Virtual Desktop supported virtual machine OS images don't support Remote Desktop IP Virtualization.

How do I customize the Windows Enterprise multi-session image for my organization?
You can start a VM in Azure with Windows Enterprise multi-session and customize it by
installing LOB applications, sysprep/generalize, and then create an image using the
Azure portal.

To get started, create a VM in Azure with Windows Enterprise multi-session. Instead of starting the VM in Azure, you can download the VHD directly. After that, you'll be able to use the VHD you downloaded to create a new Generation 1 VM on a Windows PC with Hyper-V enabled.

Customize the image to your needs by installing LOB applications and sysprep the
image. When you're done customizing, upload the image to Azure with the VHD inside.
After that, get Azure Virtual Desktop from the Azure Marketplace and use it to deploy a
new host pool with the customized image.

How do I manage Windows Enterprise multi-session after deployment?
You can use any supported configuration tool. We recommend Configuration Manager version 1906 or later, which supports Windows Enterprise multi-session, or Microsoft Intune for Microsoft Entra joined or Microsoft Entra hybrid joined session hosts.

Can Windows Enterprise multi-session be Microsoft Entra joined?
Windows Enterprise multi-session can be Microsoft Entra joined. To get started, follow the steps to Deploy Microsoft Entra joined virtual machines.

Where can I find the Windows Enterprise multi-session image and what does it include?
Windows Enterprise multi-session can be conveniently selected in the Azure Virtual Desktop management interface while managing your environment. When needed, you can navigate to Azure Marketplace, search for the Windows 10 or Windows 11 offering, and select the Windows Enterprise multi-session plan. For an image integrated with Microsoft 365 Apps for Enterprise, search with the keyword multi-session to get to this offering. The marketplace images are updated monthly after the security patch release schedule of Windows Servicing & Delivery. The images with Microsoft 365 apps pre-installed are made available in the marketplace around the middle of the 3rd week of the month and include:

Windows 10 and 11 updates
Microsoft 365 Apps security updates and feature updates
Windows 365 gallery images include the latest Monthly Enterprise Channel release with the latest security updates.
Microsoft Teams updates

Additionally, FSLogix comes pre-installed on all available Windows Enterprise multi-session images. To configure FSLogix, see Configuration options - FSLogix | Microsoft Learn.

Important

All named applications that come pre-installed are the latest version that is
available the 2nd Tuesday of that month. Any app updates after that day can only
be considered in the image update in the upcoming month.

Which Windows Enterprise multi-session versions are supported?
Windows Enterprise multi-session, versions 1909 and later, are supported and are available in the Azure gallery. These releases follow the same support lifecycle policy as Windows Enterprise, which means the March release is supported for 18 months and the September release for 30 months.

Which profile management solution should I use for Windows Enterprise multi-session?
We recommend you use FSLogix profile containers when you configure Windows Enterprise multi-session in non-persistent environments or other scenarios that need a centrally stored profile. FSLogix ensures the user profile is available and up-to-date for every user session. We also recommend you use your FSLogix profile container to store a user profile in any SMB share with appropriate permissions, but you can store user profiles in Azure page blob storage if necessary. Azure Virtual Desktop users can use FSLogix at no additional cost. FSLogix comes pre-installed on all Windows Enterprise multi-session images, but the IT admin is still responsible for configuring the FSLogix profile container.

For more information about how to configure an FSLogix profile container, see
Configure the FSLogix profile container.

Which license do I need to access Windows Enterprise multi-session?
For a full list of applicable licenses, see Azure Virtual Desktop pricing.

Why do my apps disappear after I sign out?
This happens because you're using Windows Enterprise multi-session with a profile
management solution like FSLogix. Your admin or profile solution configured your
system to delete user profiles when users sign out. This configuration means that when
your system deletes your user profile after you sign out, it also removes any apps you
installed during your session. If you want to keep the apps you installed, you'll need to
ask your admin to provision these apps for all users in your Azure Virtual Desktop
environment.

How do I make sure apps don't disappear when users sign out?
Most virtualized environments are configured by default to prevent users from installing
additional apps to their profiles. If you want to make sure an app doesn't disappear
when your user signs out of Azure Virtual Desktop, you have to provision that app for all
user profiles in your environment. For more information about provisioning apps, check
out these resources:

Publish built-in apps in Azure Virtual Desktop
DISM app package servicing command-line options
Add-AppxProvisionedPackage

How do I make sure users don't download and install apps from the Microsoft Store?
You can disable the Microsoft Store app to make sure users don't download extra apps
beyond the apps you've already provisioned for them.

To disable the Store app:

1. Create and edit a new Group Policy Object.
2. Select Computer Configuration > Policies > Administrative Templates >
Windows Components > Store.
3. Open the Turn off the Store Application setting.
4. Select the Enabled option.
5. Click the Apply button.
6. Click the OK button.

Can Windows Enterprise multi-session and Windows 11 Enterprise multi-session receive feature updates through Windows Server Update Services (WSUS)?
Yes. You can update Windows Enterprise multi-session and Windows 11 Enterprise
multi-session with the appropriate feature updates published to WSUS. The underlying
VM must meet the hardware requirements for Windows 11.

Next steps
To learn more about Azure Virtual Desktop and Windows Enterprise multi-session:

Read our Azure Virtual Desktop documentation


Visit our Azure Virtual Desktop TechCommunity
Set up your Azure Virtual Desktop deployment with the Azure Virtual Desktop
tutorials


Fair Share technologies are enabled by
default in Remote Desktop Services
Article • 11/01/2024
Applies to: ✅ Windows Server 2025, ✅ Windows Server 2022, ✅ Windows Server 2019, ✅ Windows Server 2016

This article describes how a Remote Desktop Session Host (RDSH) server, Windows 10
Enterprise multi-session, Windows 11 Enterprise multi-session, and Windows Server use
Fair Share technologies to balance CPU, disk, and network bandwidth resources among
multiple Remote Desktop sessions.

Original KB number: 4494631

Introduction
Remote Desktop Services (RDS) server, Windows 10 Enterprise multi-session and
Windows 11 Enterprise multi-session use Fair Share technologies for CPU resources to
manage resources. RDS builds on the Fair Share technologies to add features for
allocating network bandwidth and disk resources. Fair Share CPU Scheduling is enabled
by default, while Dynamic Disk Fair Share and Dynamic Network Fair Share are disabled.
You can change the defaults by using PowerShell and WMI.

For more information about the related properties in WMI, see
Win32_TerminalServiceSetting class: Properties.

Note

Before turning on Dynamic Disk Fair Share or Dynamic Network Fair Share, it's
recommended to review performance on applications that require exchanging
larger amounts of data.

Fair Share CPU Scheduling

Fair Share CPU Scheduling dynamically distributes processor time across all RDS and
Azure Virtual Desktop (AVD) multi-session sessions on the same Session Host server,
based on the number of sessions and the demand for processor time within each
session. This process creates a consistent user experience across all of the active
sessions, while sessions are being created and deleted dynamically. This feature builds
on the Dynamic Fair Share Scheduling technology (DFSS) that was part of Windows
Server.

Dynamic Disk Fair Share

When disk-intensive processes run in one or more sessions, they can starve non-disk
intensive processes and prevent them from ever accessing disk resources. To fix this
issue, the Dynamic Disk Fair Share feature balances disk access among the different
sessions by balancing disk IO and throttling excess disk usage.

Dynamic Network Fair Share

When bandwidth-intensive applications run in one or more sessions, they can starve
applications in other sessions of bandwidth. To equalize network consumption among
the sessions, the Network Fair Share feature uses a round-robin approach to allocate
bandwidth for each session.

In a centralized computing scenario, the Dynamic Network Fair Share feature tries to
fairly distribute network interface bandwidth load among the sessions.
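As an added example that is not part of this article, the following PowerShell reads the three Fair Share switches through the Win32_TerminalServiceSetting class referenced above and changes them on request. The namespace root\cimv2\TerminalServices and the property names EnableDFSS, EnableDiskFSS and EnableNetworkFSS are assumed from that class reference; confirm them against the linked property list before relying on them.

```powershell
# Added example (not from the original article). Inspect and change the Fair Share
# defaults on a session host through WMI. Assumed: the Win32_TerminalServiceSetting
# class lives in root\cimv2\TerminalServices and exposes EnableDFSS (CPU),
# EnableDiskFSS (disk) and EnableNetworkFSS (network). Run elevated.

$fairShareNamespace = 'root\cimv2\TerminalServices'
$fairShareClass     = 'Win32_TerminalServiceSetting'

function Get-FairShareSetting {
    # Returns the current state of the three Fair Share switches as one object.
    $ts = Get-CimInstance -Namespace $fairShareNamespace -ClassName $fairShareClass
    [pscustomobject]@{
        CpuFairShare     = [bool]$ts.EnableDFSS         # on by default
        DiskFairShare    = [bool]$ts.EnableDiskFSS      # off by default
        NetworkFairShare = [bool]$ts.EnableNetworkFSS   # off by default
    }
}

function Set-FairShareSetting {
    # Changes only the switches that were passed; unspecified ones are left alone.
    param(
        [Nullable[bool]]$Cpu,
        [Nullable[bool]]$Disk,
        [Nullable[bool]]$Network
    )
    $ts = Get-CimInstance -Namespace $fairShareNamespace -ClassName $fairShareClass
    $changes = @{}
    if ($null -ne $Cpu)     { $changes['EnableDFSS']       = [uint32]$Cpu }
    if ($null -ne $Disk)    { $changes['EnableDiskFSS']    = [uint32]$Disk }
    if ($null -ne $Network) { $changes['EnableNetworkFSS'] = [uint32]$Network }

    if ($changes.Count -gt 0) {
        # Set-CimInstance writes the modified properties back through WMI (Put).
        Set-CimInstance -InputObject $ts -Property $changes
    }
    Get-FairShareSetting
}

# Show the defaults described in the article: CPU on, disk and network off.
Get-FairShareSetting

# Example: turn on Dynamic Disk Fair Share after testing disk-heavy applications,
# as the note above recommends. Uncomment to apply.
# Set-FairShareSetting -Disk $true
```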

User profile management for Azure
Virtual Desktop with FSLogix profile
containers
Article • 08/22/2024

A user profile contains data elements about an individual, including configuration
information like desktop settings, persistent network connections, and application
settings. By default, Windows creates a local user profile that is tightly integrated with
the operating system.

A remote user profile provides a partition between user data and the operating system.
It allows the operating system to be replaced or changed without affecting the user
data. With a VDI solution, such as Azure Virtual Desktop, the operating system may be
replaced for the following reasons:

An upgrade of the operating system.
A replacement of an existing session host.
A user is assigned to a pooled host pool where they might connect to a different
session host each time they sign in.

We recommend using FSLogix profile containers with Azure Virtual Desktop to manage
and roam user profiles and personalization. FSLogix profile containers store a complete
user profile in a single container. At sign in, this container is dynamically attached to the
remote session as a natively supported Virtual Hard Disk (VHDX or VHD) file. The user
profile is immediately available and appears in the system exactly like a native user
profile. This article describes how FSLogix profile containers work with Azure Virtual
Desktop.

Note

If you're looking for comparison material about the different FSLogix Profile
Container storage options on Azure, see Storage options for FSLogix profile
containers.

FSLogix profile containers

Existing and legacy Microsoft solutions for user profiles came with various challenges.
No previous solution handled all the user profile needs of a VDI environment.
FSLogix profile containers address many user profile challenges. Key among them are:

Performance: The FSLogix profile containers are high performance and resolve
performance issues that have historically blocked cached exchange mode.

OneDrive: Without FSLogix profile containers, OneDrive is not supported in non-
persistent VDI environments.

Additional folders: FSLogix profile containers provides the ability to extend user
profiles to include additional folders.

Best practices for Azure Virtual Desktop

Azure Virtual Desktop offers full control over size, type, and count of VMs that are being
used by customers. For more information, see What is Azure Virtual Desktop?.

To ensure your Azure Virtual Desktop environment follows best practices:

We recommend you use Azure Files or Azure NetApp Files to store profile
containers. To compare the different FSLogix Profile Container storage options on
Azure, see Storage options for FSLogix profile containers.

The storage account must be in the same region as the session host VMs.

Azure Files permissions should match permissions described in Configure SMB
Storage Permissions for FSLogix.

Azure Files has limits on the number of open handles per root directory,
directory, and file. For more information on the limits and sizing guidance, see
Azure Files scalability and performance targets and Azure Files sizing guidance
for Azure Virtual Desktop.

Each host pool VM must be built of the same type and size VM based on the same
master image.

Each host pool VM must be in the same resource group to aid management,
scaling and updating.

For optimal performance, the storage solution and the FSLogix profile container
should be in the same data center location.

The storage account containing the master image must be in the same region and
subscription where the VMs are being provisioned.

Next steps
To learn more about storage options for FSLogix profile containers, see Storage
options for FSLogix profile containers in Azure Virtual Desktop.
Set up FSLogix Profile Container with Azure Files and Active Directory
Set up FSLogix Profile Container with Azure Files and Microsoft Entra ID
Set up FSLogix Profile Container with Azure NetApp Files



Storage options for FSLogix profile
containers in Azure Virtual Desktop
Article • 03/12/2023

Azure offers multiple storage solutions that you can use to store your FSLogix profile
container. This article compares storage solutions that Azure offers for Azure Virtual
Desktop FSLogix user profile containers. We recommend storing FSLogix profile
containers on Azure Files for most of our customers.

Azure Virtual Desktop offers FSLogix profile containers as the recommended user profile
solution. FSLogix is designed to roam profiles in remote computing environments, such
as Azure Virtual Desktop. At sign-in, this container is dynamically attached to the
computing environment using a natively supported Virtual Hard Disk (VHD) and a
Hyper-V Virtual Hard Disk (VHDX). The user profile is immediately available and appears
in the system exactly like a native user profile.

The following tables compare the storage solutions Azure Storage offers for Azure
Virtual Desktop FSLogix profile container user profiles.

Azure platform details

Use case
  Azure Files: General purpose
  Azure NetApp Files: General purpose to enterprise scale
  Storage Spaces Direct: Cross-platform

Platform service
  Azure Files: Yes, Azure-native solution
  Azure NetApp Files: Yes, Azure-native solution
  Storage Spaces Direct: No, self-managed

Regional availability
  Azure Files: All regions
  Azure NetApp Files: Select regions
  Storage Spaces Direct: All regions

Redundancy
  Azure Files: Locally redundant/zone-redundant/geo-redundant/geo-zone-redundant
  Azure NetApp Files: Locally redundant/zone-redundant with cross-zone replication/geo-redundant with cross-region replication
  Storage Spaces Direct: Locally redundant/zone-redundant/geo-redundant

Tiers and performance
  Azure Files: Standard (Transaction optimized); Premium: up to max 100K IOPS per share with 10 GBps per share at about 3-ms latency
  Azure NetApp Files: Standard, Premium, Ultra; up to max 460K IOPS per volume with 4.5 GBps per volume at about 1 ms latency. For IOPS and performance details, see Azure NetApp Files performance considerations and the FAQ.
  Storage Spaces Direct: Standard HDD: up to 500 IOPS per-disk limits; Standard SSD: up to 4k IOPS per-disk limits; Premium SSD: up to 20k IOPS per-disk limits. We recommend Premium disks for Storage Spaces Direct.

Capacity
  Azure Files: 100 TiB per share, up to 5 PiB per general purpose account
  Azure NetApp Files: 100 TiB per volume, up to 12.5 PiB per NetApp account
  Storage Spaces Direct: Maximum 32 TiB per disk

Required infrastructure
  Azure Files: Minimum share size 1 GiB
  Azure NetApp Files: Minimum capacity pool 2 TiB, min volume size 100 GiB
  Storage Spaces Direct: Two VMs on Azure IaaS (+ Cloud Witness) or at least three VMs without, plus costs for disks

Protocols
  Azure Files: SMB 3.0/2.1, NFSv4.1 (preview), REST
  Azure NetApp Files: NFSv3, NFSv4.1, SMB 3.x/2.x, dual-protocol
  Storage Spaces Direct: NFSv3, NFSv4.1, SMB 3.1

Azure management details

Access
  Azure Files: Cloud, on-premises and hybrid (Azure file sync)
  Azure NetApp Files: Cloud, on-premises
  Storage Spaces Direct: Cloud, on-premises

Backup
  Azure Files: Azure backup snapshot integration
  Azure NetApp Files: Azure NetApp Files snapshots, Azure NetApp Files backup
  Storage Spaces Direct: Azure backup snapshot integration

Security and compliance
  Azure Files: All Azure supported certificates
  Azure NetApp Files: Azure supported certificates
  Storage Spaces Direct: All Azure supported certificates

Azure Active Directory integration
  Azure Files: Native Active Directory and Azure Active Directory Domain Services
  Azure NetApp Files: Azure Active Directory Domain Services and Native Active Directory
  Storage Spaces Direct: Native Active Directory or Azure Active Directory Domain Services support only

Once you've chosen your storage method, check out Azure Virtual Desktop pricing for
information about our pricing plans.

Azure Files tiers

Azure Files offers two different tiers of storage: premium and standard. These tiers let
you tailor the performance and cost of your file shares to meet your scenario's
requirements.

Premium file shares are backed by solid-state drives (SSDs) and are deployed in
the FileStorage storage account type. Premium file shares provide consistent high
performance and low latency for input and output (IO) intensive workloads.
Premium file shares use a provisioned billing model, where you pay for the amount
of storage you would like your file share to have, regardless of how much you use.

Standard file shares are backed by hard disk drives (HDDs) and are deployed in the
general purpose version 2 (GPv2) storage account type. Standard file shares
provide reliable performance for IO workloads that are less sensitive to
performance variability, such as general-purpose file shares and dev/test
environments. Standard file shares use a pay-as-you-go billing model, where you
pay based on storage usage, including data stored and transactions.

To learn more about how billing works in Azure Files, see Understand Azure Files billing.

The following table lists our recommendations for which performance tier to use based
on your workload. These recommendations will help you select the performance tier
that meets your performance targets, budget, and regional considerations. We've based
these recommendations on the example scenarios from Remote Desktop workload
types.

Workload type: Recommended file tier
Light (fewer than 200 users): Standard file shares
Light (more than 200 users): Premium file shares or standard with multiple file shares
Medium: Premium file shares
Heavy: Premium file shares
Power: Premium file shares

For more information about Azure Files performance, see File share and file scale
targets. For more information about pricing, see Azure Files pricing.

Azure NetApp Files tiers

Azure NetApp Files volumes are organized in capacity pools. Volume performance is
defined by the service level of the hosting capacity pool. Three performance levels are
offered: ultra, premium, and standard. For more information, see Storage hierarchy of
Azure NetApp Files. Azure NetApp Files performance is a function of tier times capacity.
More provisioned capacity leads to a higher performance budget, which likely results in a
lower tier requirement, providing a more optimal TCO.

The following table lists our recommendations for which performance tier to use based
on workload defaults.

Light
  Example users: Users doing basic data entry tasks
  Azure NetApp Files: Standard tier

Medium
  Example users: Consultants and market researchers
  Azure NetApp Files: Premium tier: small-medium user count; Standard tier: large user count

Heavy
  Example users: Software engineers, content creators
  Azure NetApp Files: Premium tier: small-medium user count; Standard tier: large user count

Power
  Example users: Graphic designers, 3D model makers, machine learning researchers
  Azure NetApp Files: Ultra tier: small user count; Premium tier: medium user count; Standard tier: large user count

In order to provision the optimal tier and volume size, consider using this calculator
for guidance.

Next steps
To learn more about FSLogix profile containers, user profile disks, and other user profile
technologies, see the table in FSLogix profile containers and Azure Files.
If you're ready to create your own FSLogix profile containers, get started with one of
these tutorials:

Set up FSLogix Profile Container with Azure Files and Active Directory
Set up FSLogix Profile Container with Azure NetApp Files

Store FSLogix profile containers on
Azure Files and Microsoft Entra ID
Article • 10/18/2024

In this article, you'll learn how to create and configure an Azure Files share for Microsoft
Entra Kerberos authentication. This configuration allows you to store FSLogix profiles
that can be accessed by hybrid user identities from Microsoft Entra joined or Microsoft
Entra hybrid joined session hosts without requiring network line-of-sight to domain
controllers. Microsoft Entra Kerberos enables Microsoft Entra ID to issue the necessary
Kerberos tickets to access the file share with the industry-standard SMB protocol.

This feature is supported in the Azure cloud, Azure for US Government, and Azure
operated by 21Vianet.

Prerequisites
Before deploying this solution, verify that your environment meets the requirements to
configure Azure Files with Microsoft Entra Kerberos authentication.

When used for FSLogix profiles in Azure Virtual Desktop, the session hosts don't need to
have network line-of-sight to the domain controller (DC). However, a system with
network line-of-sight to the DC is required to configure the permissions on the Azure
Files share.

Configure your Azure storage account and file share
To store your FSLogix profiles on an Azure file share:

1. Create an Azure Storage account if you don't already have one.

Note

Your Azure Storage account can't authenticate with both Microsoft Entra ID
and a second method like Active Directory Domain Services (AD DS) or
Microsoft Entra Domain Services. You can only use one authentication
method.

2. Create an Azure Files share under your storage account to store your FSLogix
profiles if you haven't already.

3. Enable Microsoft Entra Kerberos authentication on Azure Files to enable access
from Microsoft Entra joined VMs.

When configuring the directory and file-level permissions, review the
recommended list of permissions for FSLogix profiles at Configure the
storage permissions for profile containers.
Without proper directory-level permissions in place, a user can delete the
user profile or access the personal information of a different user. It's
important to make sure users have proper permissions to prevent accidental
deletion from happening.

Configure your local Windows device

To access Azure file shares from a Microsoft Entra joined VM for FSLogix profiles, you
must configure the local Windows device your FSLogix profiles are being loaded onto.
To configure your device:

1. Enable the Microsoft Entra Kerberos functionality using one of the following
methods.

Configure this Intune Policy CSP and apply it to the session host:
Kerberos/CloudKerberosTicketRetrievalEnabled.

Note

Windows multi-session client operating systems don't support Policy CSP as
they only support the settings catalog, so you'll need to use one of the other
methods. Learn more at Using Azure Virtual Desktop multi-session with
Intune.

Enable this Group policy on your device. The path will be one of the
following, depending on the version of Windows you use:

Administrative Templates\System\Kerberos\Allow retrieving the cloud kerberos ticket during the logon

Administrative Templates\System\Kerberos\Allow retrieving the Azure AD Kerberos Ticket Granting Ticket during logon

Create the following registry value on your device:

reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters /v CloudKerberosTicketRetrievalEnabled /t REG_DWORD /d 1

2. When you use Microsoft Entra ID with a roaming profile solution like FSLogix, the
credential keys in Credential Manager must belong to the profile that's currently
loading. This lets you load your profile on many different VMs instead of being
limited to just one. To enable this setting, create a new registry value by running
the following command:

reg add HKLM\Software\Policies\Microsoft\AzureADAccount /v LoadCredKeyFromProfile /t REG_DWORD /d 1

Note

The session hosts don't need network line-of-sight to the domain controller.

Configure FSLogix on your local Windows device

This section shows you how to configure your local Windows device with FSLogix. You'll
need to follow these instructions every time you configure a device. There are several
options available that ensure the registry keys are set on all session hosts. You can set
these options in an image or configure a group policy.

To configure FSLogix:

1. Update or install FSLogix on your device, if needed.

Note

If you're configuring a session host created using the Azure Virtual Desktop
service, FSLogix should already be pre-installed.

2. Follow the instructions in Configure profile container registry settings to create the
Enabled and VHDLocations registry values. Set the value of VHDLocations to
\\<Storage-account-name>.file.core.windows.net\<file-share-name>.
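As an added example that is not part of this article, the following PowerShell applies the four registry values from the device and FSLogix steps above in one pass and then reports which of them are actually present on the session host. The registry paths and value names are the ones the article gives; the storage account and share names are placeholders you replace.

```powershell
# Added example (not from the original article). Sets the registry values the steps
# above describe and verifies them. <storage-account-name> and <file-share-name> are
# placeholders. Run in an elevated PowerShell session on the session host, then restart.

param(
    [string]$StorageAccountName = '<storage-account-name>',   # placeholder
    [string]$ShareName          = '<file-share-name>'         # placeholder
)

$vhdLocation = "\\$StorageAccountName.file.core.windows.net\$ShareName"

# Desired state: one entry per registry value from the article.
$settings = @(
    @{ Path  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
       Name  = 'CloudKerberosTicketRetrievalEnabled'; Type = 'DWord'; Value = 1 }
    @{ Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\AzureADAccount'
       Name  = 'LoadCredKeyFromProfile'; Type = 'DWord'; Value = 1 }
    @{ Path  = 'HKLM:\SOFTWARE\FSLogix\Profiles'
       Name  = 'Enabled'; Type = 'DWord'; Value = 1 }
    @{ Path  = 'HKLM:\SOFTWARE\FSLogix\Profiles'
       Name  = 'VHDLocations'; Type = 'MultiString'; Value = @($vhdLocation) }
)

function Set-ProfileContainerSetting {
    # Creates each key if needed and writes the value (overwriting an existing one).
    param([hashtable[]]$Desired)
    foreach ($s in $Desired) {
        if (-not (Test-Path -Path $s.Path)) {
            New-Item -Path $s.Path -Force | Out-Null
        }
        New-ItemProperty -Path $s.Path -Name $s.Name -PropertyType $s.Type `
                         -Value $s.Value -Force | Out-Null
    }
}

function Test-ProfileContainerSetting {
    # Returns one object per setting with the value read back and a Compliant flag,
    # so a missing or mistyped value shows up before the first user signs in.
    param([hashtable[]]$Desired)
    foreach ($s in $Desired) {
        $item   = Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue
        $actual = if ($item) { $item.($s.Name) } else { $null }
        $ok = if ($s.Type -eq 'MultiString') {
            (@($actual) -join ';') -eq (@($s.Value) -join ';')
        } else {
            $actual -eq $s.Value
        }
        [pscustomobject]@{
            Path      = $s.Path
            Name      = $s.Name
            Actual    = $actual
            Compliant = [bool]$ok
        }
    }
}

Set-ProfileContainerSetting  -Desired $settings
Test-ProfileContainerSetting -Desired $settings | Format-Table -AutoSize
```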

Test your deployment

Once you've installed and configured FSLogix, you can test your deployment by signing
in with a user account that's been assigned to an application group on the host pool.
The user account you sign in with must have permission to use the file share.

If the user has signed in before, they'll have an existing local profile that the service will
use during this session. To avoid creating a local profile, either create a new user
account to use for tests or use the configuration methods described in Tutorial:
Configure profile container to redirect user profiles to enable the
DeleteLocalProfileWhenVHDShouldApply setting.

Finally, verify the profile created in Azure Files after the user has successfully signed in:

1. Open the Azure portal and sign in with an administrative account.

2. From the sidebar, select Storage accounts.

3. Select the storage account you configured for your session host pool.

4. From the sidebar, select File shares.

5. Select the file share you configured to store the profiles.

6. If everything's set up correctly, you should see a directory with a name that's
formatted like this: <user SID>_<username>.

Next steps
To troubleshoot FSLogix, see this troubleshooting guide.



Store FSLogix profile containers on
Azure Files and Active Directory Domain
Services or Microsoft Entra Domain
Services
Article • 10/18/2024

This article shows you how to set up a FSLogix profile container with Azure Files when
your session host virtual machines (VMs) are joined to an Active Directory Domain
Services (AD DS) domain or Microsoft Entra Domain Services managed domain.

Prerequisites
To configure a profile container, you need the following:

A host pool where the session hosts are joined to an AD DS domain or Microsoft
Entra Domain Services managed domain and users are assigned.
A security group in your domain that contains the users who will use the profile
container. If you're using AD DS, this must be synchronized to Microsoft Entra ID.
Permission on your Azure subscription to create a storage account and add role
assignments.
A domain account to join computers to the domain and open an elevated
PowerShell prompt.
The subscription ID of your Azure subscription where your storage account will be.
A computer joined to your domain for installing and running PowerShell modules
that will join a storage account to your domain. This device needs to be running a
Supported version of Windows. Alternatively, you can use a session host.

Important

If users have previously signed in to the session hosts you want to use, local
profiles will have been created for them and must be deleted first by an
administrator for their profile to be stored in a profile container.

Set up a storage account for a profile container

To set up a storage account:

1. Create an Azure Storage account if you don't already have one.

Tip

Your organization may have requirements to change these defaults:

Whether you should select Premium depends on your IOPS and latency
requirements. For more information, see Container storage options.
On the Advanced tab, Enable storage account key access must be left
enabled.
For more information on the remaining configuration options, see Plan
for an Azure Files deployment.

2. Create an Azure Files share under your storage account to store your FSLogix
profiles if you haven't already.

Join your storage account to Active Directory

To use Active Directory accounts for the share permissions of your file share, you need
to enable AD DS or Microsoft Entra Domain Services as a source. This process joins your
storage account to a domain, representing it as a computer account. Select the relevant
tab below for your scenario and follow the steps.

AD DS

1. Sign in to a computer that is joined to your AD DS domain. Alternatively, sign
in to one of your session hosts.

2. Download and extract the latest version of AzFilesHybrid from the Azure
Files samples GitHub repo. Make a note of the folder you extract the files to.

3. Open an elevated PowerShell prompt and change to the directory where you
extracted the files.

4. Run the following command to add the AzFilesHybrid module to your user's
PowerShell modules directory:

PowerShell

.\CopyToPSPath.ps1

5. Import the AzFilesHybrid module by running the following command:

PowerShell

Import-Module -Name AzFilesHybrid

Important

This module requires the PowerShell Gallery and Azure PowerShell. You
may be prompted to install these if they are not already installed or they
need updating. If you are prompted for these, install them, then close all
instances of PowerShell. Re-open an elevated PowerShell prompt and
import the AzFilesHybrid module again before continuing.

6. Sign in to Azure by running the command below. You'll need to use an
account that has one of the following role-based access control (RBAC) roles:

Storage account owner
Owner
Contributor

PowerShell

Connect-AzAccount

Tip

If your Azure account has access to multiple tenants and/or subscriptions,
you will need to select the correct subscription by setting your context.
For more information, see Azure PowerShell context objects.

7. Join the storage account to your domain by running the commands below,
replacing the values for $subscriptionId, $resourceGroupName, and
$storageAccountName with your values. You can also add the parameter
-OrganizationalUnitDistinguishedName to specify an Organizational Unit (OU) in
which to place the computer account.

PowerShell

$subscriptionId = "subscription-id"
$resourceGroupName = "resource-group-name"
$storageAccountName = "storage-account-name"

# Make the subscription that holds the storage account the current context
Select-AzSubscription -SubscriptionId $subscriptionId

Join-AzStorageAccount `
    -ResourceGroupName $resourceGroupName `
    -StorageAccountName $storageAccountName `
    -DomainAccountType "ComputerAccount"

8. To verify the storage account is joined to your domain, run the commands
below and review the output, replacing the values for $resourceGroupName and
$storageAccountName with your values:

PowerShell

$resourceGroupName = "resource-group-name"
$storageAccountName = "storage-account-name"

$account = Get-AzStorageAccount -ResourceGroupName $resourceGroupName -Name $storageAccountName
$account.AzureFilesIdentityBasedAuth.DirectoryServiceOptions
$account.AzureFilesIdentityBasedAuth.ActiveDirectoryProperties

Important

If your domain enforces password expiration, you must update the password
before it expires to prevent authentication failures when accessing Azure file
shares. For details, see Update the password of your storage account identity
in AD DS.

Assign RBAC role to users

Users needing to store profiles in your file share need permission to access it. To do this,
you need to assign each user the Storage File Data SMB Share Contributor role.

To assign users the role:

1. From the Azure portal, browse to the storage account, then to the file share you
created previously.

2. Select Access control (IAM).

3. Select + Add, then select Add role assignment from the drop-down menu.
4. Select the role Storage File Data SMB Share Contributor and select Next.

5. On the Members tab, select User, group, or service principal, then select +Select
members. In the search bar, search for and select the security group that contains
the users who will use the profile container.

6. Select Review + assign to complete the assignment.

Set NTFS permissions

Next, you'll need to set NTFS permissions on the folder, which requires you to get the
access key for your Storage account.

To get the Storage account access key:

1. From the Azure portal, search for and select storage account in the search bar.

2. From the list of storage accounts, select the account that you enabled Active
Directory Domain Services or Microsoft Entra Domain Services as the identity
source and assigned the RBAC role for in the previous sections.

3. Under Security + networking, select Access keys, then show and copy the key
from key1.

To set the correct NTFS permissions on the folder:

1. Sign in to a session host that is part of your host pool.

2. Open an elevated PowerShell prompt and run the command below to map the
storage account as a drive on your session host. The mapped drive won't show in
File Explorer, but can be viewed with the net use command. This is so you can set
permissions on the share.

Windows Command Prompt

net use <desired-drive-letter>: \\<storage-account-name>.file.core.windows.net\<share-name> <storage-account-key> /user:Azure\<storage-account-name>

Replace <desired-drive-letter> with a drive letter of your choice (for example, y:).
Replace both instances of <storage-account-name> with the name of the storage account you specified earlier.
Replace <share-name> with the name of the share you created earlier.
Replace <storage-account-key> with the storage account key from Azure.

For example:

Windows Command Prompt

net use y: \\fsprofile.file.core.windows.net\share HDZQRoFP2BBmoYQ(truncated)== /user:Azure\fsprofile

3. Run the following commands to set permissions on the share that allow your
Azure Virtual Desktop users to create their own profile while blocking access to the
profiles of other users. You should use an Active Directory security group that
contains the users you want to use the profile container. In the commands below,
replace <mounted-drive-letter> with the letter of the drive you used to map the
drive and <DOMAIN\GroupName> with the domain and sAMAccountName of the
Active Directory group that will require access to the share. You can also specify
the user principal name (UPN) of a user.

Windows Command Prompt

icacls <mounted-drive-letter>: /grant "<DOMAIN\GroupName>:(M)"
icacls <mounted-drive-letter>: /grant "Creator Owner:(OI)(CI)(IO)(M)"
icacls <mounted-drive-letter>: /remove "Authenticated Users"
icacls <mounted-drive-letter>: /remove "Builtin\Users"

For example:

Windows Command Prompt

icacls y: /grant "CONTOSO\AVDUsers:(M)"
icacls y: /grant "Creator Owner:(OI)(CI)(IO)(M)"
icacls y: /remove "Authenticated Users"
icacls y: /remove "Builtin\Users"
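As an added example that is not part of this article, the following PowerShell audits the ACL on the mapped share root against the icacls model above: the profile group holds Modify on the root only, Creator Owner holds the inherit-only Modify entry, and the broad built-in principals are gone. Y:\ and CONTOSO\AVDUsers are the placeholders from the example above.

```powershell
# Added example (not from the original article). Checks that the share root ACL
# matches the icacls commands above. Run on the session host where the share was
# mapped with net use; 'Y:\' and 'CONTOSO\AVDUsers' are placeholders.

function Test-ProfileShareAcl {
    param(
        [Parameter(Mandatory)][string]$Path,           # mapped share root, e.g. 'Y:\'
        [Parameter(Mandatory)][string]$ProfileGroup    # e.g. 'CONTOSO\AVDUsers'
    )
    $modify   = [System.Security.AccessControl.FileSystemRights]::Modify
    $rules    = (Get-Acl -Path $Path).Access
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. The profile-users group needs Modify on the share root only ("(M)" without
    #    inheritance flags), so users can create their own profile folder but the
    #    grant does not flow down into other users' folders.
    $groupRules = $rules | Where-Object {
        $_.IdentityReference.Value -eq $ProfileGroup -and $_.AccessControlType -eq 'Allow'
    }
    if (-not $groupRules) {
        $findings.Add("$ProfileGroup has no Allow entry on $Path")
    } elseif (-not ($groupRules | Where-Object {
                $_.FileSystemRights.HasFlag($modify) -and $_.InheritanceFlags -eq 'None' })) {
        $findings.Add("$ProfileGroup entry is not Modify on this folder only")
    }

    # 2. CREATOR OWNER must carry the inherit-only Modify entry "(OI)(CI)(IO)(M)", so
    #    whoever creates a folder becomes the only user able to read or write inside it.
    $ownerRule = $rules | Where-Object {
        $_.IdentityReference.Value -eq 'CREATOR OWNER' -and
        $_.FileSystemRights.HasFlag($modify) -and
        $_.InheritanceFlags -eq 'ContainerInherit, ObjectInherit' -and
        $_.PropagationFlags -eq 'InheritOnly'
    }
    if (-not $ownerRule) {
        $findings.Add('CREATOR OWNER is missing the (OI)(CI)(IO)(M) entry')
    }

    # 3. The principals removed by the icacls /remove lines must have no entry left;
    #    either one would let every signed-in user into other users' profiles.
    foreach ($broad in 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users') {
        if ($rules | Where-Object { $_.IdentityReference.Value -eq $broad }) {
            $findings.Add("$broad still has an entry on $Path")
        }
    }

    [pscustomobject]@{
        Path      = $Path
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings.ToArray()
    }
}

Test-ProfileShareAcl -Path 'Y:\' -ProfileGroup 'CONTOSO\AVDUsers' | Format-List
```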

Configure your local Windows device to use profile containers

In order to use profile containers, you'll need to make sure FSLogix Apps is installed on
your device. If you're configuring Azure Virtual Desktop, FSLogix Apps is preinstalled in
Windows 10 Enterprise multi-session and Windows 11 Enterprise multi-session
operating systems, but you should still follow the steps below as it might not have the
latest version installed. If you're using a custom image, you can install FSLogix Apps in
your image.

To configure profile containers, we recommend you use Group Policy Preferences to set
registry keys and values at scale across all your session hosts. You can also set these in
your custom image.

To configure your local Windows device:

1. If you need to install or update FSLogix Apps, download the latest version of
FSLogix and install it by running FSLogixAppsSetup.exe , then following the
instructions in the setup wizard. For more details about the installation process,
including customizations and unattended installation, see Download and Install
FSLogix.

2. Open an elevated PowerShell prompt and run the following commands, replacing
\\<storage-account-name>.file.core.windows.net\<share-name> with the UNC path
to the storage account you created earlier. These commands enable the profile
container and configure the location of the share.

PowerShell

$regPath = "HKLM:\SOFTWARE\FSLogix\profiles"
New-ItemProperty -Path $regPath -Name Enabled -PropertyType DWORD -Value 1 -Force
# Quote the UNC path so PowerShell doesn't parse the angle brackets as redirection
New-ItemProperty -Path $regPath -Name VHDLocations -PropertyType MultiString -Value "\\<storage-account-name>.file.core.windows.net\<share-name>" -Force

3. Restart your device. You'll need to repeat these steps for any remaining devices.

You have now finished setting up your profile container. If you're installing the
profile container in your custom image, you'll need to finish creating the custom image.
For more information, follow the steps in Create a custom image in Azure from the
section Take the final snapshot onwards.

Validate profile creation


Once you've installed and configured the profile container, you can test your
deployment by signing in with a user account that's been assigned an application group
or desktop on the host pool.

If the user has signed in before, they'll have an existing local profile that they'll use
during this session. Either delete the local profile first, or create a new user account to
use for tests.

Users can check that the profile container is set up by following the steps below:

1. Sign in to Azure Virtual Desktop as the test user.

2. When the user signs in, the message "Please wait for the FSLogix Apps Services"
should appear as part of the sign-in process, before reaching the desktop.

Administrators can check the profile folder has been created by following the steps
below:

1. Open the Azure portal.

2. Open the storage account you created previously.

3. Go to Data storage in your storage account, then select File shares.

4. Open your file share and make sure the user profile folder you've created is in
there.


Store FSLogix profile containers on
Azure NetApp Files
Article • 10/18/2024

FSLogix profile containers store a complete user profile in a single container and are
designed to roam profiles in non-persistent remote computing environments like Azure
Virtual Desktop. When you sign in, the container dynamically attaches to the computing
environment using a locally supported virtual hard disk (VHD) and Hyper-V virtual hard
disk (VHDX). These advanced filter-driver technologies allow the user profile to be
immediately available and appear in the system exactly like a local user profile. To learn
more about FSLogix profile containers, see User profile management with FSLogix
profile containers.

You can create FSLogix profile containers using Azure NetApp Files, an easy-to-use
Azure native platform service that helps customers quickly and reliably provision
enterprise-grade SMB volumes for their Azure Virtual Desktop environments. To learn
more about Azure NetApp Files, see What is Azure NetApp Files?.

Note

This article doesn't cover best practices for securing access to the Azure NetApp
Files share.

Note

If you're looking for comparison material about the different FSLogix Profile
Container storage options on Azure, see Storage options for FSLogix profile
containers.

Considerations
To optimize performance and scalability, the number of concurrent users accessing
FSLogix profile containers stored on a single Azure NetApp Files regular volume
should be limited to 3,000. Having more than 3,000 concurrent users on a single
volume causes significant increased latency on the volume. If your scenario
requires more than 3,000 concurrent users, divide users across multiple regular
volumes or use a large volume. A single large volume can store FSLogix profiles for
up to 50,000 concurrent users. For more information on large volumes, see
Requirements and considerations for large volumes.

FSLogix profile containers on Azure NetApp Files can be accessed by users
authenticating from Active Directory Domain Services (AD DS) and from hybrid
identities, allowing Microsoft Entra users to access profile containers without
requiring line-of-sight to domain controllers from Microsoft Entra hybrid joined
and Microsoft Entra joined virtual machines (VMs). For more information, see
Access SMB volumes from Microsoft Entra joined Windows VMs.

To protect your FSLogix profile containers, consider using Azure NetApp Files
snapshots and Azure NetApp Files backup.

Prerequisites
Before you can configure an FSLogix profile container with Azure NetApp Files, you
must have:

An Azure account with contributor or administrator permissions.

Set up your Azure NetApp Files account


To get started, you need to create and set up an Azure NetApp Files account.

1. To create a NetApp account, see Create a NetApp account.

2. You need to create a new capacity pool. See Create a capacity pool for Azure
NetApp Files.

3. You then need to join an Active Directory connection. See Create and manage
Active Directory connections for Azure NetApp Files.

4. Create a new SMB volume. Follow the steps in Create an SMB volume for Azure
NetApp Files.

Note

It's recommended that you enable Continuous Availability on the SMB volume
for use with FSLogix profile containers, so select Enable Continuous
Availability. For more information, see Enable Continuous Availability on
existing SMB volumes.

Configure permissions
When configuring the directory and file-level permissions, review the recommended list
of permissions for FSLogix profiles at Configure the storage permissions for profile
containers.

Without proper directory-level permissions in place, a user can delete the user profile or
access the personal information of a different user. It's important to make sure users
have proper permissions to prevent accidental deletion from happening.

Configure FSLogix on your local Windows device
To configure FSLogix on your local Windows device:

1. Follow the steps in Install FSLogix Applications. If configuring FSLogix in a host
pool, download the file while you're still remoted in the session host VM.

2. To configure your profile container, see Configure profile containers.

Note

When adding the VHDLocations registry key, set the data type to Multi-
String and set its data value to the URI for the Azure NetApp Files share.
Be careful when creating the DeleteLocalProfileWhenVHDShouldApply
value. When the FSLogix Profiles system determines a user should have
an FSLogix profile, but a local profile already exists, Profile Container will
permanently delete the local profile. The user will then be signed in with
the new FSLogix profile.

Make sure users can access the Azure NetApp Files share
1. Sign in to the Azure portal with an administrative account.

2. Open Azure NetApp Files, select your Azure NetApp Files account, and then select
Volumes. Once the Volumes menu opens, select the corresponding volume.
3. Go to the Overview tab and confirm that the FSLogix profile container is using
space.

4. Open the File Explorer, then navigate to the Mount path. Within this folder, there
should be a profile VHD (or VHDX).


Tutorial: Configure profile containers
Article • 03/31/2023

Tip

Using the profile container in a single container configuration is highly recommended.

FSLogix profile containers are a complete roaming profile solution for virtual environments.
The profile container (single container), redirects the entire Windows user profile into a VHD
stored on a storage provider. The most common storage provider is an SMB file share.

The profile container is inclusive of all the benefits and uses found in the ODFC container.

Learn how to:
Enable the product for profiles
Specify the location for the containers
Verify the container has been attached and working

Prerequisites
Successful deployment of a virtual desktop or Azure Virtual Desktop environment.
SMB file share with NTFS and share-level permissions correctly configured.
Download and install the latest version of FSLogix.
Review configuration options.

Note

This tutorial doesn't cover how to convert to / from single or dual containers.

Profile container configuration

Note

Includes all Microsoft 365 application data. No need for an ODFC container.

Configuration example: Standard

1. Verify FSLogix installation and version.


2. Sign in to the virtual machine as a local Administrator or an account with administrative
privileges.

3. Select Start and Type Registry Editor directly into the Start Menu.

4. Select Registry Editor from the Start Menu.

Figure 1: Registry Editor in Start Menu

5. Go to: HKEY_LOCAL_MACHINE\SOFTWARE\FSLogix\Profiles.

6. Add these settings:

Key Name | Data Type | Value | Description
Enabled | DWORD | 1 | REQUIRED
DeleteLocalProfileWhenVHDShouldApply (1) | DWORD | 1 | Recommended
FlipFlopProfileDirectoryName (2) | DWORD | 1 | Recommended
LockedRetryCount (3) | DWORD | 3 | Recommended
LockedRetryInterval (3) | DWORD | 15 | Recommended
ProfileType (4) | DWORD | 0 | Default
ReAttachIntervalSeconds (3) | DWORD | 15 | Recommended
ReAttachRetryCount (3) | DWORD | 3 | Recommended
SizeInMBs | DWORD | 30000 | Default
VHDLocations | MULTI_SZ or REG_SZ | \\<storage-account-name>.file.core.windows.net\<share-name> | Example
VolumeType (5) | REG_SZ | VHDX | Recommended

(1) Recommended to ensure users don't use local profiles and lose data unexpectedly.

(2) Provides an easier way to browse the container directories.

(3) Decreases the retry timing to enable a faster fail scenario.

(4) Single connections reduce complexity and increase performance.

(5) VHDX is preferred over VHD due to its supported size and reduced corruption scenarios.

Figure 2: Registry for profiles configuration
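The following script is an added example, not part of the original tutorial or of FSLogix, that applies every value from the table above (and the Enabled and VHDLocations values set in the earlier "Configure your local Windows device" section) with the correct registry data types, then reads each one back and reports any type or value mismatch. The share path is a placeholder you replace with your own.

```powershell
# Added example (not from the original tutorial): set the FSLogix profile
# container registry values from the table with the correct data types, then
# verify them. The VHDLocations value below is a placeholder.
$regPath     = 'HKLM:\SOFTWARE\FSLogix\Profiles'
$vhdLocation = '\\<storage-account-name>.file.core.windows.net\<share-name>'

# Desired state, one entry per table row: name -> registry type and value.
# PowerShell's -PropertyType names are DWord, MultiString and String, which map
# to the table's DWORD, MULTI_SZ and REG_SZ.
$desired = [ordered]@{
    Enabled                              = @{ Type = 'DWord';       Value = 1 }
    # Permanently deletes an existing local profile when a container applies,
    # which is why the tutorial flags it as one to set deliberately.
    DeleteLocalProfileWhenVHDShouldApply = @{ Type = 'DWord';       Value = 1 }
    FlipFlopProfileDirectoryName         = @{ Type = 'DWord';       Value = 1 }
    LockedRetryCount                     = @{ Type = 'DWord';       Value = 3 }
    LockedRetryInterval                  = @{ Type = 'DWord';       Value = 15 }
    ProfileType                          = @{ Type = 'DWord';       Value = 0 }
    ReAttachIntervalSeconds              = @{ Type = 'DWord';       Value = 15 }
    ReAttachRetryCount                   = @{ Type = 'DWord';       Value = 3 }
    SizeInMBs                            = @{ Type = 'DWord';       Value = 30000 }
    VHDLocations                         = @{ Type = 'MultiString'; Value = @($vhdLocation) }
    VolumeType                           = @{ Type = 'String';      Value = 'VHDX' }
}

function Set-FSLogixProfileConfig {
    param([string]$Path, [System.Collections.IDictionary]$Settings)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    foreach ($name in $Settings.Keys) {
        $s = $Settings[$name]
        # -Force overwrites an existing value, so re-running the script is safe.
        New-ItemProperty -Path $Path -Name $name -PropertyType $s.Type `
            -Value $s.Value -Force | Out-Null
    }
}

function Test-FSLogixProfileConfig {
    # Returns a list of human-readable mismatches; empty means compliant.
    param([string]$Path, [System.Collections.IDictionary]$Settings)
    $key = Get-Item -Path $Path
    $mismatches = @()
    foreach ($name in $Settings.Keys) {
        $expected = $Settings[$name]
        try {
            $actualKind = $key.GetValueKind($name)   # throws if the value is absent
        } catch {
            $mismatches += "$name is missing"
            continue
        }
        $actual = $key.GetValue($name)
        $sameValue = switch ($expected.Type) {
            'MultiString' { -not (Compare-Object @($expected.Value) @($actual)) }
            default       { "$actual" -eq "$($expected.Value)" }
        }
        if (-not $sameValue -or "$actualKind" -ne $expected.Type) {
            $mismatches += "$name expected $($expected.Type)=$($expected.Value -join ';')" +
                           " got $actualKind=$($actual -join ';')"
        }
    }
    return $mismatches
}

Set-FSLogixProfileConfig  -Path $regPath -Settings $desired
$bad = Test-FSLogixProfileConfig -Path $regPath -Settings $desired
if ($bad) { $bad | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Host 'FSLogix profile container settings match the table.'
```

Run it in an elevated PowerShell session on the session host (or in the custom image) and restart afterwards, as the earlier section requires.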

Verify your profile container configuration


1. Sign in as a standard user.

2. Select Start and Type command prompt directly into the Start Menu.
3. Select Command Prompt from the Start Menu.

Figure 3: Command prompt

4. Change directory to C:\Program Files\FSLogix\Apps.

5. Type frx list-redirects.

Figure 4: frx list-redirects output

6. Select Start.

7. Select File Explorer.

8. Type the full path from VHDLocations in the previous section.

9. Double-click the folder for the standard user.

%username%-%sid%

10. Locate the newly created VHDX container.

Figure 5: Profile container in configured VHDLocations


Publish applications with RemoteApp in
Azure Virtual Desktop
Article • 08/22/2024

There are two ways to make applications available to users in Azure Virtual Desktop: as
part of a full desktop or as individual applications with RemoteApp. You publish
applications by adding them to an application group, which is associated with a host
pool and workspace, and assigned to users. For more information about application
groups, see Terminology.

You publish applications in the following scenarios:

For RemoteApp application groups, you publish applications to stream remotely
that are installed locally on session hosts or delivered dynamically using app attach
and MSIX app attach and presented to users as individual applications in one of the
supported Remote Desktop clients.

For desktop application groups, you can only publish a full desktop and all
applications in MSIX packages using MSIX app attach to appear in the user's start
menu in a desktop session. If you use app attach, applications aren't added to a
desktop application group.

This article shows you how to publish applications that are installed locally with
RemoteApp using the Azure portal and Azure PowerShell. You can't publish applications
using Azure CLI.

Prerequisites
Azure portal

In order to publish an application to a RemoteApp application group, you need the
following things:

An Azure account with an active subscription.

An existing host pool with session hosts, a RemoteApp application group, and
a workspace.

At least one session host is powered on in the host pool the application group
is assigned to.
The applications you want to publish are installed on the session hosts in the
host pool the application group is assigned to. If you're using app attach, you
must add and assign an MSIX, Appx, or App-V package to your host pool
before you start. For more information, see Add and manage app attach
applications.

As a minimum, the Azure account you use must have the Desktop
Virtualization Application Group Contributor built-in role-based access control
(RBAC) role on the resource group, or on the subscription, to create the
resources.

Add applications to a RemoteApp application group
To add applications to a RemoteApp application group, select the relevant tab for your
scenario and follow the steps.

Azure portal

Here's how to add applications to a RemoteApp application group using the Azure
portal.

1. Sign in to the Azure portal.

2. In the search bar, type Azure Virtual Desktop and select the matching service
entry.

3. Select Application groups, then select the RemoteApp application group you
want to add an application to.

4. Select Applications, select + Add. Make sure you have at least one session
host powered on in the host pool the application group is assigned to.

5. On the Basics tab, from application source drop-down list, select App Attach,
Start menu, or File path. The remaining fields change depending on the
application source you select.

For App Attach, complete the following information. Your MSIX package
must already be added and assigned to your host pool.

Parameter | Value/Description
Package | Select a package available for the host pool from the drop-down list. Regional packages are from app attach and host pool packages are from MSIX app attach.
Application | Select an application from the drop-down list.
Application identifier | Enter a unique identifier for the application.
Display name | Enter a friendly name for the application that is displayed to users.
Description | Enter a description for the application.

For Start menu, complete the following information:

Parameter | Value/Description
Application | Select an application from the drop-down list.
Display name | Enter a friendly name for the application that is displayed to users.
Description | Enter a description for the application.
Application path | Review the file path to the .exe file for the application and change it if necessary.
Require command line | Select if you need to add a specific command to run when the application launches. If you select Yes, enter the command in the Command line field.

For File path, complete the following information:

Parameter | Value/Description
Application path | Enter the file path to the .exe file for the application.
Application identifier | Enter a unique identifier for the application.
Display name | Enter a friendly name for the application that is displayed to users.
Description | Enter a description for the application.
Require command line | Select if you need to add a specific command to run when the application launches. If you select Yes, enter the command in the Command line field.

Once you've completed this tab, select Next.

6. On the Icon tab, the options you see depend on the application source you
selected on the Basics tab. With app attach you can use a UNC path, but for
Start Menu and File path you can only use a local path.

If you selected App Attach, select Default to use the default icon for the
application, or select File path to use a custom icon.

For File path, select one of the following options:

Browse Azure Files to use an icon from an Azure file share. Select
Select a storage account and select the storage account containing
your icon file, then select Select icon file. Browse to the file share and
directory your icon is in, check the box next to the icon you want to
add, for example MyApp.ico, then select Select. You can also use a
.png file. For Icon index, specify the index number for the icon you
want to use. This is usually 0.

UNC file path to use an icon from a file share. For Icon path, enter the
UNC path to your icon file, for example \\MyFileShare\MyApp.ico. You
can also use a .png file. For Icon index, specify the index number for
the icon you want to use. This is usually 0.

If you selected Start menu or File path, for Icon path, enter a local path
to the .exe file or your icon file, for example C:\Program
Files\MyApp\MyApp.exe. For Icon index, specify the index number for the
icon you want to use. This is usually 0.

Once you've completed this tab, select Review + add.

7. On the Review + add tab, ensure validation passes and review the information
that is used to add the application, then select Add to add the application to
the RemoteApp application group.

Assign applications to users

Applications aren't assigned individually to users unless you're using app attach. Instead,
users are assigned to application groups. When a user is assigned to an application
group, they can access all the applications in that group. To learn how to assign users to
application groups, see Assign users to an application group or Add and manage app
attach applications.

Publish Microsoft Store applications

Applications in the Microsoft Store are updated frequently and often install
automatically. The directory path for an application installed from the Microsoft Store
includes the version number, which changes each time an application is updated. If an
update happens automatically, the path changes and the application is no longer
available to users. You can publish applications using the Windows shell:appsFolder
location as the path in the format shell:AppsFolder\<PackageFamilyName>!<AppId>, which
doesn't use the .exe file or the directory path with the version number. This method
ensures that the application location is always correct.

Using shell:appsFolder means the application icon isn't picked up automatically from
the application. You should provide an icon file on a local drive on each session host in a
path that doesn't change, unlike the application installation directory.

Select the relevant tab for your scenario and follow the steps.

Azure portal

Here's how to publish a Microsoft Store application using the Windows user
interface and the Azure portal:

1. On your session host, open File Explorer and go to the path shell:appsFolder.

2. Find the application in the list, right-click it, then select Create a shortcut.

3. For the shortcut prompt that appears, select Yes to place the shortcut on the
desktop.

4. View the properties of the shortcut and make a note of the Target value. This
value is the package family name and application ID you need to publish the
application.

5. Follow the steps in the section Add applications to a RemoteApp application
group for publishing an application based on File path. For the parameter
Application path, use the value from the Target field of the shortcut you
created, then specify the icon path as your local icon file.
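The same publish step done with Azure PowerShell, as an added example that is not the article's own code: it takes the shell:AppsFolder value from the shortcut's Target field, rejects anything that is not in the <PackageFamilyName>!<AppId> form, and creates the application in the RemoteApp application group with a local icon path, which also covers the File path parameters described in the "Add applications to a RemoteApp application group" section. It assumes the New-AzWvdApplication cmdlet from the Az.DesktopVirtualization module; the resource group, application group, application and icon names are placeholders.

```powershell
# Added example (not from the original article): publish a Microsoft Store app
# to a RemoteApp application group with Azure PowerShell, using the
# shell:AppsFolder path so the published location survives Store updates.
# Assumes Az.DesktopVirtualization (New-AzWvdApplication) and an existing
# application group; every name below is a placeholder.
Import-Module Az.DesktopVirtualization

$resourceGroup = '<resource-group-name>'
$appGroup      = '<remoteapp-application-group-name>'
# Value copied from the shortcut's Target field (step 4 above).
$target        = 'shell:AppsFolder\<PackageFamilyName>!<AppId>'
# Icon file kept on a local path that does not change when the app updates.
$iconPath      = 'C:\ProgramData\AvdIcons\<app-name>.ico'

function Publish-StoreRemoteApp {
    param(
        [string]$ResourceGroupName,
        [string]$GroupName,
        [string]$Name,
        [string]$FriendlyName,
        [string]$Target,
        [string]$IconPath
    )
    # Only accept shell:AppsFolder\<PackageFamilyName>!<AppId>; a versioned
    # install path pasted here by mistake would break on the next Store update.
    if ($Target -notmatch '^shell:AppsFolder\\[^\\!]+![^\\!]+$') {
        throw "Target '$Target' is not in the form shell:AppsFolder\<PackageFamilyName>!<AppId>"
    }
    if (-not (Test-Path -Path $IconPath)) {
        throw "Icon file '$IconPath' not found on this session host"
    }
    $parameters = @{
        ResourceGroupName  = $ResourceGroupName
        GroupName          = $GroupName
        Name               = $Name            # the application identifier
        FriendlyName       = $FriendlyName    # the display name shown to users
        FilePath           = $Target          # the Application path parameter
        IconPath           = $IconPath
        IconIndex          = 0
        # Equivalent to answering No to "Require command line": the app starts
        # with no extra arguments and users cannot add any.
        CommandLineSetting = 'DoNotAllow'
        ShowInPortal       = $true
    }
    New-AzWvdApplication @parameters
}

Publish-StoreRemoteApp -ResourceGroupName $resourceGroup -GroupName $appGroup `
    -Name '<application-identifier>' -FriendlyName '<display-name>' `
    -Target $target -IconPath $iconPath
```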

Publish Windows Sandbox

Windows Sandbox provides a lightweight desktop environment to safely run
applications in isolation. You can use Windows Sandbox with Azure Virtual Desktop in a
desktop or RemoteApp session.

Your session hosts need to use a virtual machine (VM) size that supports nested
virtualization. To check if a VM series supports nested virtualization, see Sizes for virtual
machines in Azure, go to the relevant article for the series of the VM, and check the list
of supported features.

1. To install Windows Sandbox on your session hosts, follow the steps in Windows
Sandbox overview. We recommend you install Windows Sandbox in a custom
image you can use when creating your session hosts.

2. Once you've installed Windows Sandbox on your session hosts, it's available in a
desktop session. If you also want to publish it as a RemoteApp, follow the steps to
Add applications to a RemoteApp application group and use the file path
C:\Windows\System32\WindowsSandbox.exe.

Next steps
Learn how to Add and manage app attach applications.

Learn about how to customize the feed so resources appear in a recognizable way
for your users.

If you encounter issues with your applications running in Azure Virtual Desktop,
App Assure is a service from Microsoft designed to help you resolve them at no
extra cost. For more information, see App Assure.


Supported features for Microsoft Teams
on Azure Virtual Desktop
Article • 01/24/2024

This article lists the features of Microsoft Teams that Azure Virtual Desktop currently
supports and the minimum requirements to use each feature.

Supported features
The following table lists whether the Windows Desktop client, Azure Virtual Desktop
Store app or macOS client supports specific features for Teams on Azure Virtual
Desktop. Other clients aren't supported.

Feature | Windows Desktop client and Azure Virtual Desktop app | macOS client
Application window sharing | Yes | No
Audio/video call | Yes | Yes
Background blur | Yes | Yes
Background images | Yes | Yes
Call health panel | Yes | Yes
Communication Access Real-time Translation (CART) transcriptions | Yes | Yes
Configure audio devices | Yes | No
Configure camera devices | Yes | Yes
Diagnostic overlay | Yes | No
Dynamic e911 | Yes | Yes
Give and take control | Yes | Yes
Live captions | Yes | Yes
Live reactions | Yes | Yes
Manage breakout rooms | Yes | Yes
Mirror my video | Yes | No
Multiwindow | Yes | Yes
Noise suppression | Yes | Yes
Screen share and video together | Yes | Yes
Screen share | Yes | Yes
Secondary ringer | Yes | Yes
Shared system audio | Yes | No
Simulcast | Yes | Yes

Tip

You can find a more general list of Teams features that aren't supported on any VDI
platform in the documentation for Microsoft Teams at Features not supported in
VDI.

Version requirements
The following table lists the minimum required versions for each Teams feature. For
optimal user experience on Teams for Azure Virtual Desktop, we recommend using the
latest supported versions of each client along with the WebRTC Redirector Service
installed on your session hosts, which you can find in the following list:

Windows Desktop client
Azure Virtual Desktop app
macOS client
Teams WebRTC Redirector Service
Teams desktop app

Supported features | Windows Desktop client and Azure Virtual Desktop Store app version | macOS client version | WebRTC Redirector Service version | Teams version
Application window sharing | 1.2.3770 and later | Not supported | 1.31.2211.15001 | Updates within 90 days of the current version
Audio/video call | 1.2.1755 and later | 10.7.7 and later | 1.0.2006.11001 and later | Updates within 90 days of the current version
Background blur | 1.2.3004 and later | 10.7.10 and later | 1.1.2110.16001 and later | Updates within 90 days of the current version
Background images | 1.2.3004 and later | 10.7.10 and later | 1.1.2110.16001 and later | Updates within 90 days of the current version
CART transcriptions | 1.2.2322 and later | 10.7.7 and later | 1.0.2006.11001 and later | Updates within 90 days of the current version
Call health panel | 1.2.1755 and later | 10.7.7 and later | 1.0.2006.11001 and later | Updates within 90 days of the current version
Configure audio devices | 1.2.1755 and later | Not supported | 1.0.2006.11001 and later | Updates within 90 days of the current version
Configure camera devices | 1.2.1755 and later | 10.7.7 and later | 1.0.2006.11001 and later | Updates within 90 days of the current version
Diagnostic overlay | 1.2.3316 and later | Not supported | 1.17.2205.23001 and later | Updates within 90 days of the current version
Dynamic e911 | 1.2.2600 and later | 10.7.7 and later | 1.0.2006.11001 and later | Updates within 90 days of the current version
Give and take control | 1.2.2924 and later | 10.7.10 and later | 1.0.2006.11001 and later (Windows), 1.31.2211.15001 and later (macOS) | Updates within 90 days of the current version
Live captions | 1.2.2322 and later | 10.7.7 and later | 1.0.2006.11001 and later | Updates within 90 days of the current version
Live reactions | 1.2.1755 and later | 10.7.7 and later | 1.1.2110.16001 and later | Updates within 90 days of the current version
Manage breakout rooms | 1.2.1755 and later | 10.7.7 and later | 1.0.2006.11001 and later | Updates within 90 days of the current version
Mirror my video | 1.2.3770 and later | Not supported | 1.0.2006.11001 and later | Updates within 90 days of the current version
Multiwindow | 1.2.1755 and later | 10.7.7 and later | 1.1.2110.16001 and later | Updates within 90 days of the current version
Noise suppression* | 1.2.3316 and later | 10.8.1 and later | 1.0.2006.11001 and later | Updates within 90 days of the current version
Screen share and video together | 1.2.1755 and later | 10.7.7 and later | 1.0.2006.11001 and later | Updates within 90 days of the current version
Screen share | 1.2.1755 and later | 10.7.7 and later | 1.0.2006.11001 and later | Updates within 90 days of the current version
Secondary ringer | 1.2.3004 and later | 10.7.7 and later | 1.0.2006.11001 and later | Updates within 90 days of the current version
Shared system audio | 1.2.4058 and later | Not supported | 1.0.2006.11001 and later | Updates within 90 days of the current version
Simulcast | 1.2.3667 and later | 10.8.1 and later | 1.0.2006.11001 and later | Updates within 90 days of the current version

* When using Teams media optimizations, noise suppression is on by default, but
confirmation isn't shown in the Teams client. This is by design.

Next steps
Learn more about how to set up Teams for Azure Virtual Desktop at Use Microsoft
Teams on Azure Virtual Desktop.

Learn about known issues, limitations, and how to log issues at Troubleshoot Teams on
Azure Virtual Desktop.

Learn about the latest version of the Remote Desktop WebRTC Redirector Service at
What's new in the Remote Desktop WebRTC Redirector Service.

Preferred application group type behavior for pooled host pools in Azure Virtual Desktop
Article • 06/11/2024

An application group is a logical grouping of applications that are available on session
hosts in a host pool. Application groups control whether a full desktop or which
applications from a host pool are available to users to connect to. An application group
can only be assigned to a single host pool, but you can assign multiple application
groups to the same host pool. Users can be assigned to multiple application groups
across multiple host pools, which enables you to vary the applications and desktops that
users can access.

When you create an application group, it can be one of two types:

Desktop: users access the full Windows desktop from a session host. Available with
pooled or personal host pools.

RemoteApp: users access individual applications you select and publish to the
application group. Available with pooled host pools only.

With pooled host pools, you can assign both application group types to the same host
pool at the same time. You can only assign a single desktop application group with a
host pool, but you can also assign multiple RemoteApp application groups to the same
host pool.

Users assigned to multiple RemoteApp application groups assigned to the same host
pool have access to an aggregate of all the applications in the application groups
they're assigned to.

To help prevent users from connecting to a desktop and RemoteApp application at the
same time from application groups assigned to the same host pool, pooled host pools
have the setting Preferred application group type. This setting determines whether
users have access to the full desktop or RemoteApp applications from this host pool in
Windows App or the Remote Desktop app, should they be assigned to an application
group of each type to the same host pool.

Important

Users who have access to both a desktop application group and RemoteApp
application group assigned to the same host pool only have access to the type of
applications from the application group determined by the preferred application
group type for the host pool. It doesn't prevent a user from having access to the
full desktop and RemoteApp applications from different host pools, or different
users from having access to different application group types from the same host
pool.

You must specify the preferred application group type for a host pool at the point of
creation. Additionally, when creating a host pool using the Azure portal there are two
default behaviors, which don't happen when creating a host pool using a different
method, such as Azure PowerShell or Azure CLI. These default behaviors are:

The default preferred application group type selected using the Azure portal is
Desktop. You can change this setting when you create the host pool or after the
host pool is created.

A desktop application group is automatically created and assigned to the host
pool, regardless of whether you select the preferred application group type as
Desktop or RemoteApp. The name of the application group is formed of the host
pool name with the suffix -DAG, for example hp01-DAG. You can remove this
application group after the host pool is created if you only want to use RemoteApp
applications. You can only have one desktop application group associated with a
host pool at a time.

Enforcing a preferred application group type

Previously, host pools could be created without a preferred application group type set.
In this scenario, a user who has access to both a desktop application group and
RemoteApp application group assigned to the same host pool has access to both sets of
resources in Windows App or the Remote Desktop app. If that user connects to a
desktop and a RemoteApp application from those application groups at the same time,
they can end up with two different sessions to the same host pool.

To prevent this scenario, set the preferred application group type for each host pool to
either Desktop or RemoteApp. To learn how to set the preferred application group type,
see Set the preferred application group type for a pooled host pool in Azure Virtual
Desktop.

For host pools that still don't have a preferred application group type set, where a user
has access to both a desktop application group and RemoteApp application group
assigned to the same host pool, Windows App or the Remote Desktop app now only
shows the desktop resource. The Desktop preferred application group type is enforced.
Windows App or the Remote Desktop app doesn't show the RemoteApp applications
from the RemoteApp application group.

Important

The enforcement of the Desktop preferred application group type for host pools
that don't have a preferred application group type set is currently rolling out to all
Azure regions.

It's still possible to connect to both the desktop and RemoteApp applications from the
same host pool using the ms-avd:connect URI scheme regardless of the preferred
application group type, but we don't recommend this approach. If a user ends up with
two different sessions to the same host pool, it can cause a negative experience and
session performance for that user and other users, including:

Session hosts become overloaded
Users get stuck when trying to sign in
Connections to a remote session aren't successful
The remote session turns black
Applications crash

Expected behavior
Here's a matrix of the expected behavior for the resources users see in Windows App or
the Remote Desktop app based on the preferred application group type setting of a
host pool, the application groups assigned to the host pool and their type, and user
assignments to the application groups:

Application group types assigned to a single host pool | User assigned to application group types | Host pool preferred application group type setting | Resources shown
Desktop only | Desktop | Desktop or RemoteApp | Desktop
RemoteApp only | RemoteApp | Desktop or RemoteApp | RemoteApp applications
Desktop and RemoteApp | Desktop | Desktop or RemoteApp | Desktop
Desktop and RemoteApp | RemoteApp | Desktop or RemoteApp | RemoteApp applications
Desktop and RemoteApp | Both desktop and RemoteApp | Desktop | Desktop
Desktop and RemoteApp | Both desktop and RemoteApp | RemoteApp | RemoteApp applications
Desktop and RemoteApp | Both desktop and RemoteApp | None | Desktop

Example scenarios
Here are some example scenarios that show how the preferred application group type
setting affects which types of remote resources are shown to users.

Scenario 1
In this scenario, a desktop application group and a RemoteApp application group are
assigned to the same host pool hp01 . User Tim is in the finance security group, which is
assigned to the desktop application group. User Gabriella is in the legal security group,
which is assigned to the RemoteApp application group.

The preferred application group type for host pool hp01 isn't relevant as users in the
finance security group only have access to the desktop application group and users in
the legal security group only have access to the RemoteApp application group. In
Windows App or the Remote Desktop app, Tim is shown the desktop, and Gabriella is
shown the RemoteApp applications.

Scenario 2
In this scenario, a desktop application group and a RemoteApp application group are
assigned to the same host pool hp01 . User Tim is in the finance security group, which is
assigned to the desktop application group. User Gabriella is in the legal security group,
which is assigned to both the desktop and RemoteApp application groups.

The preferred application group type for host pool hp01 is set to Desktop. In Windows
App or the Remote Desktop app, both Tim and Gabriella are shown the desktop.
Gabriella isn't shown any RemoteApp applications.

Scenario 3
In this scenario, a desktop application group is assigned to host pool hp01 and a
RemoteApp application group is assigned to host pool hp02 . User Tim is in the finance
security group and user Gabriella is in the legal security group. Both security groups are
assigned to the desktop application group and RemoteApp application group.

The preferred application group type for host pool hp01 is set to Desktop and the
preferred application group type for host pool hp02 is set to RemoteApp. In Windows
App or the Remote Desktop app, Tim and Gabriella are shown both desktop and
RemoteApp applications.

Next step
To learn how to set the preferred application group type, see Set the preferred
application group type for a pooled host pool in Azure Virtual Desktop.

Set the preferred application group type for a pooled host pool in Azure Virtual Desktop
Article • 06/11/2024

An application group is a logical grouping of applications that are available on session
hosts in a host pool. Application groups control whether a full desktop or which
applications from a host pool are available to users to connect to. An application group
can only be assigned to a single host pool, but you can assign multiple application
groups to the same host pool. Users can be assigned to multiple application groups
across multiple host pools, which enables you to vary the applications and desktops that
users can access.

When you create an application group, it can be one of two types:

Desktop: users access the full Windows desktop from a session host. Available with
pooled or personal host pools.

RemoteApp: users access individual applications you select and publish to the
application group. Available with pooled host pools only.

To help prevent users from connecting to a desktop and RemoteApp application at the
same time from application groups assigned to the same host pool, pooled host pools
have the setting Preferred application group type. This setting determines whether
users have access to the full desktop or RemoteApp applications from this host pool in
Windows App or the Remote Desktop app, should they be assigned to an application
group of each type to the same host pool.

For more information about the behavior of the preferred application group type setting
and why it's necessary, see Preferred application group type behavior for pooled host
pools in Azure Virtual Desktop.

This article shows you how to set the preferred application group type for a pooled host
pool using the Azure portal, Azure PowerShell, or Azure CLI.

Prerequisites
Before you can set the preferred application group type for a pooled host pool, you
need:
An existing pooled host pool.

An Azure account you can use that has the Desktop Virtualization Host Pool
Contributor role-based access control (RBAC) role assigned.

If you want to use Azure PowerShell or Azure CLI locally, see Use Azure PowerShell
and Azure CLI with Azure Virtual Desktop to make sure you have the
Az.DesktopVirtualization PowerShell module or the desktopvirtualization Azure CLI
extension installed. Alternatively, use the Azure Cloud Shell.

Set the preferred application group type
Select the relevant tab for your scenario.

Portal

Here's how to set the preferred application group type for a host pool using the
Azure portal:

1. Sign in to the Azure portal.

2. In the search bar, enter Azure Virtual Desktop and select the matching service
entry.

3. Select Host pools, then select the name of the pooled host pool you want to
configure.

4. Select Properties.

5. For Preferred app group type, select either Desktop or RemoteApp from the
drop-down list.

6. Select Save.
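The PowerShell and Azure CLI tabs this article refers to aren't reproduced in this extraction. The following script is an added example written for this page, not code from the Azure Virtual Desktop documentation. It serves two passages: the expected-behavior matrix and scenarios in the previous article (it finds pooled host pools where a user could end up with two sessions because both a Desktop and a RemoteApp application group are assigned and no preferred type is set) and the portal procedure above (it applies the setting). Assumptions: the Az.Accounts and Az.DesktopVirtualization modules are installed, Connect-AzAccount has been run with the Desktop Virtualization Host Pool Contributor role, and the resource group name 'rg-avd-prod' is a placeholder. The API value for RemoteApp is 'RailApplications'.

```powershell
# Added example; this script is not part of the Azure Virtual Desktop documentation.
# Audits pooled host pools for the "two sessions" risk (Desktop and RemoteApp application
# groups assigned, no preferred type set) and applies the fix the portal steps perform.
# Assumptions: Az.Accounts and Az.DesktopVirtualization installed, Connect-AzAccount run,
# 'rg-avd-prod' is a placeholder. The API name for RemoteApp is 'RailApplications'.

function Get-AvdPreferredAppGroupTypeFinding {
    param([Parameter(Mandatory)] [string] $ResourceGroupName)

    # Index every application group in the subscription by ARM ID. Host pools reference
    # application groups by ID, and those groups may live in another resource group.
    $appGroups = @{}
    foreach ($ag in Get-AzWvdApplicationGroup) {
        $appGroups[$ag.Id.ToLowerInvariant()] = $ag
    }

    foreach ($hp in Get-AzWvdHostPool -ResourceGroupName $ResourceGroupName) {
        # RemoteApp application groups exist only for pooled host pools, so personal pools can't hit this.
        if ($hp.HostPoolType -ne 'Pooled') { continue }

        $types = @(foreach ($ref in @($hp.ApplicationGroupReference | Where-Object { $_ })) {
            $ag = $appGroups[$ref.ToLowerInvariant()]
            if ($ag) { $ag.ApplicationGroupType }
        }) | Sort-Object -Unique

        $unset = [string]::IsNullOrEmpty($hp.PreferredAppGroupType) -or $hp.PreferredAppGroupType -eq 'None'

        [pscustomobject]@{
            HostPool           = $hp.Name
            PreferredType      = $hp.PreferredAppGroupType
            AppGroupTypes      = (@($types) -join ',')
            # Both types assigned and nothing set: the service now enforces Desktop in this
            # case, but an explicit value is what the documentation asks for.
            NeedsPreferredType = ($types -contains 'Desktop') -and ($types -contains 'RemoteApp') -and $unset
        }
    }
}

function Set-AvdPreferredAppGroupType {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $HostPoolName,
        [Parameter(Mandatory)] [ValidateSet('Desktop', 'RailApplications')] [string] $Type
    )
    # Returns the updated host pool so the caller can confirm the new value.
    Update-AzWvdHostPool -ResourceGroupName $ResourceGroupName -Name $HostPoolName -PreferredAppGroupType $Type |
        Select-Object Name, HostPoolType, PreferredAppGroupType
}

# Usage (placeholders): report first, then set Desktop on every pool that needs a value.
$findings = Get-AvdPreferredAppGroupTypeFinding -ResourceGroupName 'rg-avd-prod'
$findings | Format-Table -AutoSize
$findings | Where-Object NeedsPreferredType | ForEach-Object {
    Set-AvdPreferredAppGroupType -ResourceGroupName 'rg-avd-prod' -HostPoolName $_.HostPool -Type Desktop
}
```

Run the report step on its own first; a pool that shows AppGroupTypes of Desktop,RemoteApp with an empty or None PreferredType is exactly the configuration the previous article warns about. Choose RailApplications instead of Desktop when the pool is meant to publish applications only.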

Related content
Learn about the Preferred application group type behavior for pooled host pools in
Azure Virtual Desktop


App attach and MSIX app attach in
Azure Virtual Desktop
Article • 11/19/2024

There are two features in Azure Virtual Desktop that enable you to dynamically attach
applications from an application package to a user session in Azure Virtual Desktop -
app attach and MSIX app attach. With both app attach and MSIX app attach, applications
aren't installed locally on session hosts or images, making it easier to create custom
images for your session hosts, and reducing operational overhead and costs for your
organization. Applications run within containers, which separate user data, the operating
system, and other applications, increasing security and making them easier to
troubleshoot.

The following table compares MSIX app attach with app attach:

MSIX app attach | App attach
Applications are delivered using RemoteApp or as part of a desktop session. Permissions are controlled by assignment to application groups; however, all desktop users see all MSIX app attach applications in the desktop application group. | Applications are delivered using RemoteApp or as part of a desktop session. Permissions are applied per application per user, giving you greater control over which applications your users can access in a remote session. Desktop users only see the app attach applications assigned to them.
Applications might only run on one host pool. If you want an application to run on another host pool, you must create another package. | The same application package can be used across multiple host pools.
Applications can only run on the host pool in which they're added. | Applications can run on any session host running a Windows client operating system in the same Azure region as the application package.
To update the application, you must delete and recreate the application with another version of the package. You should update the application in a maintenance window. | Applications can be upgraded to a new application version with a new disk image without the need for a maintenance window.
Users can't run two versions of the same application on the same session host. | Users can run two versions of the same application concurrently on the same session host.
Telemetry for usage and health isn't available through Azure Log Analytics. | Telemetry for usage and health is available through Azure Log Analytics.

You can use the following application package types and file formats:

Package type | File formats | Feature availability
MSIX and MSIX bundle | .msix, .msixbundle | MSIX app attach, App attach
Appx and Appx bundle | .appx, .appxbundle | App attach only
App-V | .appv | App attach only

MSIX and Appx are Windows application package formats that provide a modern
packaging experience to Windows applications. Applications run within containers,
which separate user data, the operating system, and other applications, increasing
security and making them easier to troubleshoot. MSIX and Appx are similar, where the
main difference is that MSIX is a superset of Appx. MSIX supports all the features of
Appx, plus other features that make it more suitable for enterprise use.

Microsoft Application Virtualization (App-V) for Windows delivers Win32 applications to
users as virtual applications. Virtual applications are installed on centrally managed
servers and delivered to users as a service in real time and on an as-needed basis. Users
launch virtual applications from familiar access points and interact with them as if they
were installed locally.

Tip

Select a button at the top of this article to choose between app attach and MSIX
app attach to see the relevant documentation.

You can get MSIX packages from software vendors, or you can create an MSIX package
from an existing installer. To learn more about MSIX, see What is MSIX?

How a user gets an application
You can assign different applications to different users in the same host pool or on the
same session host. During sign-in, all three of the following requirements must be met
for the user to get the right application at the right time:

The application must be assigned to the host pool. Assigning the application to
the host pool enables you to be selective about which host pools the application is
available on to ensure that the right hardware resources are available for use by
the application. For example, if an application is graphics-intensive, you can ensure
it only runs on a host pool with GPU-optimized session hosts.

The user must be able to sign in to session hosts in the host pool, so they must be
in a Desktop or RemoteApp application group. For a RemoteApp application
group, the app attach application must be added to the application group, but you
don't need to add the application to a desktop application group.

The application must be assigned to the user. You can use a group or a user
account.

If all of these requirements are met, the user gets the application. This process provides
control over who gets an application on which host pool and also how it's possible for
users within a single host pool or even signed in to the same multi-session session host
to get different application combinations. Users who don’t meet the requirements don't
get the application.

Application images
Before you can use MSIX application packages with Azure Virtual Desktop, you need to
Create an MSIX image from your existing application packages. Alternatively, you can
use an App-V package instead. You then need to store each MSIX image or App-V
package on a file share that's accessible by your session hosts. For more information on
the requirements for a file share, see File share.

Disk image types
For MSIX and Appx disk images, you can use Composite Image File System (CimFS),
VHDX or VHD, but we don't recommend using VHD. Mounting and unmounting CimFS
images is faster than VHD and VHDX files and also consumes less CPU and memory. We
only recommend using CimFS for your application images if your session hosts are
running Windows 11.

A CimFS image is a combination of several files: one file has the .cim file extension and
contains metadata, together with at least two other files, one starting with objectid_
and the other starting with region_ that contain the actual application data. The files
accompanying the .cim file don't have a file extension. The following table is a list of
example files you'd find for a CimFS image:

File name | Size
MyApp.cim | 1 KB
objectid_b5742e0b-1b98-40b3-94a6-9cb96f497e56_0 | 27 KB
objectid_b5742e0b-1b98-40b3-94a6-9cb96f497e56_1 | 20 KB
objectid_b5742e0b-1b98-40b3-94a6-9cb96f497e56_2 | 42 KB
region_b5742e0b-1b98-40b3-94a6-9cb96f497e56_0 | 428 KB
region_b5742e0b-1b98-40b3-94a6-9cb96f497e56_1 | 217 KB
region_b5742e0b-1b98-40b3-94a6-9cb96f497e56_2 | 264,132 KB

The following table is a performance comparison between VHDX and CimFS. These
numbers were the result of a test run with 500 files of 300 MB each per format and the
tests were performed on a DSv4 Azure virtual machine.

Metric | VHD | CimFS
Average mount time | 356 ms | 255 ms
Average unmount time | 1615 ms | 36 ms
Memory consumption | 6% (of 8 GB) | 2% (of 8 GB)
CPU (count spike) | Maxed out multiple times | No effect

Application registration
App attach mounts disk images or App-V packages containing your applications from a
file share to a user's session during sign-in (MSIX app attach mounts disk images only),
then a registration process makes the applications available to the user. There are two
types of registration:

On-demand: applications are only partially registered at sign-in and the full
registration of an application is postponed until the user starts the application.
On-demand is the registration type we recommend you use as it doesn't affect the
time it takes to sign in to Azure Virtual Desktop. On-demand is the default
registration method.

Log on blocking: each application you assign to a user is fully registered.
Registration happens while the user is signing in to their session, which might
affect the sign-in time to Azure Virtual Desktop.

Important

All MSIX and Appx application packages include a certificate. You're responsible for
making sure the certificates are trusted in your environment. Self-signed certificates
are supported with the appropriate chain of trust.

App attach doesn't limit the number of applications users can use. You should consider
your available network throughput and the number of open handles per file (each
image) your file share supports, as it might limit the number of users or applications you
can support. For more information, see File share.

Application state
Application packages are set as active or inactive. Packages set to active make the
application available to users. Packages set to inactive are ignored by Azure Virtual
Desktop and aren't added when a user signs in.

New versions of applications
You can add a new version of an application by supplying a new image containing the
updated application. You can use this new image in two ways:

Side by side: create a new application using the new disk image and assign it to
the same host pools and users as the existing application.

In-place: create a new image where the version number of the application
changes, then update the existing application to use the new image. The version
number can be higher or lower, but you can't update an application with the same
version number. Don't delete the existing image until all users are finished using it.

Once updated, users will get the updated application version the next time they sign in.
Users don't need to stop using the previous version to add a new version.

Identity providers
Here are the identity providers you can use with app attach:

Identity provider | Status
Microsoft Entra ID | Supported
Active Directory Domain Services (AD DS) | Supported
Microsoft Entra Domain Services | Not supported

File share
App attach requires that your application images are stored on an SMB file share, which
is then mounted on each session host during sign-in. App attach doesn't have
dependencies on the type of storage fabric the file share uses. We recommend using
Azure Files as it's compatible with Microsoft Entra ID or Active Directory Domain
Services, and offers great value between cost and management overhead.

You can also use Azure NetApp Files, but that requires your session hosts to be joined to
Active Directory Domain Services.

The following sections provide some guidance on the permissions, performance, and
availability required for the file share.

Permissions
Each session host mounts application images from the file share. You need to configure
NTFS and share permissions to allow each session host computer object read access to
the files and file share. How you configure the correct permission depends on which
storage provider and identity provider you're using for your file share and session hosts.

To use Azure Files when your session hosts are joined to Microsoft Entra ID, you need
to assign the Reader and Data Access Azure role-based access control (RBAC) role
to both the Azure Virtual Desktop and Azure Virtual Desktop ARM Provider
service principals. This RBAC role assignment allows your session hosts to access
the storage account using access keys or Microsoft Entra.

To learn how to assign an Azure RBAC role to the Azure Virtual Desktop service
principals, see Assign RBAC roles to the Azure Virtual Desktop service principals. In
a future update, you won't need to assign the Azure Virtual Desktop ARM
Provider service principal.

For more information about using Azure Files with session hosts that are joined to
Microsoft Entra ID, Active Directory Domain Services, or Microsoft Entra Domain
Services, see Overview of Azure Files identity-based authentication options for
SMB access.

Warning

Assigning the Azure Virtual Desktop ARM Provider service principal a role on the
storage account grants the Azure Virtual Desktop service access to all data inside
the storage account. We recommend you only store apps to use with app attach in
this storage account and rotate the access keys regularly.

For Azure Files with Active Directory Domain Services, you need to assign the
Storage File Data SMB Share Reader Azure role-based access control (RBAC) role as
the default share-level permission, and configure NTFS permissions to give read
access to each session host's computer object.

For Azure NetApp Files, you can create an SMB volume and configure NTFS
permissions to give read access to each session host's computer object. Your
session hosts need to be joined to Active Directory Domain Services or Microsoft
Entra Domain Services.

You can verify the permissions are correct by using PsExec. For more information, see
Check file share access.
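The role assignment and key rotation described in the Azure Files bullets and the warning above, as an added example written for this page (not code from the Azure Virtual Desktop documentation or the linked RBAC article). It grants the two service principals the Reader and Data Access role scoped to the app attach storage account only, verifies the assignments, and regenerates one access key. Assumptions: the Az.Accounts, Az.Resources and Az.Storage modules are installed, Connect-AzAccount has been run with rights to create role assignments on the storage account (Owner or User Access Administrator), the service principal display names are the ones the documentation uses, and the resource names are placeholders.

```powershell
# Added example; this script is not part of the Azure Virtual Desktop documentation.
# Grants the Azure Virtual Desktop service principals "Reader and Data Access" on the
# app attach storage account (and nothing wider), verifies it, and rotates an access key.
# Assumptions: Az.Accounts, Az.Resources and Az.Storage installed; Connect-AzAccount run
# with rights to create role assignments on the storage account; names are placeholders.

function Grant-AvdAppAttachStorageAccess {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $StorageAccountName
    )
    $roleName = 'Reader and Data Access'
    # Scope to the storage account resource, not the resource group or subscription: the
    # ARM Provider principal gets access to everything inside whatever scope you choose.
    $scope = (Get-AzStorageAccount -ResourceGroupName $ResourceGroupName -Name $StorageAccountName).Id

    foreach ($spName in 'Azure Virtual Desktop', 'Azure Virtual Desktop ARM Provider') {
        $sp = Get-AzADServicePrincipal -DisplayName $spName | Select-Object -First 1
        if (-not $sp) { throw "Service principal '$spName' was not found in this tenant." }

        # Idempotent: Get-AzRoleAssignment -Scope also returns inherited assignments, so keep
        # only the ones made at exactly this scope before deciding whether to create one.
        $existing = Get-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName $roleName -Scope $scope |
            Where-Object Scope -eq $scope
        if (-not $existing) {
            New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName $roleName -Scope $scope | Out-Null
        }
    }

    # Verification: both principals should now hold the role at the storage account scope.
    Get-AzRoleAssignment -Scope $scope -RoleDefinitionName $roleName |
        Where-Object { $_.Scope -eq $scope -and $_.DisplayName -like 'Azure Virtual Desktop*' } |
        Select-Object DisplayName, RoleDefinitionName, Scope
}

function Update-AvdAppAttachStorageKey {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $StorageAccountName,
        [ValidateSet('key1', 'key2')] [string] $KeyName = 'key1'
    )
    # Regenerate one key at a time: anything still using the other key keeps working until
    # you move it over, then rotate that key on the next cycle.
    New-AzStorageAccountKey -ResourceGroupName $ResourceGroupName -Name $StorageAccountName -KeyName $KeyName | Out-Null
    # Return key names only, never the key values, to the console or logs.
    Get-AzStorageAccountKey -ResourceGroupName $ResourceGroupName -Name $StorageAccountName |
        Select-Object KeyName, @{ n = 'Rotated'; e = { $_.KeyName -eq $KeyName } }
}

# Usage (placeholders):
Grant-AvdAppAttachStorageAccess -ResourceGroupName 'rg-avd-prod' -StorageAccountName 'stavdappattach01'
Update-AvdAppAttachStorageKey   -ResourceGroupName 'rg-avd-prod' -StorageAccountName 'stavdappattach01' -KeyName key1
```

If the verification step returns fewer than two rows, the assignment was made at a different scope or to a different principal than intended; don't widen the scope to make it appear, fix the assignment instead.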

Performance
Requirements can vary greatly depending how many packaged applications are stored
in an image and you need to test your applications to understand your requirements.
For larger images, you need to allocate more bandwidth. The following table gives an
example of the requirements a single 1 GB image or App-V package containing one
application requires per session host:

Resource | Requirement
Steady state | 1 IOPS
Machine boot sign-in | 10 IOPS
Latency | 400 ms

To optimize the performance of your applications, we recommend:

Your file share should be in the same Azure region as your session hosts. If you're
using Azure Files, your storage account needs to be in the same Azure region as
your session hosts.

Exclude the disk images containing your applications from antivirus scans as
they're read-only.

Ensure your storage and network fabric can provide adequate performance. You
should avoid using the same file share with FSLogix profile containers.

Availability
Any disaster recovery plans for Azure Virtual Desktop must include replicating the file
share to your secondary failover location. You also need to ensure your file share path is
accessible in the secondary location. For example, you can use Distributed File System
(DFS) Namespaces with Azure Files to provide a single share name across different file
shares. To learn more about disaster recovery for Azure Virtual Desktop, see Set up a
business continuity and disaster recovery plan.

Azure Files
Azure Files has limits on the number of open handles per root directory, directory, and
file. When using app attach or MSIX app attach, VHDX or CimFS disk images are
mounted using the computer account of the session host, meaning one handle is
opened per session host per disk image, rather than per user. For more information on
the limits and sizing guidance, see Azure Files scalability and performance targets and
Azure Files sizing guidance for Azure Virtual Desktop.

MSIX and Appx package certificates
All MSIX and Appx packages require a valid code signing certificate. To use these
packages with app attach, you need to ensure the whole certificate chain is trusted on
your session hosts. A code signing certificate carries the enhanced key usage object
identifier 1.3.6.1.5.5.7.3.3. You can get a code signing certificate for your packages from:

A public certificate authority (CA).

An internal enterprise or standalone certificate authority, such as Active Directory
Certificate Services. You need to export the code signing certificate, including its
private key.

A tool such as the PowerShell cmdlet New-SelfSignedCertificate that generates a
self-signed certificate. You should only use self-signed certificates in a test
environment. For more information on creating a self-signed certificate for MSIX
and Appx packages, see Create a certificate for package signing.

Once you've obtained a certificate, you need to digitally sign your MSIX or Appx
packages with the certificate. You can use the MSIX Packaging Tool to sign your
packages when you create an MSIX package. For more information, see Create an MSIX
package from any desktop installer.

To ensure the certificate is trusted on your session hosts, you need your session hosts to
trust the whole certificate chain. How you do this depends on where you got the
certificate from and how you manage your session hosts and the identity provider you
use. The following list provides some guidance on how to ensure the certificate is
trusted on your session hosts:

Public CA: certificates from a public CA are trusted by default in Windows and
Windows Server.

Internal Enterprise CA:

For session hosts joined to Active Directory, with AD CS configured as the
internal enterprise CA, the CA certificates are trusted by default because they're
published in the configuration naming context of Active Directory Domain Services.
When AD CS is configured as a standalone CA, you need to configure Group Policy to
distribute the root and intermediate certificates to session hosts. For more
information, see Distribute certificates to Windows devices by using Group Policy.

For session hosts joined to Microsoft Entra ID, you can use Microsoft Intune to
distribute the root and intermediate certificates to session hosts. For more
information, see Trusted root certificate profiles for Microsoft Intune.

For session hosts using Microsoft Entra hybrid join, you can use either of the
previous methods, depending on your requirements.

Self-signed: install the trusted root to the Trusted Root Certification Authorities
store on each session host. We don't recommend distributing this certificate using
Group Policy or Intune as it should only be used for testing.

Important

You should timestamp your package so that its validity can outlast your certificate's
expiration date. Otherwise, once the certificate has expired, you need to update the
package with a new valid certificate and once again ensure it's trusted on your
session hosts.
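A pre-flight check for the three requirements this section sets out (trusted chain, code signing EKU, timestamp), as an added example written for this page rather than code from the Azure Virtual Desktop documentation. Run it on a session host, or on a machine with the same certificate trust configuration, before adding a package. It uses only built-in Windows PowerShell and .NET APIs; the package path is a placeholder.

```powershell
# Added example; this script is not part of the Azure Virtual Desktop documentation.
# Checks an MSIX/Appx package on this machine: signature valid and chain trusted here,
# signing certificate carries the code signing EKU 1.3.6.1.5.5.7.3.3, and the signature
# is timestamped so the package keeps validating after the certificate expires.
# Uses only built-in cmdlets and .NET types; the package path below is a placeholder.

function Test-AppAttachPackageSignature {
    param([Parameter(Mandatory)] [string] $PackagePath)

    # Get-AuthenticodeSignature understands .msix/.appx packages on Windows 10 and 11.
    $sig  = Get-AuthenticodeSignature -FilePath $PackagePath
    $cert = $sig.SignerCertificate

    $chainOk     = $false
    $chainStatus = 'no signer certificate'
    if ($cert) {
        # Build the chain against this machine's stores with online revocation checking,
        # which is what decides whether the session host will trust the package.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'Online'
        $chainOk = $chain.Build($cert)
        $chainStatus = if ($chainOk) { 'OK' } else { ($chain.ChainStatus | ForEach-Object Status) -join ',' }
    }

    # The certificate must include the code signing enhanced key usage.
    $eku = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $hasCodeSigningEku = [bool]($eku.EnhancedKeyUsages | Where-Object Value -eq '1.3.6.1.5.5.7.3.3')

    [pscustomobject]@{
        Package         = Split-Path -Path $PackagePath -Leaf
        SignatureStatus = $sig.Status             # 'Valid' only when the chain is trusted on this machine
        Signer          = $cert.Subject
        NotAfter        = $cert.NotAfter
        CodeSigningEku  = $hasCodeSigningEku
        ChainStatus     = $chainStatus
        Timestamped     = [bool]$sig.TimeStamperCertificate   # false: package stops validating when the cert expires
        Ready           = ($sig.Status -eq 'Valid') -and $chainOk -and $hasCodeSigningEku
    }
}

# Usage (placeholder path):
Test-AppAttachPackageSignature -PackagePath 'C:\msix\myapp.msix' | Format-List
```

For a self-signed test certificate, import the root into the machine store first (Import-Certificate -FilePath .\MyRoot.cer -CertStoreLocation Cert:\LocalMachine\Root) and rerun; SignatureStatus should move from UnknownError or NotTrusted to Valid. A package that reports Ready but Timestamped false will validate today and fail once NotAfter passes, which is the case the Important callout above describes.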

Next steps
Learn how to Add and manage app attach applications in Azure Virtual Desktop.


Create an MSIX image to use with app
attach in Azure Virtual Desktop
Article • 06/06/2024

To use MSIX packages with app attach and MSIX app attach in Azure Virtual Desktop,
you need to expand an MSIX package application into an MSIX image. This article shows
you how to create an MSIX image.

Prerequisites
Before you can create an MSIX image, you need the following things:

Download the MSIXMGR tool and extract it to a folder.

Administrative permissions on a Windows 10 or Windows 11 device to create the
MSIX image.

An MSIX-packaged application (.msix file) you want to use with Azure Virtual
Desktop. To learn how to convert a desktop installer to an MSIX package, see
Create an MSIX package from any desktop installer (MSI, EXE, ClickOnce, or App-V).

Tip

You can download an application that is already available as an MSIX package
from several software vendors. Microsoft XML Notepad is available to
download as an MSIX package. You can get the latest release from GitHub
by downloading the file with the .msixbundle file extension.

Note

If you're using packages from the Microsoft Store for Business or Education
on your network or on devices not connected to the internet, you'll need to
download and install package licenses from the Microsoft Store to run the
apps. To get the licenses, see Use packages offline.

Create an app attach disk image
When creating an MSIX image, you convert an MSIX package to a VHD, VHDX, or CIM
disk image using the MSIXMGR tool. We recommend using CIM for best performance,
particularly with Windows 11, as it consumes less CPU and memory, with improved
mounting and unmounting times. We don't recommend using VHD; use VHDX instead.

Select the relevant tab for your scenario.

CIM

Here are example commands to create a CIM disk image from an MSIX package.
You'll need to change the example values for your own.

You should create a new folder for the destination because a CIM disk image is
made up of multiple files and this helps differentiate between the images.

Important

To guarantee compatibility, make sure the CIM files storing your MSIX images
are generated on a version of Windows that is lower than or equal to the
version of Windows where you are planning to run the MSIX packages. For
example, CIM files generated on Windows 11 may not work on Windows 10.

1. Open a command prompt as an administrator and change to the directory where you
extracted the MSIXMGR tool.

2. Make sure the folder you use for the destination exists before you run
MSIXMGR. Create a new folder if necessary.

3. To create the CIM disk image, run the following command:

Windows Command Prompt

msixmgr.exe -Unpack -packagePath "C:\msix\myapp.msix" -destination "C:\msix\myapp\myapp.cim" -applyACLs -create -fileType cim -rootDirectory apps

The output should be similar to the following example:

Output

Successfully created the CIM file: C:\msix\myapp\myapp.cim
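The three steps above wrapped for a folder of packages, as an added example written for this page (not code from the Azure Virtual Desktop documentation or the MSIXMGR tool). It creates the destination folder, runs the msixmgr command from step 3 with only the switches shown on this page, checks that the multi-file CIM output described in the app attach overview (the .cim file plus objectid_* and region_* data files) was produced, and records the Windows build the image was built on so you can compare it with your session hosts before deploying, as the Important callout requires. Assumptions: an elevated PowerShell session; the msixmgr path, package folder and output folder are placeholders.

```powershell
# Added example; this script is not part of the Azure Virtual Desktop documentation.
# Expands each MSIX package into its own CIM image with msixmgr, validates the output
# file set, and writes the build it was created on next to the image.
# Assumptions: elevated session; msixmgr path, package folder and output folder are placeholders.

function New-AppAttachCimImage {
    param(
        [Parameter(Mandatory)] [string] $MsixmgrPath,   # full path to msixmgr.exe
        [Parameter(Mandatory)] [string] $PackagePath,   # .msix or .msixbundle
        [Parameter(Mandatory)] [string] $OutputRoot     # one sub-folder per image is created here
    )
    if (-not (Test-Path -Path $PackagePath -PathType Leaf)) { throw "Package not found: $PackagePath" }

    $name = [System.IO.Path]::GetFileNameWithoutExtension($PackagePath)
    $dest = Join-Path -Path $OutputRoot -ChildPath $name
    # A CIM image is several files and msixmgr expects the destination folder to exist,
    # so give every image its own folder.
    New-Item -ItemType Directory -Path $dest -Force | Out-Null
    $cim = Join-Path -Path $dest -ChildPath "$name.cim"

    & $MsixmgrPath -Unpack -packagePath $PackagePath -destination $cim -applyACLs -create -fileType cim -rootDirectory apps
    if ($LASTEXITCODE -ne 0) { throw "msixmgr failed for $PackagePath (exit code $LASTEXITCODE)" }

    # Validate the expected file set before the image is copied to the file share.
    $files = Get-ChildItem -Path $dest -File
    $complete = (Test-Path -Path $cim) -and
                (@($files | Where-Object Name -like 'objectid_*').Count -ge 1) -and
                (@($files | Where-Object Name -like 'region_*').Count -ge 1)
    if (-not $complete) { throw "CIM image for '$name' is incomplete in $dest" }

    $info = [pscustomobject]@{
        Package = $name
        Image   = $cim
        Files   = $files.Count
        SizeMB  = [math]::Round((($files | Measure-Object -Property Length -Sum).Sum) / 1MB, 1)
        # CIM images must be built on a Windows build no newer than the session hosts that mount them.
        BuiltOn = [System.Environment]::OSVersion.Version.ToString()
    }
    $info | ConvertTo-Json | Set-Content -Path (Join-Path -Path $dest -ChildPath 'build-info.json')
    $info
}

# Usage (placeholders): convert every package in C:\msix into C:\msix\images\<name>\<name>.cim
Get-ChildItem -Path 'C:\msix' -Filter *.msix | ForEach-Object {
    New-AppAttachCimImage -MsixmgrPath 'C:\msixmgr\x64\msixmgr.exe' -PackagePath $_.FullName -OutputRoot 'C:\msix\images'
}
```

Copy the whole per-image folder to the file share, not just the .cim file; the objectid_* and region_* files carry the application data and the .cim file alone is only metadata.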


Next steps
After you've created the MSIX image, you need to store it on a file share and add the
MSIX package to Azure Virtual Desktop.

Here are some other articles you might find helpful:

App attach in Azure Virtual Desktop
Learn more about the available MSIXMGR tool parameters.


Add and manage app attach and MSIX
app attach applications in Azure Virtual
Desktop
Article • 03/04/2024

Tip

A new version of app attach for Azure Virtual Desktop is available. Select a button
at the top of this article to choose between app attach and MSIX app attach to see
the relevant documentation.

App attach enables you to dynamically attach applications from an application package
to a user session in Azure Virtual Desktop. Applications aren't installed locally on session
hosts or images, enabling you to create fewer custom images for your session hosts,
and reducing operational overhead and costs for your organization. Delivering
applications with app attach also gives you greater control over which applications your
users can access in a remote session.

This article shows you how to add and manage applications with app attach in Azure
Virtual Desktop using the Azure portal and Azure PowerShell. You can't add or manage
app attach applications using Azure CLI. Before you start, make sure you read the
overview for app attach and MSIX app attach in Azure Virtual Desktop.

Important

You have to choose whether you want to use app attach or MSIX app attach with a
host pool. You can't use both versions with the same host pool.

Prerequisites
In order to use app attach in Azure Virtual Desktop, you need the following things:

An existing host pool with session hosts, an application group, and a workspace.

Your session hosts need to run a supported Windows client operating system and
at least one of them must be powered on. Windows Server isn't supported.

Your session hosts need to be joined to Microsoft Entra ID or an Active Directory
Domain Services (AD DS) domain.

An SMB file share in the same Azure region as your session hosts. All session hosts
in the host pool must have read access with their computer account. This file share
is used to store your application images. For more information on the
requirements for the file share, see File share.

To use Azure Files when your session hosts are joined to Microsoft Entra ID, you need
to assign the Reader and Data Access Azure role-based access control (RBAC) role
to both the Azure Virtual Desktop and Azure Virtual Desktop ARM Provider
service principals. This RBAC role assignment allows your session hosts to access
the storage account using access keys or Microsoft Entra.

To learn how to assign an Azure RBAC role to the Azure Virtual Desktop service
principals, see Assign RBAC roles to the Azure Virtual Desktop service principals. In
a future update, you won't need to assign the Azure Virtual Desktop ARM
Provider service principal.

An MSIX or Appx disk image that you created from an application package or an
App-V package stored on the file share. For more information, see Create an
image, where you can also download a prebuilt MSIX package for testing. If using
App-V, see Creating and managing App-V virtualized applications.

To add MSIX images, you need the Desktop Virtualization Contributor Azure role-based
access control (RBAC) role assigned on the resource group as a minimum. To
assign users to the application group, you also need
Microsoft.Authorization/roleAssignments/write permissions on the application
group. Built-in RBAC roles that include this permission are User Access
Administrator and Owner.

If you want to use Azure PowerShell locally, see Use Azure PowerShell with Azure
Virtual Desktop to make sure you have the Az.DesktopVirtualization and Microsoft
Graph PowerShell modules installed. Alternatively, use the Azure Cloud Shell.

You need to use version 4.2.1 of the Az.DesktopVirtualization PowerShell module,
which contains the cmdlets that support app attach. You can download and install
the Az.DesktopVirtualization PowerShell module from the PowerShell Gallery.

Important

All MSIX and Appx application packages include a certificate. You're
responsible for making sure the certificates are trusted in your environment.
Self-signed certificates are supported with the appropriate chain of trust.

You have to choose whether you want to use app attach or MSIX app attach
with a host pool. You can't use both versions with the same package in the
same host pool.

Add an application
To add an application in an MSIX image, Appx image, or App-V package to Azure Virtual
Desktop as an app attach package, select the relevant tab for your scenario and follow
the steps.

Portal

Here's how to add an MSIX image, Appx image, or App-V package as an app attach
package using the Azure portal:

1. Sign in to the Azure portal.

2. In the search bar, type Azure Virtual Desktop and select the matching service
entry to go to the Azure Virtual Desktop overview.

3. Select App attach, then select + Create.

4. On the Basics tab, complete the following information:

Subscription: Select the subscription you want to add an MSIX image, Appx image, or
App-V package to from the drop-down list.

Resource group: Select an existing resource group or select Create new and enter a
name.

Host pool: Select an existing host pool from the drop-down list.

Location: Select the Azure region for your app attach package.

Once you've completed this tab, select Next.

5. On the Image path tab, complete the following information:


Image path: Select from Select from storage account if your image is stored in Azure
Files or Input UNC to specify a UNC path. Subsequent fields depend on which option
you select.

Select from storage account:

  Storage account: Select the storage account your image is in.

  File share: Select Select a file, then browse to the file share and directory your
  image is in. Check the box next to the image you want to add, for example
  MyApp.cim, then select Select.

  MSIX package: Select the MSIX or Appx package from the image.

Input UNC:

  UNC: Enter the UNC path to your image file.

  MSIX package: Select the MSIX or Appx package from the image.

Either option:

  Display name: Enter a friendly name for your application.

  Version: Check that the expected version number is shown.

  Registration type: Select the registration type you want to use.

  State: Select the initial state for the package.

  Health check status on failure: Select the status for the package if it fails to
  stage on a session host. This status is reported for AppAttachHealthCheck for the
  session host health check status.

Once you've completed this tab, select Next.

Tip

Once you've completed this tab, you can continue to optionally assign the
application to host pools, users and groups. Alternatively, if you want to
configure assignments separately, select Review + create, then go to Assign an app
attach package.

6. Optional: On the Assignments tab, complete the following information:

a. For Host pool, select which host pools you want to assign the application
to. If you're already using MSIX app attach with a host pool, you can't select
that host pool as you can't use both versions of app attach with the same
host pool.

b. Select Add users or user groups, then search for and select the users or
groups you want to assign the application to. Once you have finished,
select Select.

c. Review the assignments you added, then select Next.

7. Optional: On the Tags tab, you can enter any name/value pairs you need, then
select Review + create.

8. On the Review + create tab, ensure validation passes and review the
information that is used during deployment, then select Create to add the
application.

Assign an app attach package

You need to assign an app attach package to host pools as well as groups and users.
Select the relevant tab for your scenario and follow the steps.

Note

User accounts need to be hybrid accounts (created in AD DS and synchronized to
Azure AD), but groups do not.

Portal

Here's how to assign an application package to host pools, users and groups using
the Azure portal:

Host pools
1. From the Azure Virtual Desktop overview, select App attach, then select the
name of the app attach package you want to assign.

2. In the section Manage, select Host pools.

3. Select + Assign, then select one or more host pools from the drop-down list.
Make sure that all session hosts in the host pool have read access with their
computer account, as listed in the prerequisites.

4. Select Add.

Groups and users

1. From the Azure Virtual Desktop overview, select App attach, then select the
name of the app attach package you want to assign.

2. In the section Manage, select Users.

3. Select + Add, then select one or more groups and/or users from the list.

4. Select Select.

7 Note

Adding a package, setting it to active, and assigning it to a host pool and users
automatically makes the application available in a desktop session. If you want to
use RemoteApp, you'll need to add the application to a RemoteApp application
group. For more information, see Publish an MSIX or Appx application with a
RemoteApp application group. You can't add MSIX or Appx applications to the
desktop application group with app attach.

Change registration type and state

You can manage your MSIX and Appx packages by changing their registration type and
state. Select the relevant tab for your scenario and follow the steps.

Portal

Here's how to change a package's registration type and state using the Azure
portal:

1. From the Azure Virtual Desktop overview, select App attach. You should see a
list of all existing packages within the host pool.

2. Select the name of the package you want to change.

a. To change the registration type, select On-demand or Register at log on,
then select Save.

b. To change the state, select Inactive or Active, then select Save.

Publish an MSIX or Appx application with a RemoteApp application group

You can make MSIX and Appx applications available to users by publishing them with a
RemoteApp application group. You don't need to add applications to a desktop
application group when using app attach as you only need to Assign an app attach
package. The application you want to publish must be assigned to a host pool.

Portal

Here's how to add an application from the package you added in this article to a
RemoteApp application group using the Azure portal:

1. From the Azure Virtual Desktop overview, select Application groups, then
select the RemoteApp application group you want to add an application to.

2. Select Applications, then select + Add. Make sure you have at least one session
host powered on in the host pool the application group is assigned to.

3. On the Basics tab, complete the following information:

Application source: Select App Attach from the drop-down list. If you want to add
applications from the Start menu or by specifying a file path, see Publish
applications with RemoteApp.

Package: Select a package available for the host pool from the drop-down list.
Regional packages are from app attach.

Application: Select an application from the drop-down list.

Application identifier: Enter a unique identifier for the application.

Display name: Enter a friendly name for the application that is shown to users.

Description: Enter a description for the application.

Once you've completed this tab, select Next.

4. On the Icon tab, select Default to use the default icon for the application, or
select File path to use a custom icon. For File path, select one of the following
options:

Browse Azure Files to use an icon from an Azure file share. Select Select
a storage account and select the storage account containing your icon
file, then select Select icon file. Browse to the file share and directory
your icon is in, check the box next to the icon you want to add, for
example MyApp.ico , then select Select. You can also use a .png file. For
Icon index, specify the index number for the icon you want to use. This
number is usually 0.

UNC file path to use an icon from a file share. For Icon path, enter the
UNC path to your icon file, for example \\MyFileShare\MyApp.ico . You
can also use a .png file. For Icon index, specify the index number for the
icon you want to use. This number is usually 0.

Once you've completed this tab, select Review + add.

5. On the Review + add tab, ensure validation passes and review the information
that is used to add the application, then select Add to add the application to
the RemoteApp application group.

Update an existing package

You can update an existing package by supplying a new MSIX image, Appx image, or
App-V package containing the updated application. For more information, see New
versions of applications.

To update an existing package in-place, select the relevant tab for your scenario and
follow the steps.

Portal

Here's how to update an existing package using the Azure portal:

1. From the Azure Virtual Desktop overview, select App attach. You should see a
list of all existing packages.

2. Select the package you want to update, then from the overview, select
Update.

3. Enter the information for the updated package:

a. Subscription and Resource group are prepopulated with the values for the
current package.

b. Select the Host pool for which you want to update the package.

c. Select the image path from Select from storage account or Input UNC.
Subsequent fields depend on which option you select.

i. For Select from storage account, select the Storage account containing
the updated image. Select Select a file, then browse to the file share and
directory your image is in. Check the box next to the image you want to
add, for example MyApp.cim, then select Select.

ii. For Input UNC, enter the UNC path to your image file.

d. For MSIX package, select the MSIX or Appx package from the image.

4. Once you've completed the fields, select Update.

Remove an app attach package

You can remove an app attach package that you no longer need. You don't need to
unassign host pools or users and groups first. Select the relevant tab for your scenario
and follow the steps.

Tip

You can also remove an application in an MSIX package published as a RemoteApp
from an application group the same way as other application types. For more
information, see Remove applications.

Portal

Here's how to remove an app attach package using the Azure portal:

1. From the Azure Virtual Desktop overview, select App attach. You should see a
list of all existing packages.

2. Check the box next to the name of the package you want to remove, then
select Remove. The package is also removed from any host pools it's assigned
to.

Disable automatic updates

We recommend that you disable automatic updates for MSIX and Appx applications. To
disable automatic updates, you need to set the following registry values on your
session hosts:

Key: HKLM\Software\Policies\Microsoft\WindowsStore
Type: DWORD
Name: AutoDownload
Value: 2
Description: Disables Microsoft Store automatic update.

Key: HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager
Type: DWORD
Name: PreInstalledAppsEnabled
Value: 0
Description: Disables content delivery automatic download.

Key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\Debug
Type: DWORD
Name: ContentDeliveryAllowedOverride
Value: 2
Description: Disables content delivery automatic download.

You can set these registry values using Group Policy or Intune, depending on how your
session hosts are managed. You can also set them by running the following PowerShell
commands as an administrator on each session host, but if you do this, you should also
set them in your operating system image:

PowerShell

# Disable Microsoft Store automatic update
If (!(Test-Path "HKLM:\Software\Policies\Microsoft\WindowsStore")) {
    New-Item -Path "HKLM:\Software\Policies\Microsoft\WindowsStore" -Force
}
New-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\WindowsStore" -Name AutoDownload -PropertyType DWORD -Value 2 -Force

# Disable content delivery automatic download
If (!(Test-Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager")) {
    New-Item -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" -Force
}
New-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" -Name PreInstalledAppsEnabled -PropertyType DWORD -Value 0 -Force

# Disable content delivery automatic download
If (!(Test-Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\Debug")) {
    New-Item -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\Debug" -Force
}
New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\Debug" -Name ContentDeliveryAllowedOverride -PropertyType DWORD -Value 2 -Force
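As an added check that is not part of the original article, the following script reads the three registry values listed above on a session host and reports any that are missing or differ from the expected value, so drift from the image or policy is caught before users see unexpected Store updates. Reading these keys needs no elevation; the HKCU value is evaluated for the account running the script, so run it in an interactive user session to check that setting.

```powershell
# Added example (not from the original article): audit the three automatic-update
# registry values documented above and report any drift from the expected values.
$expectedSettings = @(
    @{ Path = 'HKLM:\Software\Policies\Microsoft\WindowsStore'
       Name = 'AutoDownload'; Value = 2 }
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager'
       Name = 'PreInstalledAppsEnabled'; Value = 0 }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\Debug'
       Name = 'ContentDeliveryAllowedOverride'; Value = 2 }
)

function Test-AppAttachUpdateSetting {
    param([Parameter(Mandatory)][hashtable[]]$Expected)

    foreach ($setting in $Expected) {
        $actual = $null
        if (Test-Path -Path $setting.Path) {
            # A missing value name is reported as $null rather than as an error
            $item = Get-ItemProperty -Path $setting.Path -Name $setting.Name -ErrorAction SilentlyContinue
            if ($null -ne $item) { $actual = $item.($setting.Name) }
        }
        [pscustomobject]@{
            Key       = $setting.Path
            Name      = $setting.Name
            Expected  = $setting.Value
            Actual    = $actual
            Compliant = ($null -ne $actual -and [int]$actual -eq $setting.Value)
        }
    }
}

$results = Test-AppAttachUpdateSetting -Expected $expectedSettings
$results | Format-Table Name, Expected, Actual, Compliant -AutoSize

# Non-zero exit code so a scheduled task or monitoring agent can flag the host
$nonCompliant = @($results | Where-Object { -not $_.Compliant })
if ($nonCompliant.Count -gt 0) {
    Write-Warning ("Automatic-update settings not applied on {0}: {1}" -f $env:COMPUTERNAME, ($nonCompliant.Name -join ', '))
    exit 1
}
Write-Output "All automatic-update settings are applied on $env:COMPUTERNAME."
```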

Next steps
Learn how to publish applications from the start menu or a file path with RemoteApp.
For more information, see Publish applications.


Test MSIX packages for app attach
Article • 03/04/2024

This article shows you how to mount MSIX packages outside of Azure Virtual Desktop to
help test your packages for app attach. The APIs that power app attach are available for
Windows 11 Enterprise and Windows 10 Enterprise. These APIs can be used outside of
Azure Virtual Desktop for testing, however there's no management plane for app attach
or MSIX app attach outside of Azure Virtual Desktop.

For more information about app attach and MSIX app attach, see app attach and MSIX
app attach in Azure Virtual Desktop.

Prerequisites
Before you can test a package to follow the directions in this article, you need the
following things:

A device running Windows 11 Enterprise or Windows 10 Enterprise.

An application you expanded from MSIX format into an image you can use with
app attach. Learn how to Create an MSIX image to use with app attach in Azure
Virtual Desktop.

If you're using a CimFS image, you need to install the CimDiskImage PowerShell
module.

A user account that has local administrator permission on the device you're using
to test the MSIX package.

You don't need an Azure Virtual Desktop deployment because this article describes a
process for testing outside of Azure Virtual Desktop.

Note

Microsoft Support doesn't support the CimDiskImage PowerShell module, so if you run
into any problems, you'll need to submit a request on the module's GitHub
repository.

Phases
To use MSIX packages outside of Azure Virtual Desktop, there are four distinct phases
that you must perform in the following order:

1. Stage
2. Register
3. Deregister
4. Destage

Staging and destaging are machine-level operations, while registering and deregistering
are user-level operations. The commands you need to use vary based on which version
of PowerShell you're using and whether your disk images are in CimFS, VHDX or VHD
format.

7 Note

All MSIX packages include a certificate. You're responsible for making sure the
certificates for MSIX packages are trusted in your environment.

Prepare to stage an MSIX package

The staging script prepares your machine to receive the MSIX package and mounts the
relevant package to your machine.

Select the relevant tab for the version of PowerShell you're using.

PowerShell 6 and later

To stage packages using PowerShell 6 or later, you need to run the following
commands before the staging operations to bring the capabilities of the Windows
Runtime package to PowerShell.

1. Open a PowerShell prompt as an administrator.

2. Run the following command to download and install the Windows Runtime
Package. You only need to run the following commands once per machine.

PowerShell

#Required for PowerShell 6 and later
$nuGetPackageName = 'Microsoft.Windows.SDK.NET.Ref'
Register-PackageSource -Name MyNuGet -Location https://www.nuget.org/api/v2 -ProviderName NuGet
Find-Package $nuGetPackageName | Install-Package

3. Next, run the following command to make the Windows Runtime components
available in PowerShell:

PowerShell

#Required for PowerShell 6 and later
$nuGetPackageName = 'Microsoft.Windows.SDK.NET.Ref'
$winRT = Get-Package $nuGetPackageName
$dllWinRT = Get-ChildItem (Split-Path -Parent $winRT.Source) -Recurse -File WinRT.Runtime.dll
$dllSdkNet = Get-ChildItem (Split-Path -Parent $winRT.Source) -Recurse -File Microsoft.Windows.SDK.NET.dll
Add-Type -AssemblyName $dllWinRT.FullName
Add-Type -AssemblyName $dllSdkNet.FullName

Stage an MSIX package

Now that you prepared your machine to stage MSIX packages, you need to mount your
disk image, then finish staging your MSIX package.

Mount a disk image

The process to mount a disk image varies depending on whether you're using the
CimFS, VHDX, or VHD format for your disk image. Select the relevant tab for the format
you're using.

CimFS

To mount a CimFS disk image:

1. In the same PowerShell session, run the following command:

PowerShell

$diskImage = "<Local or UNC path to the disk image>"

$mount = Mount-CimDiskImage -ImagePath $diskImage -PassThru -NoMountPath

#We can now get the Device Id for the mounted volume, this will be useful for the destage step.
$deviceId = $mount.DeviceId
Write-Output $deviceId

2. Keep the variable $deviceId. You need this information later in this article.

3. When you're done, proceed to Finish staging a disk image.

Finish staging a disk image

Finally, you need to run the following commands for all image formats to complete
staging the disk image. These commands use the $deviceId variable you created when
you mounted your disk image in the previous section.

1. In the same PowerShell session, retrieve the application information by running the
following commands:

PowerShell

$manifest = Get-ChildItem -LiteralPath $deviceId -Recurse -File AppxManifest.xml
$manifestFolder = $manifest.DirectoryName

2. Get the MSIX package full name and store it in a variable by running the following
commands. This variable is needed for later steps.

PowerShell

$msixPackageFullName = $manifestFolder.Split('\')[-1]
Write-Output $msixPackageFullName

3. Create an absolute URI for the manifest folder for the Package Manager API by
running the following commands:

PowerShell

$folderUri = $manifestFolder.Replace('\\?\','file:\\\')
$folderAbsoluteUri = ([Uri]$folderUri).AbsoluteUri

4. Use the absolute URI to stage the application package by running the following
commands:

PowerShell

$asTask = ([System.WindowsRuntimeSystemExtensions].GetMethods() | Where-Object { $_.ToString() -eq 'System.Threading.Tasks.Task`1[TResult] AsTask[TResult,TProgress](Windows.Foundation.IAsyncOperationWithProgress`2[TResult,TProgress])' })[0]
$asTaskAsyncOperation = $asTask.MakeGenericMethod([Windows.Management.Deployment.DeploymentResult], [Windows.Management.Deployment.DeploymentProgress])

$packageManager = New-Object -TypeName Windows.Management.Deployment.PackageManager

$asyncOperation = $packageManager.StagePackageAsync($folderAbsoluteUri, $null, "StageInPlace")

5. Monitor the staging progress for the application package by running the following
commands. The time it takes to stage the package depends on its size. The Status
property of the $stagingResult variable will be RanToCompletion when the staging
is complete.

PowerShell

$stagingResult = $asTaskAsyncOperation.Invoke($null, @($asyncOperation))

while ($stagingResult.Status -eq "WaitingForActivation") {
    Write-Output "Waiting for activation..."
    Start-Sleep -Seconds 5
}

Write-Output $stagingResult

Once your MSIX package is staged, you can register your MSIX package.

Register an MSIX package

To register an MSIX package, run the following commands in the same PowerShell
session. These commands use the $msixPackageFullName variable created in a previous
section.

PowerShell

$manifestPath = Join-Path (Join-Path $Env:ProgramFiles 'WindowsApps') (Join-Path $msixPackageFullName AppxManifest.xml)
Add-AppxPackage -Path $manifestPath -DisableDevelopmentMode -Register

Now that your MSIX package is registered, your application should be available for use
in your session. You can now open the application for testing and troubleshooting. Once
you're finished, you need to deregister and destage your MSIX package.

Deregister an MSIX package
Once you're finished with your MSIX package and are ready to remove it, first you need
to deregister it. To deregister the MSIX package, run the following commands in the
same PowerShell session. These commands get the disk's DeviceId parameter again,
and remove the package using the $msixPackageFullName variable created in a previous
section.

PowerShell

$appPath = Join-Path (Join-Path $Env:ProgramFiles 'WindowsApps') $msixPackageFullName
$folderInfo = Get-Item $appPath
$deviceId = '\\?\' + $folderInfo.Target.Split('\')[0] +'\'
Write-Output $deviceId #Save this for later

Remove-AppxPackage $msixPackageFullName -PreserveRoamableApplicationData

Destage an MSIX package

Finally, to destage the MSIX package, you need to dismount your disk image. Before you
do, run the following command in the same PowerShell session to ensure that the
package isn't still registered for any user. This command uses the
$msixPackageFullName variable created in a previous section.

PowerShell

Remove-AppxPackage -AllUsers -Package $msixPackageFullName -ErrorAction SilentlyContinue

Dismount the disk image

To finish the destaging process, you need to dismount the disk image from the system.
The command you need to use depends on the format of your disk image. Select the
relevant tab for the format you're using.

CimFS

To dismount a CimFS disk image, run the following commands in the same
PowerShell session:

PowerShell

Dismount-CimDiskImage -DeviceId $deviceId

Once you finished dismounting your disks, you've safely removed your MSIX package.

Set up simulation scripts for the MSIX app attach agent

If you want to add and remove MSIX packages to your device automatically, you can use
the PowerShell commands in this article to create scripts that run at startup, logon,
logoff, and shutdown. To learn more, see Using startup, shutdown, logon, and logoff
scripts in Group Policy. You need to make sure that any variables required for each
phase are available in each script.

You create a script for each phase:

The startup script runs the stage process.
The logon script runs the register process.
The logoff script runs the deregister process.
The shutdown script runs the destage process.

7 Note

You can use task scheduler to run the stage script. To run the script, set the task
trigger to When the computer starts and enable Run with highest privileges.
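The four scripts described above can be one script selected by phase. The following is an added example, not code from the original article: it persists the $deviceId and $msixPackageFullName values from the Stage phase in a state file so the Register, Deregister and Destage phases, which run in different sessions, can read them. It assumes a CimFS image at the $DiskImage path shown (a placeholder), PowerShell 6 or later with the Microsoft.Windows.SDK.NET.Ref NuGet package already installed as in the preparation step, and the CimDiskImage module.

```powershell
<#
  Added example (not part of the original article). Run as:
    .\Invoke-AppAttachPhase.ps1 -Phase Stage       (startup script, as SYSTEM)
    .\Invoke-AppAttachPhase.ps1 -Phase Register    (logon script, as the user)
    .\Invoke-AppAttachPhase.ps1 -Phase Deregister  (logoff script, as the user)
    .\Invoke-AppAttachPhase.ps1 -Phase Destage     (shutdown script, as SYSTEM)
  Assumptions: CimFS image, PowerShell 6+, CimDiskImage module installed.
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory)]
    [ValidateSet('Stage', 'Register', 'Deregister', 'Destage')]
    [string]$Phase,
    [string]$DiskImage = '\\fileserver\appattach\MyApp.cim',                # assumed placeholder path
    [string]$StateFile = "$env:ProgramData\AppAttachTest\MyApp.state.json"  # assumed placeholder path
)

function Initialize-WinRt {
    # Same bootstrap as the article's "PowerShell 6 and later" preparation step
    $winRT = Get-Package 'Microsoft.Windows.SDK.NET.Ref'
    $root = Split-Path -Parent $winRT.Source
    Add-Type -AssemblyName (Get-ChildItem $root -Recurse -File WinRT.Runtime.dll).FullName
    Add-Type -AssemblyName (Get-ChildItem $root -Recurse -File Microsoft.Windows.SDK.NET.dll).FullName
}

function Read-State {
    if (-not (Test-Path -Path $StateFile)) {
        throw "State file $StateFile not found; run the Stage phase first."
    }
    Get-Content -Path $StateFile -Raw | ConvertFrom-Json
}

switch ($Phase) {
    'Stage' {
        Initialize-WinRt
        # Mount the image and locate the package manifest folder, as in the article
        $mount = Mount-CimDiskImage -ImagePath $DiskImage -PassThru -NoMountPath
        $deviceId = $mount.DeviceId
        $manifestFolder = (Get-ChildItem -LiteralPath $deviceId -Recurse -File AppxManifest.xml).DirectoryName
        $msixPackageFullName = $manifestFolder.Split('\')[-1]
        $folderAbsoluteUri = ([Uri]$manifestFolder.Replace('\\?\', 'file:\\\')).AbsoluteUri

        # Stage in place through the Package Manager API and wait for the async operation
        $asTask = ([System.WindowsRuntimeSystemExtensions].GetMethods() | Where-Object {
            $_.ToString() -eq 'System.Threading.Tasks.Task`1[TResult] AsTask[TResult,TProgress](Windows.Foundation.IAsyncOperationWithProgress`2[TResult,TProgress])'
        })[0]
        $asTaskAsyncOperation = $asTask.MakeGenericMethod(
            [Windows.Management.Deployment.DeploymentResult],
            [Windows.Management.Deployment.DeploymentProgress])
        $packageManager = New-Object -TypeName Windows.Management.Deployment.PackageManager
        $asyncOperation = $packageManager.StagePackageAsync($folderAbsoluteUri, $null, 'StageInPlace')
        $stagingResult = $asTaskAsyncOperation.Invoke($null, @($asyncOperation))
        while ($stagingResult.Status -eq 'WaitingForActivation') { Start-Sleep -Seconds 5 }
        if ($stagingResult.Status -ne 'RanToCompletion') {
            # Don't leave a half-staged image mounted on failure
            Dismount-CimDiskImage -DeviceId $deviceId
            throw "Staging of $msixPackageFullName failed with status $($stagingResult.Status)"
        }

        # Persist the values the later phases need
        New-Item -ItemType Directory -Path (Split-Path -Parent $StateFile) -Force | Out-Null
        @{ DeviceId = $deviceId; PackageFullName = $msixPackageFullName } |
            ConvertTo-Json | Set-Content -Path $StateFile
    }
    'Register' {
        $state = Read-State
        $manifestPath = Join-Path (Join-Path $Env:ProgramFiles 'WindowsApps') (Join-Path $state.PackageFullName 'AppxManifest.xml')
        Add-AppxPackage -Path $manifestPath -DisableDevelopmentMode -Register
    }
    'Deregister' {
        $state = Read-State
        Remove-AppxPackage -Package $state.PackageFullName -PreserveRoamableApplicationData
    }
    'Destage' {
        $state = Read-State
        # Make sure no user still has the package registered before dismounting
        Remove-AppxPackage -AllUsers -Package $state.PackageFullName -ErrorAction SilentlyContinue
        Dismount-CimDiskImage -DeviceId $state.DeviceId
        Remove-Item -Path $StateFile -Force
    }
}
```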

Use packages offline


If you're using packages on devices that aren't connected to the internet, you need to
make sure the package licenses are installed on your device to successfully run the app.
If your device is online, the required licenses should download automatically.

To install the license files, you need to use a PowerShell script that calls the
MDM_EnterpriseModernAppManagement_StoreLicenses02_01 class in the WMI Bridge
Provider.

Here's how to set up a license for offline use:

1. Download the app package, license, and required frameworks from the Microsoft
Store for Business. You need both the encoded and unencoded license files. To
learn how to download an offline-licensed app, see Distribute offline apps.

2. Run the following PowerShell commands as an administrator. You can install the
license at the end of the staging phase. You need to edit the following variables:

$contentID is the ContentID value from the unencoded license file (.xml). You can
open the license file in a text editor of your choice.

$licenseBlob is the entire string for the license blob in the encoded license
file (.bin). You can open the encoded license file in a text editor of your
choice.

PowerShell

$namespaceName = "root\cimv2\mdm\dmmap"
$className = "MDM_EnterpriseModernAppManagement_StoreLicenses02_01"
$methodName = "AddLicenseMethod"
$parentID = "./Vendor/MSFT/EnterpriseModernAppManagement/AppLicenses/StoreLicenses"

#Update $contentID with the ContentID value from the unencoded license file (.xml)
$contentID = "{'ContentID'_in_unencoded_license_file}"

#Update $licenseBlob with the entire String in the encoded license file (.bin)
$licenseBlob = "{Entire_String_in_encoded_license_file}"

$session = New-CimSession

#The final string passed into the AddLicenseMethod should be of the form <License Content="encoded license blob" />
$licenseString = '<License Content='+ '"' + $licenseBlob +'"' + ' />'

$params = New-Object Microsoft.Management.Infrastructure.CimMethodParametersCollection
$param = [Microsoft.Management.Infrastructure.CimMethodParameter]::Create("param",$licenseString ,"String", "In")
$params.Add($param)

try
{
    $instance = New-CimInstance -Namespace $namespaceName -ClassName $className -Property @{ParentID=$parentID;InstanceID=$contentID}
    $session.InvokeMethod($namespaceName, $instance, $methodName, $params)
}
catch [Exception]
{
    #Write-Host emits nothing on the pipeline, so format the error first
    Write-Host ($_ | Out-String)
}

Demonstration scripts
You can find demonstration scripts for all four stages of testing MSIX packages and
syntax help for how to use them in our GitHub repository. These scripts work with any
version of PowerShell and any disk image format.

Next steps
Learn more about app attach and MSIX app attach in Azure Virtual Desktop:

app attach and MSIX app attach.


Add and manage app attach and MSIX app attach applications.


Migrate MSIX packages from MSIX app
attach to app attach
Article • 11/26/2024

App attach improves the administrative and user experiences over MSIX app attach. If
you use MSIX app attach, you can migrate your MSIX packages to app attach using a
PowerShell script.

The migration script can perform the following actions:

Creates a new app attach package object and can delete the original MSIX
package object, if necessary.

Copy permissions from application groups associated with the host pool and MSIX
package.

Copy the location and resource group of the host pool and MSIX package.

Log migration activity.

Prerequisites
To use the migration script, you need:

A host pool configured as a validation environment, with at least one MSIX
package added with MSIX app attach.

An Azure account with the Desktop Virtualization Contributor Azure role-based
access control (RBAC) role assigned on the host pool.

A local device with PowerShell. Make sure you have the latest versions of Az
PowerShell and Microsoft Graph PowerShell SDK installed. Specifically, the
following modules are required:

Az.DesktopVirtualization
Az.Accounts
Az.Resources
Microsoft.Graph.Authentication

Parameters
Here are the parameters you can use with the migration script:
MsixPackage: The MSIX package object to migrate to an app attach object. This value
can be passed in via pipeline.

PermissionSource: Where to get permissions from for the new app attach object.
Defaults to no permissions granted. The options are:

  DAG: the desktop application group associated with the host pool and MSIX
  package.

  RAG: one or more RemoteApp application groups associated with the host pool and
  MSIX package.

  Both options grant permission to all users and groups with any permission that is
  scoped specifically to the application group.

HostPoolsForNewPackage: Resource IDs of host pools to associate the new app attach
object with. Defaults to no host pools. Host pools must be in the same location as
the app attach packages they're associated with.

TargetResourceGroupName: Resource group to store the new app attach object. Defaults
to the resource group of the host pool that the MSIX package is associated with.

Location: Azure region to create the new app attach object in. Defaults to the
location of the host pool that the MSIX package is associated with. App attach
packages have to be in the same location as the host pool they're associated with.

DeleteOrigin: Delete the source MSIX package after migration.

IsActive: Enables the new app attach object.

DeactivateOrigin: Disables the source MSIX package object after migration.

PassThru: Passes the new app attach object through. PassThru returns the object for
the created package. Use this value if you want to inspect it or pass it to another
PowerShell command.

LogInJSON: Write to the log file in JSON format.

LogFilePath: Path of the log file, defaults to MsixMigration[Timestamp].log in a
temp folder, such as
C:\Users\%USERNAME%\AppData\Local\Temp\MsixMigration<DATETIME>.log. The path for
logging is written to the console when the script is run.

Download and run the migration script

Here's how to migrate MSIX packages from MSIX app attach to app attach.

Important

In the following examples, you'll need to change the <placeholder> values for your
own.

1. Open a PowerShell prompt on your local device.

2. Download the PowerShell script Migrate-MsixPackagesToAppAttach.ps1 and
unblock it by running the following commands:

PowerShell

$url = "https://raw.githubusercontent.com/Azure/RDS-Templates/master/msix-app-attach/MigrationScript/Migrate-MsixPackagesToAppAttach.ps1"
$filename = $url.Split('/')[-1]

# Invoke-WebRequest with -OutFile writes to disk and emits nothing on the pipeline,
# so the saved file is unblocked in a separate statement
Invoke-WebRequest -Uri $url -OutFile $filename
Unblock-File -Path $filename

3. Import the required modules by running the following commands:

PowerShell

Import-Module Az.DesktopVirtualization
Import-Module Az.Accounts
Import-Module Az.Resources
Import-Module Microsoft.Graph.Authentication

4. Connect to Azure by running the following command and following the prompts
to sign in to your Azure account:

PowerShell

Connect-AzAccount

5. Connect to Microsoft Graph by running the following command:

PowerShell

Connect-MgGraph -Scopes "Group.Read.All"

The following subsections contain some examples of how to use the migration script.
Refer to the parameters section for all the available parameters and a description of
each parameter.
Tip

If you don't pass any parameters to the migration script, it has the following default
behavior:

No permissions are granted to the new app attach package.
The new app attach package isn't associated with any host pools and is inactive.
The new app attach package is created in the same resource group and location as
the host pool.
The original MSIX package remains active and isn't disabled or deleted.
Log information is written to the default file path.

Migrate a specific MSIX package added to a host pool and application group

Here's an example to migrate a specific MSIX package added to a host pool from MSIX
app attach to app attach. This example:

Migrates the MSIX package to the same resource group and location as the host
pool.
Assigns the MSIX package in app attach to the same host pool and the same users
as the RemoteApp application group source.
Leaves the existing MSIX package configuration in MSIX app attach active on the
host pool. If you want to disable the MSIX package immediately, use the
-DeactivateOrigin parameter.
Sets the new MSIX package configuration in app attach inactive. If you want to
enable the MSIX package immediately, use the -IsActive parameter.
Writes log information to the default file path and format.

1. From the same PowerShell prompt, get a list of MSIX packages added to a host
pool by running the following commands:

PowerShell

$parameters = @{
    HostPoolName = '<HostPoolName>'
    ResourceGroupName = '<ResourceGroupName>'
}

Get-AzWvdMsixPackage @parameters | Select-Object DisplayName, Name

The output is similar to the following example:

Output

DisplayName Name
----------- ----
MyApp       hp01/MyApp_1.0.0.0_neutral__abcdef123ghij

2. Find the MSIX package you want to migrate and use the value from the Name
parameter in the previous output:

PowerShell

$parameters = @{
HostPoolName = '<HostPoolName>'
ResourceGroupName = '<ResourceGroupName>'
}

$msixPackage = Get-AzWvdMsixPackage @parameters | Where-Object Name -Match '<MSIXPackageName>'
$hostPoolId = (Get-AzWvdHostPool @parameters).Id

3. Migrate the MSIX package by running the following commands:

PowerShell

$parameters = @{
PermissionSource = 'RAG'
HostPoolsForNewPackage = $hostPoolId
PassThru = $true
}

$msixPackage | .\Migrate-MsixPackagesToAppAttach.ps1 @parameters

Migrate all MSIX packages added to a host pool

Here's an example to migrate all MSIX packages added to a host pool from MSIX app
attach to app attach. This example:

Migrates MSIX packages to the same resource group and location.
Adds the new app attach packages to the same host pool.
Sets all app attach packages to active.
Sets all MSIX packages to inactive.
Copies permissions from the associated desktop application group.
Writes log information to a custom file path at C:\MsixToAppAttach.log in JSON format.

1. From the same PowerShell prompt, get all MSIX packages added to a host pool
and store them in a variable by running the following commands:

PowerShell

$parameters = @{
HostPoolName = '<HostPoolName>'
ResourceGroupName = '<ResourceGroupName>'
}

$msixPackages = Get-AzWvdMsixPackage @parameters
$hostPoolId = (Get-AzWvdHostPool @parameters).Id

2. Migrate the MSIX packages by running the following commands:

PowerShell

$logFilePath = "C:\Temp\MsixToAppAttach.log"

$parameters = @{
IsActive = $true
DeactivateOrigin = $true
PermissionSource = 'DAG'
HostPoolsForNewPackage = $hostPoolId
PassThru = $true
LogInJSON = $true
LogFilePath = $LogFilePath
}

$msixPackages | .\Migrate-MsixPackagesToAppAttach.ps1 @parameters
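As an added example (not part of the original article), the following PowerShell snapshots the MSIX packages on a host pool before you run Migrate-MsixPackagesToAppAttach.ps1 with -DeactivateOrigin, and compares the state afterwards so you can confirm that each original was actually deactivated. It assumes Az.DesktopVirtualization is installed and you're signed in, and relies on the IsActive, Version and PackageFamilyName properties of the Get-AzWvdMsixPackage output; <HostPoolName> and <ResourceGroupName> are placeholders.

```powershell
# Added example: before/after snapshot of MSIX app attach packages on a host pool.
function Get-MsixPackageSnapshot {
    param(
        [Parameter(Mandatory)] [string] $HostPoolName,
        [Parameter(Mandatory)] [string] $ResourceGroupName
    )
    Get-AzWvdMsixPackage -HostPoolName $HostPoolName -ResourceGroupName $ResourceGroupName |
        ForEach-Object {
            [pscustomobject]@{
                Name              = $_.Name
                DisplayName       = $_.DisplayName
                PackageFamilyName = $_.PackageFamilyName
                Version           = $_.Version
                IsActive          = $_.IsActive
            }
        }
}

function Compare-MsixPackageSnapshot {
    param(
        [Parameter(Mandatory)] [object[]] $Before,
        [Parameter(Mandatory)] [object[]] $After
    )
    # Index the post-migration state by package name so each original can be looked up.
    $afterByName = @{}
    foreach ($pkg in $After) { $afterByName[$pkg.Name] = $pkg }

    foreach ($pkg in $Before) {
        $now = $afterByName[$pkg.Name]
        [pscustomobject]@{
            Name           = $pkg.Name
            Version        = $pkg.Version
            ActiveBefore   = $pkg.IsActive
            # 'missing' means the original MSIX package no longer exists on the host pool.
            ActiveAfter    = if ($null -eq $now) { 'missing' } else { $now.IsActive }
            # True only when the package was active before and is inactive now,
            # which is what -DeactivateOrigin is expected to produce.
            OriginDisabled = ($null -ne $now) -and $pkg.IsActive -and -not $now.IsActive
        }
    }
}

# Usage: take the snapshot before the migration ...
$before = Get-MsixPackageSnapshot -HostPoolName '<HostPoolName>' -ResourceGroupName '<ResourceGroupName>'
# ... run Migrate-MsixPackagesToAppAttach.ps1 with -DeactivateOrigin, then re-query and compare:
$after = Get-MsixPackageSnapshot -HostPoolName '<HostPoolName>' -ResourceGroupName '<ResourceGroupName>'
Compare-MsixPackageSnapshot -Before $before -After $after | Format-Table -AutoSize
```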

Deliver applications from partner solutions to Azure Virtual Desktop with app attach
Article • 11/04/2024

Several partners provide application delivery solutions to Azure Virtual Desktop via
integration with app attach. This article provides links to those partners where you can
read more about connecting to Azure Virtual Desktop. You can also use our native app
attach solution to dynamically deliver applications to your session hosts.

Partner application delivery

The following partners have application delivery solutions that have been approved to
use with Azure Virtual Desktop. Visit their documentation to learn how to deliver
applications to Azure Virtual Desktop.

Partner      Partner documentation               Partner support
Liquidware   Liquidware FlexApp documentation    Liquidware support
Numecent     Numecent CloudPager documentation   Numecent support
Omnissa      Omnissa App Volumes documentation   Omnissa support

Important

If you encounter an issue when trying to deliver applications to Azure Virtual Desktop session hosts, you must verify whether it's unique to your approved partner. You can verify whether this is a unique issue by trying to reproduce it with first-party app attach (see App attach overview). If you can't reproduce the issue on first-party app attach, then you must contact your client's provider for support.

Next steps
Learn more about Remote Desktop clients at App attach overview.
MSIXMGR tool parameters
Article • 03/05/2024

This article contains the command line parameters and syntax you can use with the
MSIXMGR tool.

Prerequisites
To use the MSIXMGR tool, you need:

Download the MSIXMGR tool.
Get an MSIX-packaged application (.msix file).
A Windows device with administrative permissions to create the MSIX image.

-AddPackage
Add the package at specified file path.

-AddPackage <Path to the MSIX package>

or

-p <Path to the MSIX package>

Here's an example of using the -AddPackage parameter:

Windows Command Prompt

msixmgr.exe -AddPackage "C:\MSIX\myapp.msix"

-RemovePackage
Remove the package with the specified package full name.

-RemovePackage <Package name>

or

-x <Package name>

Here's an example of using the -RemovePackage parameter. You can find the package full
name by running the PowerShell cmdlet Get-AppxPackage.

Windows Command Prompt

msixmgr.exe -RemovePackage myapp_0.0.0.1_x64__8wekyb3d8bbwe

-FindPackage
Find a package with a specific package full name.

-FindPackage <Package name>

Here's an example of using the -FindPackage parameter. You can find the package full
name by running the PowerShell cmdlet Get-AppxPackage.

Windows Command Prompt

msixmgr.exe -FindPackage myapp_0.0.0.1_x64__8wekyb3d8bbwe

-ApplyACLs
Apply ACLs to a package folder (an unpacked package). You also need to specify the
following required subparameters:

Required parameter   Description
-packagePath         The path to the package to unpack OR the path to a directory containing multiple packages to unpack.

-ApplyACLs -packagePath <Path to the package folder>

Here's an example of using the -ApplyACLs parameter:

Windows Command Prompt

msixmgr.exe -ApplyACLs -packagePath "C:\MSIX\myapp_0.0.0.1_x64__8wekyb3d8bbwe"

-Unpack
Unpack a package in one of the file formats .appx , .msix , .appxbundle , or .msixbundle ,
and extract its contents to a folder. You also need to specify the following required
subparameters:

Required parameter   Description
-destination         The directory to place the resulting package folder(s) in.
-fileType            The type of file to unpack packages to. Valid file types include .vhd, .vhdx, .cim. This parameter is only required when unpacking to CIM files.
-packagePath         The path to the package to unpack OR the path to a directory containing multiple packages to unpack.
-rootDirectory       Specifies the root directory on the image to unpack packages to. This parameter is only required when unpacking to new and existing CIM files.

-Unpack -packagePath <Path to package to unpack OR path to a directory containing multiple packages to unpack> -destination <Directory to place the resulting package folder(s) in> -fileType <VHD | VHDX | CIM> -rootDirectory <Root directory on image to unpack packages to>

Here are some examples of using the -Unpack parameter:

To unpack a package into a directory:

Windows Command Prompt

msixmgr.exe -Unpack -packagePath "C:\MSIX\myapp.msix" -destination "C:\Apps\myapp"

To unpack a package into a VHDX disk image:

Windows Command Prompt

msixmgr.exe -Unpack -packagePath "C:\MSIX\myapp.msix" -destination "C:\Apps\myapp\myapp.vhdx" -applyACLs -create -filetype VHDX -rootDirectory apps

To unpack a package into a CIM disk image:

Windows Command Prompt

msixmgr.exe -Unpack -packagePath "C:\MSIX\myapp.msix" -destination "C:\Apps\myapp\myapp.cim" -applyACLs -create -filetype CIM -rootDirectory apps

Here are the optional parameters you can use with the -Unpack parameter:

-applyACLs
    Applies ACLs to the resulting package folder(s) and their parent folder.
    Example: msixmgr.exe -Unpack -packagePath "C:\MSIX\myapp.msix" -destination "C:\Apps\myapp" -applyACLs

-create
    Creates a new image with the specified file type and unpacks the packages to that image. Requires the -filetype parameter.
    Example: msixmgr.exe -Unpack -packagePath "C:\MSIX\myapp.msix" -destination "C:\Apps\myapp" -applyACLs -create -fileType VHDX

-fileType
    The type of file to unpack packages to. Valid file types include VHD, VHDX, CIM. This parameter is required when unpacking to CIM files. Requires the -create parameter.
    Example: msixmgr.exe -Unpack -packagePath "C:\MSIX\myapp.msix" -destination "C:\Apps\myapp" -applyACLs -create -fileType CIM -rootDirectory apps

-rootDirectory
    Specifies the root directory on the image to unpack packages to. This parameter is required when unpacking to new and existing CIM files.
    Example: msixmgr.exe -Unpack -packagePath "C:\MSIX\myapp.msix" -destination "C:\Apps\myapp" -applyACLs -create -filetype CIM -rootDirectory apps

-validateSignature
    Validates a package's signature file before unpacking the package. This parameter requires that the package's certificate is installed on the machine. For more information, see Certificate Stores.
    Example: msixmgr.exe -Unpack -packagePath "C:\MSIX\myapp.msix" -destination "C:\Apps\Myapp" -validateSignature -applyACLs

-vhdSize
    The desired size of the .vhd or .vhdx file in MB. Must be between 5 MB and 2040000 MB. Use only for .vhd or .vhdx files. Requires the -create and -filetype parameters.
    Example: msixmgr.exe -Unpack -packagePath "C:\MSIX\myapp.msix" -destination "C:\Apps\myapp" -create -fileType VHDX -vhdSize 500
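As an added example (not from the original article or the MSIXMGR tool itself), the following PowerShell wrapper chains the -Unpack parameters above into a single staging step and refuses to create the image unless the package's signature verifies locally, so an unsigned or tampered package never reaches the image share. It assumes msixmgr.exe is in the current directory and that Get-AuthenticodeSignature can read the .msix file's signature; the paths in the usage line are placeholders.

```powershell
# Added example: stage an MSIX package into a VHD/VHDX/CIM image only after its
# signature has been checked.
function New-ValidatedMsixImage {
    param(
        [Parameter(Mandatory)] [string] $PackagePath,
        [Parameter(Mandatory)] [string] $Destination,          # e.g. C:\Apps\myapp\myapp.cim
        [ValidateSet('VHD', 'VHDX', 'CIM')] [string] $FileType = 'CIM',
        [string] $RootDirectory = 'apps',
        [string] $MsixMgrPath = '.\msixmgr.exe'                 # assumption: tool in current dir
    )

    if (-not (Test-Path -LiteralPath $PackagePath)) {
        throw "Package not found: $PackagePath"
    }

    # Check the Authenticode signature of the package before doing anything with it.
    # Anything other than 'Valid' (unsigned, untrusted root, hash mismatch) is rejected.
    $sig = Get-AuthenticodeSignature -FilePath $PackagePath
    if ($sig.Status -ne 'Valid') {
        throw "Signature check failed for $PackagePath ($($sig.Status)): $($sig.StatusMessage)"
    }

    $msixArgs = @(
        '-Unpack',
        '-packagePath', $PackagePath,
        '-destination', $Destination,
        '-applyACLs',            # set ACLs on the resulting package folder(s)
        '-create',               # create a new image of the given file type
        '-fileType', $FileType,
        '-validateSignature'     # let msixmgr verify against the local certificate store too
    )
    # -rootDirectory is required when unpacking to CIM files.
    if ($FileType -eq 'CIM') { $msixArgs += @('-rootDirectory', $RootDirectory) }

    & $MsixMgrPath @msixArgs
    if ($LASTEXITCODE -ne 0) {
        throw "msixmgr.exe exited with code $LASTEXITCODE"
    }

    # Record who signed what went into the image, for the change log.
    [pscustomobject]@{
        Package    = $PackagePath
        Signer     = $sig.SignerCertificate.Subject
        Thumbprint = $sig.SignerCertificate.Thumbprint
        Image      = $Destination
        FileType   = $FileType
    }
}

# Usage (placeholder paths):
New-ValidatedMsixImage -PackagePath 'C:\MSIX\myapp.msix' -Destination 'C:\Apps\myapp\myapp.cim'
```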

-MountImage
Mount a VHD, VHDX, or CIM image. You also need to specify the following required
subparameters:

Required parameter   Description
-fileType            The type of file to unpack packages to. Valid file types include VHD, VHDX, CIM.
-imagePath           The path to the image file to mount.

-MountImage -imagePath <Path to the MSIX image> -fileType <VHD | VHDX | CIM>

Here's an example of using the -MountImage parameter:

Windows Command Prompt

msixmgr.exe -MountImage -imagePath "C:\MSIX\myapp.cim" -fileType CIM

Here are the optional parameters you can use with the -MountImage parameter:

-readOnly
    Boolean (true or false) indicating whether the image should be mounted as read only. If not specified, the image is mounted as read-only by default.
    Example: msixmgr.exe -MountImage -imagePath "C:\MSIX\myapp.cim" -filetype CIM -readOnly false

-UnmountImage
Unmount a VHD, VHDX, or CIM image. You also need to specify the following required
subparameters:

Required parameter   Description
-fileType            The type of file to unpack packages to. Valid file types include VHD, VHDX, CIM.
-imagePath           The path to the image file to mount.

-UnmountImage -imagePath <Path to the MSIX image> -fileType <VHD | VHDX | CIM>

Here's an example of using the -UnmountImage parameter:

Windows Command Prompt

msixmgr.exe -UnmountImage -imagePath "C:\MSIX\myapp.vhdx" -fileType VHDX


Here are the optional parameters you can use with the -UnmountImage parameter:

-volumeId
    The GUID of the volume (specified without curly braces) associated with the image to unmount. This parameter is optional only for CIM files. You can find the volume ID by running the PowerShell cmdlet Get-Volume.
    Example: msixmgr.exe -UnmountImage -volumeId 199a2f93-99a8-11ee-9b0d-4c445b63adac -filetype CIM

-quietUX
Suppresses user interaction when running the MSIXMGR tool. This parameter is optional
and can be used with any other parameter.

Here's an example of using the -quietUX parameter with the -AddPackage parameter:

Windows Command Prompt

msixmgr.exe -AddPackage "C:\MSIX\myapp.msix" -quietUX

Next steps
To learn more about MSIX app attach, check out these articles:

Create an MSIX image to use with app attach
What's new in the MSIXMGR tool
App attach and MSIX app attach
Add and manage app attach and MSIX app attach applications
Test MSIX packages for app attach

Use Microsoft Teams on Azure Virtual Desktop
Article • 08/28/2024

Microsoft Teams on Azure Virtual Desktop supports chat and collaboration. With media
optimizations, it also supports calling and meeting functionality by redirecting it to the
local device when using Windows App or the Remote Desktop client on a supported
platform. You can still use Microsoft Teams on Azure Virtual Desktop on other platforms
without optimized calling and meetings. Teams chat and collaboration features are
supported on all platforms.

There are two versions of Teams, Classic Teams and New Teams, and you can use either with Azure Virtual Desktop. New Teams has feature parity with Classic Teams, but improves performance, reliability, and security.

To redirect calling and meeting functionality to the local device, Azure Virtual Desktop
uses an extra component. This component is either SlimCore or the WebRTC Redirector
Service. The option you use depends on the following:

New Teams can use either SlimCore or the WebRTC Redirector Service. SlimCore is
available in preview and you need to opt in to the preview to use it. If you use
SlimCore, you should also install the WebRTC Redirector Service. This allows a user
to fall back to WebRTC, such as if they roam between different devices that don't
support the new optimization architecture. For more information about SlimCore
and how to opt into the preview, see New VDI solution for Teams.

Classic Teams uses the WebRTC Redirector Service.

Tip

If you're using the classic Teams app with Virtual Desktop Infrastructure (VDI) environments, such as Azure Virtual Desktop, end of support is October 1, 2024 and end of availability is July 1, 2025, after which you'll need to use the new Microsoft Teams app. For more information, see End of availability for classic Teams app.

Prerequisites
Before you can use Microsoft Teams on Azure Virtual Desktop, you need:

Prepare your network for Microsoft Teams.

Connect to a session host running Windows 10 or 11 multi-session or Windows 10 or 11 Enterprise. Session hosts running an N or KN SKU of Windows aren't supported.

For Windows, you also need to install the latest version of the Microsoft Visual
C++ Redistributable on your client device and session hosts. The C++
Redistributable is required to use media optimization for Teams on Azure Virtual
Desktop.

Install the latest version of Windows App or the Remote Desktop client on
Windows or macOS that meets the hardware requirements for Microsoft Teams.

SlimCore is available on Windows with the following apps and versions:

Windows App for Windows, version 1.3.252 or later
Remote Desktop client for Windows, version 1.2.5405.0 or later

If you use FSLogix for profile management and want to use the new Microsoft
Teams app, you need to install FSLogix 2210 hotfix 3 (2.9.8716.30241) or later.

Media optimization for Microsoft Teams is only available for the following clients:

Remote Desktop client for Windows or the Azure Virtual Desktop app, version
1.2.1026.0 or later, including ARM64-based devices.

Remote Desktop client for macOS, version 10.7.7 or later.

Windows App.

For more information about which features Teams on Azure Virtual Desktop supports
and minimum required client versions, see Supported features for Teams on Azure
Virtual Desktop.

Prepare to install the Teams desktop app

This section shows you how to install the Teams desktop app on your Windows 10 or 11 Enterprise multi-session or Windows 10 or 11 Enterprise VM image.

Enable media optimization for Teams

To enable media optimization for Teams, set the following registry key on each session host:

1. From the start menu, run Registry Editor as an administrator. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Teams. Create the Teams key if it doesn't already exist.

2. Create the following value for the Teams key:

Name              Type   Data/Value
IsWVDEnvironment  DWORD  1

Alternatively, you can create the registry entry by running the following commands from
an elevated PowerShell session:

PowerShell

New-Item -Path "HKLM:\SOFTWARE\Microsoft\Teams" -Force
New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Teams" -Name IsWVDEnvironment -PropertyType DWORD -Value 1 -Force

Install the Remote Desktop WebRTC Redirector Service

You need to install the WebRTC Redirector Service on each session host. You can install the MSI file using a management tool such as Configuration Manager, or manually.

To install the WebRTC Redirector Service manually:

1. Sign in to a session host as a local administrator.

2. Download the Remote Desktop WebRTC Redirector Service installer.

3. Open the file that you downloaded to start the setup process.

4. Follow the prompts. Once it's completed, select Finish.

You can find more information about the latest version of the WebRTC Redirector
Service at What's new in the Remote Desktop WebRTC Redirector Service.

Tip

If you want to use SlimCore, all of its required components come bundled with new Teams and Windows App or the Remote Desktop client.

Install Teams on session hosts
You can deploy the Teams desktop app per-machine or per-user. For session hosts in a
pooled host pool, you need to install Teams per-machine. To install Teams on your
session hosts follow the steps in the relevant article:

Install the classic Teams app.
Install the new Teams app.

Verify media optimizations loaded

After installing the WebRTC Redirector Service and the Teams desktop app, follow these
steps to verify that Teams media optimizations loaded:

1. Connect to a remote session.

2. Quit and restart the Teams application.

3. Select your user profile image, then select About.

4. Select Version.

If media optimizations loaded, the banner shows you AVD SlimCore Media
Optimized or AVD Media Optimized. If the banner shows you AVD Media not
connected, quit the Teams app and try again.

5. Select your user profile image, then select Settings.

If media optimizations loaded, the audio devices and cameras available locally are enumerated in the device menu. If the menu shows Remote audio, quit the Teams app and try again. If the devices still don't appear in the menu, check the Privacy settings on your local PC: under Settings > Privacy > App permissions > Microphone, ensure that the setting "Allow apps to access your microphone" is toggled On. Disconnect from the remote session, then reconnect and check the audio and video devices again. To join calls and meetings with video, you must also grant permission for apps to access your camera.

If media optimizations don't load, uninstall then reinstall Teams and check again.

Publish Teams as a RemoteApp

New Teams is installed as an MSIX package, which is a format used for applications from
the Microsoft Store. The directory path for an application installed from the Microsoft
Store includes the version number, which changes each time an application is updated.
To publish new Teams as a RemoteApp, follow the steps in Publish Microsoft Store
applications, and for the path enter shell:appsFolder\MSTeams_8wekyb3d8bbwe!MSTeams .

Enable registry keys for optional features

If you want to use certain optional features for Teams on Azure Virtual Desktop, you
need to enable certain registry keys. The following instructions only apply to Windows
client devices and session host VMs.

Enable hardware encode for Teams on Azure Virtual Desktop
Hardware encode lets you increase video quality for the outgoing camera during Teams
calls. In order to enable this feature, your client needs to be running version 1.2.3213 or
later of the Windows Desktop client. You need to repeat the following instructions for
every client device.

To enable hardware encode:

1. On your client device, from the start menu, run Registry Editor as an administrator.
2. Go to HKCU\SOFTWARE\Microsoft\Terminal Server Client\Default\AddIns\WebRTC Redirector.
3. Add UseHardwareEncoding as a DWORD value.
4. Set the value to 1 to enable the feature.
5. Repeat these instructions for every client device.

Enable content sharing for Teams for RemoteApp

Enabling content sharing for Teams on Azure Virtual Desktop lets you share your screen
or application window. To enable this feature, your session host VM needs to be running
version 1.31.2211.15001 or later of the WebRTC Redirector Service and version 1.2.3401
or later of the Windows Desktop client.

To enable content sharing:

1. On your session host VM, from the start menu, run Registry Editor as an administrator.
2. Go to HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\WebRTC Redirector\Policy.
3. Add ShareClientDesktop as a DWORD value.
4. Set the value to 1 to enable the feature.

Disable desktop screen share for Teams for RemoteApp

You can disable desktop screen sharing for Teams on Azure Virtual Desktop. To enable
this feature, your session host VM needs to be running version 1.31.2211.15001 or later
of the WebRTC service and version 1.2.3401 or later of the Windows Desktop client.

Note

You must enable the ShareClientDesktop key before you can use this key.

To disable desktop screen share:

1. On your session host VM, from the start menu, run Registry Editor as an administrator.
2. Go to HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\WebRTC Redirector\Policy.
3. Add DisableRAILScreensharing as a DWORD value.
4. Set the value to 1 to disable desktop screen share.

Disable application window sharing for Teams for RemoteApp
You can disable application window sharing for Teams on Azure Virtual Desktop. To
enable this feature, your session host VM needs to be running version 1.31.2211.15001
or later of the WebRTC service and version 1.2.3401 or later of the Windows Desktop
client.

Note

You must enable the ShareClientDesktop key before you can use this key.

To disable application window sharing:

1. On your session host VM, from the start menu, run Registry Editor as an administrator.
2. Go to HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\WebRTC Redirector\Policy.
3. Add DisableRAILAppSharing as a DWORD value.
4. Set the value to 1 to disable application window sharing.
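The following added PowerShell (not from the original article) applies and audits the session-host registry values from the Enable media optimization section and the three RemoteApp sharing settings above, and warns when a Disable* value is written while ShareClientDesktop isn't enabled, since the article notes those values depend on it. It only uses the paths and value names given in the article; the client-side UseHardwareEncoding value is left out because it's set per client device, not on the session host.

```powershell
# Added example: configure and audit Teams registry settings on a session host.
# Run from an elevated PowerShell session.
$TeamsKey  = 'HKLM:\SOFTWARE\Microsoft\Teams'
$PolicyKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\WebRTC Redirector\Policy'

function Set-TeamsAvdRegistry {
    param(
        [switch] $EnableMediaOptimization,   # IsWVDEnvironment = 1
        [switch] $EnableContentSharing,      # ShareClientDesktop = 1
        [switch] $DisableDesktopShare,       # DisableRAILScreensharing = 1
        [switch] $DisableAppWindowShare      # DisableRAILAppSharing = 1
    )

    if ($EnableMediaOptimization) {
        New-Item -Path $TeamsKey -Force | Out-Null
        New-ItemProperty -Path $TeamsKey -Name IsWVDEnvironment -PropertyType DWORD -Value 1 -Force | Out-Null
    }

    if ($EnableContentSharing -or $DisableDesktopShare -or $DisableAppWindowShare) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    if ($EnableContentSharing) {
        New-ItemProperty -Path $PolicyKey -Name ShareClientDesktop -PropertyType DWORD -Value 1 -Force | Out-Null
    }

    # The Disable* values only take effect when ShareClientDesktop is enabled, so read
    # the current value first and warn if the dependency isn't satisfied.
    $shareEnabled = (Get-ItemProperty -Path $PolicyKey -Name ShareClientDesktop -ErrorAction SilentlyContinue).ShareClientDesktop -eq 1
    foreach ($pair in @(
        @{ Switch = $DisableDesktopShare;   Name = 'DisableRAILScreensharing' },
        @{ Switch = $DisableAppWindowShare; Name = 'DisableRAILAppSharing' })) {
        if ($pair.Switch) {
            if (-not $shareEnabled) {
                Write-Warning "$($pair.Name) requires ShareClientDesktop = 1; it's written but has no effect until content sharing is enabled."
            }
            New-ItemProperty -Path $PolicyKey -Name $pair.Name -PropertyType DWORD -Value 1 -Force | Out-Null
        }
    }
}

function Get-TeamsAvdRegistryState {
    # One row per setting so the result can be compared across session hosts.
    $checks = @(
        @{ Path = $TeamsKey;  Name = 'IsWVDEnvironment';         Purpose = 'Media optimization' },
        @{ Path = $PolicyKey; Name = 'ShareClientDesktop';       Purpose = 'Content sharing (RemoteApp)' },
        @{ Path = $PolicyKey; Name = 'DisableRAILScreensharing'; Purpose = 'Desktop screen share disabled' },
        @{ Path = $PolicyKey; Name = 'DisableRAILAppSharing';    Purpose = 'App window share disabled' }
    )
    foreach ($c in $checks) {
        $value = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        [pscustomobject]@{
            Setting = $c.Name
            Purpose = $c.Purpose
            Value   = if ($null -eq $value) { '(not set)' } else { $value }
            Enabled = ($value -eq 1)
        }
    }
}

# Usage: enable media optimization and content sharing, then report the resulting state.
Set-TeamsAvdRegistry -EnableMediaOptimization -EnableContentSharing
Get-TeamsAvdRegistryState | Format-Table -AutoSize
```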

Customize Remote Desktop Protocol properties for a host pool
Customizing a host pool's Remote Desktop Protocol (RDP) properties, such as multi-
monitor experience or enabling microphone and audio redirection, lets you deliver an
optimal experience for your users based on their needs.

Enabling device redirections isn't required when using Teams with media optimization. If
you're using Teams without media optimization, set the following RDP properties to
enable microphone and camera redirection:

audiocapturemode:i:1 enables audio capture from the local device and redirects audio applications in the remote session.
audiomode:i:0 plays audio on the local computer.
camerastoredirect:s:* redirects all cameras.

To learn more, check out Customize Remote Desktop Protocol properties for a host
pool.

Next steps
See Supported features for Teams on Azure Virtual Desktop for more information about
which features Teams on Azure Virtual Desktop supports and minimum required client
versions.

Learn about known issues, limitations, and how to log issues at Troubleshoot Teams on
Azure Virtual Desktop.

Learn about the latest version of the WebRTC Redirector Service at What's new in the
WebRTC Redirector Service for Azure Virtual Desktop.

Launch Microsoft OneDrive with a RemoteApp in Azure Virtual Desktop
Article • 11/26/2024

You can launch Microsoft OneDrive alongside a RemoteApp in Azure Virtual Desktop,
allowing users to access and synchronize their files while using a RemoteApp. When a
user connects to a RemoteApp, OneDrive can automatically launch as a companion to
the RemoteApp.

In the settings for OneDrive, there's the option Start OneDrive when I sign in to
Windows, which ordinarily starts OneDrive when a user signs in. However, this setting
doesn't work with RemoteApp in Azure Virtual Desktop. Instead, you configure OneDrive
to launch by configuring a registry value. You also enable an enhanced shell experience
for RemoteApp sessions, offering support for default file associations, Run/RunOnce
registry keys, and more.

This article describes how to configure OneDrive to automatically launch alongside a RemoteApp in Azure Virtual Desktop.

User experience
When a user launches a RemoteApp, OneDrive is also launched and the OneDrive icon is
integrated in the taskbar of their local Windows device. If a user launches another
RemoteApp from the same host pool on the same session host, it uses the same
instance of OneDrive and another doesn't start.

If your session hosts are joined to Microsoft Entra ID, you can silently configure user
accounts so users are automatically signed in to OneDrive and start synchronizing
straight away. Otherwise, users need to sign in to OneDrive on first use.

The icon for the instance of OneDrive accompanying the RemoteApp in the system tray
looks the same as if OneDrive is installed on a local device. You can differentiate the
OneDrive icon from the remote session by hovering over the icon where the tooltip
includes the word Remote.

When a user closes or disconnects from the last RemoteApp they're using on the
session host, OneDrive exits within a few minutes, unless the user has the OneDrive
Action Center window open.

Prerequisites
Before you can use OneDrive with a RemoteApp in Azure Virtual Desktop:

Your session hosts must be running Windows 11 Enterprise, version 24H2, or version 22H2 or 23H2 with the 2024-07 Cumulative Update for Windows 11 (KB5040442) or later installed.

If you're using FSLogix, install the latest version of FSLogix on your session hosts. For more information, see Install FSLogix applications.

Use Windows App on Windows or the Remote Desktop client on Windows to connect to a remote session. Other platforms aren't supported.

Configure OneDrive to launch with a RemoteApp
To configure OneDrive to launch with a RemoteApp in Azure Virtual Desktop, you need
to enable an enhanced shell experience for RemoteApp sessions using Group Policy and
set a registry value to launch OneDrive when a user connects to a RemoteApp. The
Group Policy setting isn't available in Microsoft Intune.

1. Download and install the latest version of the OneDrive sync app per-machine
on your session hosts. For more information, see Install the sync app per-machine.

2. If your session hosts are joined to Microsoft Entra ID, silently configure user
accounts for OneDrive on your session hosts, so users are automatically signed in
to OneDrive.

3. The Group Policy settings are only available in Windows 11, version 22H2 or 23H2 with the 2024-07 Cumulative Update for Windows 11 (KB5040442) or later installed. You need to copy the administrative template files C:\Windows\PolicyDefinitions\terminalserver.admx and C:\Windows\PolicyDefinitions\en-US\terminalserver.adml from a session host to the same location on your domain controllers or the Group Policy Central Store, depending on your environment. In the file path for terminalserver.adml replace en-US with the appropriate language code if you're using a different language.

4. Open the Group Policy Management console on a device you use to manage the
Active Directory domain.

5. Create or edit a policy that targets the computers providing a remote session you
want to configure.
6. Navigate to Computer Configuration > Policies > Administrative Templates >
Windows Components > Remote Desktop Services > Remote Desktop Session
Host > Remote Session Environment.

7. Double-click the policy setting Enable enhanced shell experience for RemoteApp
to open it. Select Enabled, then select OK.

8. Set the following registry value:

Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Type: REG_SZ
Name: OneDrive
Data: "C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background

You can configure the registry using an enterprise deployment tool such as Intune,
Configuration Manager, or Group Policy. Alternatively, to set this registry value
using PowerShell, open PowerShell as an administrator and run the following
command:

PowerShell

New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" -Name OneDrive -PropertyType String -Value '"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background' -Force

9. Ensure the side-by-side stack on the session host is version 1.0.2404.16770 or higher. To check the version, run the following command from Command Prompt or PowerShell.

Windows Command Prompt

qwinsta

The output includes a line beginning with rdp-sxs followed by a number, where
the number correlates to the version number of the side-by-side stack, as shown in
the following example. You can find a list of the version numbers at What's new in
the Azure Virtual Desktop SxS Network Stack.

Output

 SESSIONNAME       USERNAME                 ID  STATE   TYPE        DEVICE
 services                                    0  Disc
 console                                     1  Conn
 rdp-tcp                                 65537  Listen
 rdp-sxs240705700                        65538  Listen

10. Restart the session hosts to apply the changes.
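As an added example (not part of the original article), the following PowerShell audits the session-host side of steps 1, 8 and 9 above and can optionally write the Run value, but only when the per-machine OneDrive.exe actually exists, since a Run entry pointing at a missing binary silently does nothing. It uses the path, registry value and qwinsta output format given in the article and assumes it runs in an elevated session on the session host.

```powershell
# Added example: check (and optionally fix) the OneDrive-with-RemoteApp configuration
# on a session host.
function Test-OneDriveRemoteAppConfig {
    param(
        # Write the Run value if it's missing or wrong (only when OneDrive.exe exists).
        [switch] $Fix
    )
    $oneDriveExe = 'C:\Program Files\Microsoft OneDrive\OneDrive.exe'
    $runKey      = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $expectedRun = "`"$oneDriveExe`" /background"

    # A per-machine install places OneDrive.exe under Program Files; a per-user
    # install doesn't, and then the Run entry would launch nothing.
    $installed = Test-Path -LiteralPath $oneDriveExe

    $runValue = (Get-ItemProperty -Path $runKey -Name OneDrive -ErrorAction SilentlyContinue).OneDrive
    if ($Fix -and $installed -and $runValue -ne $expectedRun) {
        New-ItemProperty -Path $runKey -Name OneDrive -PropertyType String -Value $expectedRun -Force | Out-Null
        $runValue = $expectedRun
    }

    # qwinsta lists the listeners; the side-by-side stack appears as rdp-sxs<number>,
    # which you compare against the version list the article links to.
    $sxsListeners = @(qwinsta 2>$null | ForEach-Object {
        if ($_ -match '^\s*(rdp-sxs\d+)') { $Matches[1] }
    })

    [pscustomobject]@{
        OneDrivePerMachineInstalled = $installed
        RunValueConfigured          = ($runValue -eq $expectedRun)
        RunValue                    = $runValue
        SxsListeners                = ($sxsListeners -join ', ')
    }
}

# Usage: report only; add -Fix to write the Run value when OneDrive.exe is present.
Test-OneDriveRemoteAppConfig
```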

Test OneDrive with a RemoteApp

To test OneDrive with a RemoteApp, follow these steps:

1. Use a supported version of Windows App or the Remote Desktop client to connect
to a RemoteApp from the host pool with the session hosts you configured.

2. Check that the OneDrive icon can be seen on the task bar of your local Windows
device. Hover over the icon to show the tooltip and ensure it includes the word
Remote, which differentiates it from a local instance of OneDrive.

3. Check that OneDrive is synchronizing files by opening the OneDrive Action Center.
Sign in to OneDrive if you weren't automatically signed in.

4. From the RemoteApp, check that you can access your files from OneDrive.

5. Finally, close the RemoteApp and any others from the same session host, and
within a few minutes OneDrive should exit.

OneDrive recommendations
When using OneDrive with a RemoteApp in Azure Virtual Desktop, we recommend that
you configure the following settings using the OneDrive administrative template. For
more information, see Manage OneDrive using Group Policy and Use administrative
templates in Intune.

Allow syncing OneDrive accounts for only specific organizations.
Use OneDrive files On-Demand.
Silently move Windows known folders to OneDrive.
Silently sign-in users to the OneDrive sync app with their Windows credentials.

Migrate automatically from Azure Virtual Desktop (classic)
Article • 04/14/2023

The migration module tool lets you migrate your organization from Azure Virtual
Desktop (classic) to Azure Virtual Desktop automatically. This article will show you how
to use the tool.

Requirements
Before you use the migration module, make sure you have the following things ready:

An Azure subscription where you'll create new Azure service objects.

You must be assigned the Contributor role to create Azure objects on your
subscription, and the User Access Administrator role to assign users to application
groups.

At least Remote Desktop Services (RDS) Contributor permissions on an RDS tenant or the specific host pools you're migrating.

The latest version of the Microsoft.RdInfra.RDPowershell PowerShell module.

The latest version of the Az.DesktopVirtualization PowerShell module.

The latest version of the Az.Resources PowerShell module.

Install the migration module on your computer.

PowerShell or PowerShell ISE to run the scripts you'll see in this article. The
Microsoft.RdInfra.RDPowershell module doesn't work in PowerShell Core.

Important

Migration only creates service objects in the US geography. If you try to migrate your service objects to another geography, it won't work. Also, if you have more than 500 application groups in your Azure Virtual Desktop (classic) deployment, you won't be able to migrate. You'll only be able to migrate if you rebuild your environment to reduce the number of application groups within your Azure Active Directory (Azure AD) tenant.

Prepare your PowerShell environment
First, you'll need to prepare your PowerShell environment for the migration process.

To prepare your PowerShell environment:

1. Before you start, make sure you have the latest version of the Az.DesktopVirtualization and Az.Resources modules by running the following cmdlets:

PowerShell

Get-Module Az.Resources
Get-Module Az.DesktopVirtualization

The modules are published at https://www.powershellgallery.com/packages/Az.DesktopVirtualization/ and https://www.powershellgallery.com/packages/Az.Resources/.

If you don't, then you'll have to install and import the modules by running these
cmdlets:

PowerShell

Install-module Az.Resources
Import-module Az.Resources
Install-module Az.DesktopVirtualization
Import-module Az.DesktopVirtualization

2. Next, uninstall the current RDInfra PowerShell module by running this cmdlet:

PowerShell

Uninstall-Module -Name Microsoft.RDInfra.RDPowershell -AllVersions

3. After that, install the RDPowershell module with this cmdlet:

PowerShell

Install-Module -Name Microsoft.RDInfra.RDPowershell -RequiredVersion 1.0.3414.0 -force
Import-module Microsoft.RDInfra.RDPowershell

4. Once you're done installing everything, run this cmdlet to make sure you have the
right versions of the modules:

PowerShell
Get-Module Microsoft.RDInfra.RDPowershell

5. Now, let's install and import the migration module by running these cmdlets:

PowerShell

Install-Module -Name PackageManagement -Repository PSGallery -Force
Install-Module -Name PowerShellGet -Repository PSGallery -Force
# Then restart the shell
Install-Module -Name Microsoft.RdInfra.RDPowershell.Migration -AllowClobber
Import-Module <Full path to the location of the migration module>\Microsoft.RdInfra.RDPowershell.Migration.psd1

6. Once you're done, sign into Azure Virtual Desktop (classic) in your PowerShell
window:

PowerShell

Add-RdsAccount -DeploymentUrl https://rdbroker.wvd.microsoft.com

7. Sign in to Azure Resource Manager (Login-AzAccount is an alias of this cmdlet):

PowerShell

Connect-AzAccount

8. If you have multiple subscriptions, select the one you want to migrate your
resources to with this cmdlet:

PowerShell

Select-AzSubscription -Subscriptionid <subID>

9. Finally, register the Microsoft.DesktopVirtualization resource provider for the
selected subscription. There are two ways you can do this:

If you want to use PowerShell, then run this cmdlet:

PowerShell

Register-AzResourceProvider -ProviderNamespace Microsoft.DesktopVirtualization

If you'd rather use the Azure portal, open and sign in to the Azure portal,
then go to Subscriptions and select the name of the subscription you want to
use. After that, go to Resource providers > Microsoft.DesktopVirtualization
and select Re-register. You won't see anything change in the UI just yet, but
your PowerShell environment should now be ready to run the module.

Registration runs asynchronously. Get-AzResourceProvider -ProviderNamespace
Microsoft.DesktopVirtualization reports a RegistrationState of Registered once it
has completed.
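The preparation steps above, combined into one pre-flight script with the checks a practitioner would want before touching a production tenant: the modules are present, the shell is Windows PowerShell (the classic module doesn't load in PowerShell Core), the resource provider has actually finished registering, and the tenant is under the 500 application group limit from the Important note. This is an added example, not code from the Azure Virtual Desktop documentation or the migration module; the tenant name "Contoso" and the subscription ID are placeholders.

```powershell
# Added example (not from the Azure Virtual Desktop documentation): pre-flight checks before
# running the migration module. Assumptions: tenant "Contoso" and $subscriptionId are
# placeholders; the cmdlet names come from the modules named in this article.

$tenantName     = 'Contoso'               # assumed classic tenant name
$subscriptionId = '<subscription-id>'     # replace with the target subscription

# 1. Verify the required modules are installed and report their versions.
foreach ($name in 'Az.Resources', 'Az.DesktopVirtualization',
                  'Microsoft.RDInfra.RDPowershell', 'Microsoft.RdInfra.RDPowershell.Migration') {
    $m = Get-Module -ListAvailable -Name $name | Sort-Object Version -Descending | Select-Object -First 1
    if (-not $m) { throw "Module '$name' is not installed." }
    Write-Host ("{0,-45} {1}" -f $name, $m.Version)
}

# The classic module does not run under PowerShell Core, so fail fast on pwsh.
if ($PSVersionTable.PSEdition -ne 'Desktop') {
    throw 'Run this from Windows PowerShell 5.1; Microsoft.RDInfra.RDPowershell does not load in PowerShell Core.'
}

# 2. Sign in to both control planes: the classic broker and Azure Resource Manager.
Add-RdsAccount -DeploymentUrl https://rdbroker.wvd.microsoft.com
Connect-AzAccount | Out-Null
Select-AzSubscription -SubscriptionId $subscriptionId | Out-Null

# 3. Register the resource provider and wait until Azure reports it as Registered;
#    Register-AzResourceProvider returns before the registration completes.
Register-AzResourceProvider -ProviderNamespace Microsoft.DesktopVirtualization | Out-Null
do {
    Start-Sleep -Seconds 10
    $state = (Get-AzResourceProvider -ProviderNamespace Microsoft.DesktopVirtualization).RegistrationState |
             Select-Object -First 1
    Write-Host "Microsoft.DesktopVirtualization: $state"
} while ($state -ne 'Registered')

# 4. Enforce the 500 application group limit from the Important note before starting.
$appGroupCount = 0
foreach ($hp in Get-RdsHostPool -TenantName $tenantName) {
    $appGroupCount += @(Get-RdsAppGroup -TenantName $tenantName -HostPoolName $hp.HostPoolName).Count
}
if ($appGroupCount -gt 500) {
    throw "Tenant '$tenantName' has $appGroupCount application groups; the module cannot migrate more than 500."
}
Write-Host "Pre-flight passed: $appGroupCount application groups in '$tenantName'."
```

Run it once per target subscription. If the provider loop never reaches Registered, check that the signed-in account has Contributor on the subscription; registering a resource provider needs write access at subscription scope.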

Migrate Azure Virtual Desktop (classic) resources to Azure Resource Manager

Now that your PowerShell environment is ready, you can begin the migration process.

To migrate your Azure Virtual Desktop (classic) resources to Azure Resource Manager:

1. Before you migrate, if you want to understand how the existing Classic resources
will get mapped to new Azure Resource Manager resources, run this cmdlet:

PowerShell

Get-RdsHostPoolMigrationMapping

With Get-RdsHostPoolMigrationMapping, you can create a CSV file that maps
where your resources will go. For example, if your tenant's name is "Contoso," and
you want to store your mapping file on the desktop of the "contosouser" profile, you'd
run a cmdlet that looks like this:

PowerShell

Get-RdsHostPoolMigrationMapping -Tenant Contoso -HostPool Office -Location EastUS -OutputFile 'C:\Users\contosouser\OneDrive - Microsoft\Desktop\mapping.csv'

2. Next, run the Start-RdsHostPoolMigration cmdlet to choose whether to migrate a
single host pool or all host pools within a tenant.

For example:

PowerShell

Start-RdsHostPoolMigration -Tenant Contoso -Location WestUS

If you want to migrate the resources for a specific host pool, then include the host
pool name. For example, if you want to move the host pool named "Office," run a
command like this:

PowerShell

Start-RdsHostPoolMigration -Tenant Contoso -HostPool Office -CopyUserAssignments $false -Location EastUS

If you don't give a workspace name, the module will automatically create one for
you based on the tenant name. However, if you'd prefer to use a specific
workspace, you can enter its resource ID like this:

PowerShell

Start-RdsHostPoolMigration -Tenant Contoso -HostPool Office -CopyUserAssignments -Location EastUS -Workspace <Resource ID of workspacename>

If you'd like to use a specific workspace but don't know its resource ID, run this
cmdlet:

PowerShell

Get-AzWvdWorkspace -WorkspaceName <workspace> -ResourceGroupName <resource group> | fl

You'll also need to specify a user assignment mode for the existing user
assignments:

Use Copy to copy all user assignments from your old application groups to
Azure Resource Manager application groups. Users will be able to see feeds
for both versions of their clients.
Use None if you don't want to change the user assignments. Later, you can
assign users or user groups to application groups with the Azure portal,
PowerShell, or API. Users will only be able to see feeds using the Azure Virtual
Desktop (classic) clients.

Each copied user assignment becomes an Azure role assignment, and a subscription
can hold at most 2,000 of them, so your limit depends on how many role assignments
already exist in the subscription. The module calculates the remaining quota before
it copies anything. If there isn't enough quota left, you'll get an error message that
says "Insufficient role assignment quota to copy user assignments. Rerun command
without the -CopyUserAssignments switch to migrate."
3. After you run the commands, it will take up to 15 minutes for the module to create
the service objects. If you copied or moved any user assignments, that will add to
the time it takes for the module to finish setting everything up.

After the Start-RdsHostPoolMigration cmdlet is done, you should see the
following things:

Azure service objects for the tenant or host pool you specified.

Two new resource groups:

A resource group called "Tenantname," which contains your workspace.

A resource group called "Tenantname_originalHostPoolName," which contains
the host pool and desktop application groups.

Any users you published to the newly created application groups.

Virtual machines will be available in both existing and new host pools to
avoid user downtime during the migration process. This lets users connect to
the same user session.

Since these new Azure service objects are Azure Resource Manager objects, the
module can't set Role-based Access Control (RBAC) permissions or diagnostic
settings on them. Therefore, you'll need to update the RBAC permissions and
settings for these objects manually.

Once the module validates the initial user connections, you can also publish the
application group to more users or user groups, if you'd like.

Note

After migration, if you move application groups to a different resource group
after assigning permissions to users, it will remove all RBAC roles. You'll need
to reassign users RBAC permissions all over again.

4. If you want to delete all Azure Virtual Desktop (classic) service objects, run
Complete-RdsHostPoolMigration to finish the migration process. This cmdlet will
delete all Azure Virtual Desktop (classic) objects, leaving only the new Azure
objects. Users will only be able to see the feed for the newly created application
groups on their clients. Once this command is done, you can safely delete the
Azure Virtual Desktop (classic) tenant to finish the process.

For example:
PowerShell

Complete-RdsHostPoolMigration -Tenant Contoso -Location EastUS

If you want to complete a specific host pool, you can include the host pool name
in the cmdlet. For example, if you want to complete a host pool named "Office,"
you'd use a command like this:

PowerShell

Complete-RdsHostPoolMigration -Tenant Contoso -HostPool Office -Location EastUS

This will delete all service objects created by Azure Virtual Desktop (classic). You
will be left with just the new Azure objects and users will only be able to see the
feed for the newly created application groups on their clients. Once you are done
finalizing your migration, you need to explicitly delete the tenant in Azure Virtual
Desktop (classic).

5. If you've changed your mind about migrating and want to revert the process, run
the Revert-RdsHostPoolMigration cmdlet.

For example:

PowerShell

Revert-RdsHostPoolMigration -Tenant Contoso -Location EastUS

If you'd like to revert a specific host pool, you can include the host pool name in
the command. For example, if you want to revert a host pool named "Office," then
you'd enter something like this:

PowerShell

Revert-RdsHostPoolMigration -Tenant Contoso -HostPool Office -Location EastUS

This cmdlet will delete all newly created Azure service objects. Your users will only
see the feed for Azure Virtual Desktop (classic) objects in their clients.

However, the cmdlet won't delete the workspace the module created or its
associated resource group. You'll need to manually delete those items to get rid of
them.
6. If you don't want to delete your Azure Virtual Desktop (classic) service objects yet
but do want to test migration, you can run Set-RdsHostPoolHidden.

For example:

PowerShell

Set-RdsHostPoolHidden -Tenant Contoso -Hostpool Office -Hidden $true -Location WestUS

Setting the status to "true" will hide the Azure Virtual Desktop (classic) resources.
Setting it to "false" will reveal the resources to your users.

The -Hostpool parameter is optional. You can use this parameter if there's a specific
Azure Virtual Desktop (classic) host pool you want to hide.

This cmdlet will hide the Azure Virtual Desktop (classic) user feed and service
objects instead of deleting them. However, this is usually only used for testing and
doesn't count as a completed migration. To complete your migration, you'll need
to run the Complete-RdsHostPoolMigration command. Otherwise, revert your
deployment by running Revert-RdsHostPoolMigration.
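The module can't set RBAC on the new Azure Resource Manager objects, and it skips user assignments entirely when you migrate with the None mode or hit the role assignment quota error. The following added example (not code from the documentation or the migration module) reconciles the two sides after Start-RdsHostPoolMigration: it reads the classic application group memberships, compares them with the Desktop Virtualization User role assignments on the migrated application groups, and adds whatever is missing. It assumes the tenant "Contoso", host pool "Office", the "Tenantname_originalHostPoolName" resource group naming described above, and that the module kept the application group names (check your mapping CSV if it didn't). Run it from Windows PowerShell after Add-RdsAccount and Connect-AzAccount.

```powershell
# Added example (not from the documentation): compare classic application group user
# assignments with Azure RBAC assignments on the migrated application groups and add the
# missing ones. Assumptions: tenant "Contoso", host pool "Office", resource group named
# "Contoso_Office" by the module, and unchanged application group names.

$tenantName   = 'Contoso'
$hostPoolName = 'Office'
$armRg        = "${tenantName}_${hostPoolName}"   # resource group the module creates
$roleName     = 'Desktop Virtualization User'     # built-in role that grants feed access

# Classic side: who is assigned to each application group in the host pool?
$classicUsers = @{}
foreach ($ag in Get-RdsAppGroup -TenantName $tenantName -HostPoolName $hostPoolName) {
    $classicUsers[$ag.AppGroupName] = @(
        Get-RdsAppGroupUser -TenantName $tenantName -HostPoolName $hostPoolName -AppGroupName $ag.AppGroupName |
            Select-Object -ExpandProperty UserPrincipalName
    )
}

# ARM side: enumerate the migrated application groups and their role assignments.
foreach ($ag in Get-AzWvdApplicationGroup -ResourceGroupName $armRg) {
    $existing = @(Get-AzRoleAssignment -Scope $ag.Id -RoleDefinitionName $roleName |
                  Select-Object -ExpandProperty SignInName)

    # Match classic groups by name; adjust the lookup if the module renamed them (see mapping CSV).
    $wanted = $classicUsers[$ag.Name]
    if (-not $wanted) { Write-Warning "No classic assignments found for '$($ag.Name)'"; continue }

    $missing = @($wanted | Where-Object { $existing -notcontains $_ })
    foreach ($upn in $missing) {
        Write-Host "Assigning '$roleName' to $upn on $($ag.Name)"
        New-AzRoleAssignment -SignInName $upn -RoleDefinitionName $roleName -Scope $ag.Id | Out-Null
    }
    Write-Host ("{0}: {1} already assigned, {2} added" -f $ag.Name, $existing.Count, $missing.Count)
}
```

Because each New-AzRoleAssignment consumes subscription role assignment quota, the same 2,000 per subscription limit that stops the -CopyUserAssignments switch applies here; prefer assigning Azure AD groups rather than individual users where the classic deployment used many direct assignments.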

Troubleshoot automatic migration

This section explains how to solve commonly encountered issues in the migration
module.

I can't access the tenant

First, try these two things:

Make sure your admin account has the required permissions to access the tenant.
Try running Get-RdsTenant on the tenant.

If those two things work, try running the Set-RdsMigrationContext cmdlet to set the
RDS Context and ADAL Context for your migration:

1. Create the RDS Context by running the Add-RdsAccount cmdlet.

2. Find the RDS Context in the global variable $rdMgmtContext.

3. Find the ADAL Context in the global variable $AdalContext.

4. Run Set-RdsMigrationContext with the variables you found in this format:

PowerShell

Set-RdsMigrationContext -RdsContext <rdscontext> -AdalContext <adalcontext>

Next steps
If you'd like to learn how to migrate your deployment manually instead, see Migrate
manually from Azure Virtual Desktop (classic).

Once you've migrated, get to know how Azure Virtual Desktop works by checking out
our tutorials. Learn about advanced management capabilities at Expand an existing host
pool and Customize RDP properties.

To learn more about service objects, check out Azure Virtual Desktop environment.
Migrate manually from Azure Virtual Desktop (classic)
Article • 04/14/2023

Azure Virtual Desktop (classic) creates its service environment with PowerShell cmdlets,
REST APIs, and service objects. An object in an Azure Virtual Desktop service
environment is a thing that Azure Virtual Desktop creates. Service objects include
tenants, host pools, application groups, and session hosts.

However, Azure Virtual Desktop (classic) isn't integrated with Azure. Without Azure
integration, any objects you create aren't automatically managed by the Azure portal
because they're not connected to your Azure subscription.

The recent major update of Azure Virtual Desktop marks a shift in the service towards
full Azure integration. Objects you create in Azure Virtual Desktop are automatically
managed by the Azure portal.

In this article, we'll explain why you should consider migrating to the latest version of
Azure Virtual Desktop. After that, we'll tell you how to manually migrate from Azure
Virtual Desktop (classic) to the latest update of Azure Virtual Desktop.

Why migrate?

Major updates can be inconvenient, especially ones you have to do manually. However,
there are some reasons why you can't automatically migrate:

Existing service objects made with the classic release don't have any representation
in Azure. Their scope doesn't extend beyond the Azure Virtual Desktop service.
With the latest update, the service uses a new application ID, and the consent
granted to the Azure Virtual Desktop (classic) application doesn't carry over. You
won't be able to create new Azure objects with Azure Virtual Desktop unless they're
authenticated with the new application ID.

Despite the hassle, migrating away from the classic version is still important. Here's what
you can do after you migrate:

Manage Azure Virtual Desktop through the Azure portal.
Assign Azure Active Directory (Azure AD) user groups to application groups.
Use the improved Log Analytics feature to troubleshoot your deployment.
Use Azure-native role-based access control (Azure RBAC) to manage administrative
access.

When should I migrate?
When asking yourself if you should migrate, you should also take into account your
deployment's current and future situation.

There are a few scenarios in particular where we recommend you manually migrate:

You have a test host pool setup with a small number of users.
You have a production host pool setup with a small number of users, but plan to
eventually ramp up to hundreds of users.
You have a simple setup that can be easily replicated. For example, if your VMs use
a gallery image.

Important

If you're using an advanced configuration that took a long time to stabilize or has a
lot of users, we don't recommend manually migrating.

Prepare for migration

Before you get started, you'll need to make sure your environment is ready to migrate.

Here's what you need to start the migration process:

An Azure subscription where you’ll create new Azure service objects.

Make sure you're assigned to the following roles:


Contributor
User Access Administrator

The Contributor role lets you create Azure objects on your subscription, and the
User Access Administrator role lets you assign users to application groups.

How to migrate manually

Now that you've prepared for the migration process, it's time to actually migrate.

To migrate manually from Azure Virtual Desktop (classic) to Azure Virtual Desktop:

1. Follow the instructions in Create a host pool with the Azure portal to create all
high-level objects with the Azure portal.
2. If you want to bring over the virtual machines you're already using, follow the
instructions in Register the virtual machines to the Azure Virtual Desktop host pool
to manually register them to the new host pool you created in step 1.
3. Create new RemoteApp application groups.
4. Publish users or user groups to the new desktop and RemoteApp application
groups.
5. Update your Conditional Access policy to allow the new objects by following the
instructions in Set up multi-factor authentication.

To prevent downtime, you should first register your existing session hosts to the Azure
Resource Manager-integrated host pools in small groups at a time. After that, slowly
bring your users over to the new Azure Resource Manager-integrated application
groups.

Next steps
If you'd like to learn how to migrate your deployment automatically instead, go to
Migrate automatically from Azure Virtual Desktop (classic).

Once you've migrated, get to know how Azure Virtual Desktop works by checking out
our tutorials. Learn about advanced management capabilities at Expand an existing host
pool and Customize RDP properties.

To learn more about service objects, check out Azure Virtual Desktop environment.
Azure Virtual Desktop FAQ
FAQ

This article answers frequently asked questions and explains best practices for Azure
Virtual Desktop.

What are the minimum admin permissions I need to manage objects?

If you want to create host pools and other objects, you must be assigned the
Contributor role on the subscription or resource group you're working with.

You must be assigned the User Access Admin role on an application group to publish
application groups to users or user groups.

To restrict an admin to only manage user sessions, such as sending messages to users,
signing out users, and so on, you can create custom roles. For example:

JSON

{
    "actions": [
        "Microsoft.Resources/deployments/operations/read",
        "Microsoft.Resources/tags/read",
        "Microsoft.Authorization/roleAssignments/read",
        "Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/*",
        "Microsoft.DesktopVirtualization/hostpools/sessionhosts/read",
        "Microsoft.DesktopVirtualization/hostpools/sessionhosts/write"
    ],
    "notActions": [],
    "dataActions": [],
    "notDataActions": []
}
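The JSON above is only the permissions portion of a role definition. The following added example (not code from the documentation) turns it into a complete custom role with Azure PowerShell, assigns it at resource group scope so the operator can't touch host pools elsewhere in the subscription, and then checks that the role is as narrow as intended. The role name, subscription ID, resource group, and operator sign-in name are placeholders.

```powershell
# Added example (not from the documentation): create the session-operator custom role shown
# above with Azure PowerShell, assign it at resource-group scope, and verify the result.
# Assumptions: role name, subscription ID, resource group, and operator UPN are placeholders.

$subscriptionId = '<subscription-id>'
$resourceGroup  = 'rg-avd'                        # resource group that holds the host pools
$operatorUpn    = 'helpdesk.operator@contoso.com' # account that should only manage sessions

$definition = [ordered]@{
    Name             = 'AVD Session Operator'     # assumed role name
    IsCustom         = $true
    Description      = 'Message, disconnect and sign out user sessions; no host pool configuration rights.'
    Actions          = @(
        'Microsoft.Resources/deployments/operations/read',
        'Microsoft.Resources/tags/read',
        'Microsoft.Authorization/roleAssignments/read',
        'Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/*',
        'Microsoft.DesktopVirtualization/hostpools/sessionhosts/read',
        'Microsoft.DesktopVirtualization/hostpools/sessionhosts/write'
    )
    NotActions       = @()
    DataActions      = @()
    NotDataActions   = @()
    AssignableScopes = @("/subscriptions/$subscriptionId")
}

# New-AzRoleDefinition accepts the same JSON shape the article shows, via -InputFile.
$roleFile = Join-Path $env:TEMP 'avd-session-operator.json'
$definition | ConvertTo-Json -Depth 4 | Set-Content -Path $roleFile -Encoding UTF8
$role = New-AzRoleDefinition -InputFile $roleFile

# Assign at the narrowest scope that covers the host pools the operator supports.
# New role definitions take a moment to replicate; retry if the assignment reports the role is unknown.
New-AzRoleAssignment -SignInName $operatorUpn -RoleDefinitionName $role.Name `
    -ResourceGroupName $resourceGroup | Out-Null

# Least-privilege check: the only wildcard should sit under usersessions, and the role
# must not be assignable outside the intended subscription.
$unexpected    = @($role.Actions | Where-Object { $_.Contains('*') -and $_ -notlike '*/usersessions/*' })
$foreignScopes = @($role.AssignableScopes | Where-Object { $_ -ne "/subscriptions/$subscriptionId" })
if ($unexpected.Count -or $foreignScopes.Count) {
    Write-Warning "Role '$($role.Name)' is broader than intended: $(($unexpected + $foreignScopes) -join ', ')"
} else {
    Write-Host "Role '$($role.Name)' created with $($role.Actions.Count) actions, assignable only in $subscriptionId."
}
```

The sessionhosts/write action is included because drain mode (AllowNewSession) is a session host property; if operators only need to message and sign out users, drop it and the role shrinks to the usersessions wildcard plus read rights.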

Can I deploy Azure Virtual Desktop across multiple Microsoft Entra tenants?

Users must be in the same Microsoft Entra tenant as their assigned workspace, host
pool, and app group. Having everything in the same tenant lets you assign users to
proper role-based access control (RBAC) roles so they can access their resources.
However, you can deploy virtual machines (VMs) in a different Microsoft Entra tenant if
they're joined to either the same AD as the user or an AD that has a trust relationship
with the user's AD.

What are location restrictions?

All service resources have a location associated with them. A host pool's location
determines which geography the service metadata for the host pool is stored in. An
application group can't exist without a host pool. If you add apps to a RemoteApp
application group, you also need a session host to determine the start menu apps. For
any application group action, you'll also need a related data access on the host pool. To
make sure data isn't being transferred between multiple locations, the application
group's location should be the same as the host pool's.

Workspaces also must be in the same location as their application groups. Whenever the
workspace updates, the related application group updates along with it. Like with
application groups, the service requires that all workspaces are associated with
application groups created in the same location.

How do you expand an object's properties in PowerShell?

When you run a PowerShell cmdlet, you only see the resource name and location.

For example:

PowerShell

Get-AzWvdHostPool -Name 0224hp -ResourceGroupName 0224rg

Location Name   Type
-------- ----   ----
westus   0224hp Microsoft.DesktopVirtualization/hostpools

To see all of a resource's properties, add either format-list or fl to the end of the
cmdlet.

For example:

PowerShell

Get-AzWvdHostPool -Name 0224hp -ResourceGroupName 0224rg | fl

To see specific properties, add the specific property names after format-list or fl.

For example:

PowerShell

Get-AzWvdHostPool -Name demohp -ResourceGroupName 0414rg | fl CustomRdpProperty

CustomRdpProperty : audiocapturemode:i:0;audiomode:i:0;drivestoredirect:s:;redirectclipboard:i:1;redirectcomports:i:0;redirectprinters:i:1;redirectsmartcards:i:1;screenmodeid:i:2;

Does Azure Virtual Desktop support guest users?

Azure Virtual Desktop doesn't support Microsoft Entra guest user accounts. For
example, let's say a group of guest users have Microsoft 365 E3 Per-user, Windows E3
Per-user, or WIN VDA licenses in their own company, but are guest users in a different
company's Microsoft Entra ID. The other company would manage the guest users' user
objects in both Microsoft Entra ID and Active Directory like local accounts.

You can't use your own licenses for the benefit of a third-party. Also, Azure Virtual
Desktop doesn't currently support Microsoft Account (MSA).

Why don't I see the client IP address in the WVDConnections table?

We don't currently have a reliable way to collect the web client's IP addresses, so we
don't include that value in the table.

How does Azure Virtual Desktop handle backups?

There are multiple options in Azure Virtual Desktop for handling backup. At the
compute level, backup is recommended only for personal host pools, through Azure
Backup. At the storage level, the recommended backup solution varies based on the
backend storage used to store user profiles. If an Azure Files share is used, Azure
Backup for Azure Files is recommended. If Azure NetApp Files is used, snapshots and
snapshot policies or Azure NetApp Files backup are the available tools.

Does Azure Virtual Desktop support third-party collaboration apps?

Azure Virtual Desktop is currently optimized for Teams. Microsoft currently doesn't
support third-party collaboration apps like Zoom. Third-party organizations are
responsible for giving compatibility guidelines to their customers. Azure Virtual Desktop
also doesn't support Skype for Business.

Can I change from pooled to personal host pools?

Once you create a host pool, you can't change its type. However, you can move any
VMs you register to a host pool to a different type of host pool.

Is there a scale limit for host pools created in the Azure portal?

These factors can affect scale limit for host pools:

The Azure template is limited to 800 objects. To learn more, see Azure subscription
and service limits, quotas, and constraints. Each VM also creates about six objects,
so that means you can create around 132 VMs each time you run the template.

There are restrictions on how many vCPUs you can create per region and per
subscription. For example, if you have an Enterprise Agreement subscription, by
default you can create 350 vCPUs. You need to divide 350 by either the default
number of vCPUs per VM or your own vCPU limit to determine how many VMs you
can create each time you run the template. Learn more at Virtual Machines limits -
Azure Resource Manager and Check vCPU quotas.

The VM prefix name can't exceed 11 characters, so that when a sequential number
is added the total name is a maximum of 15 characters. To learn more, see Naming
rules and restrictions for Azure resources.
Can I manage Azure Virtual Desktop
environments with Azure Lighthouse?
Azure Lighthouse doesn't fully support managing Azure Virtual Desktop environments.
Since Lighthouse doesn't currently support cross-Microsoft Entra ID tenant user
management, Lighthouse customers still need to sign in to the Microsoft Entra ID that
customers use to manage users.

You also can't use CSP sandbox subscriptions with the Azure Virtual Desktop service. To
learn more, see Integration sandbox account.

Finally, if you enabled the resource provider from the CSP owner account, the CSP
customer accounts aren't able to modify the resource provider.

How often should I turn my VMs on to prevent registration issues?

After you register a VM to a host pool within the Azure Virtual Desktop service, the
agent regularly refreshes the VM's token whenever the VM is active. The certificate for
the registration token is valid for 90 days. Because of this 90-day limit, we recommend
that VMs be online for 20 minutes at least once every 90 days so that the machine can
refresh its tokens and update the agent and side-by-side stack components. Turning on
your VM within this time limit prevents its registration token from expiring or becoming
invalid. If you started your VM after 90 days and are experiencing registration issues,
follow the instructions in the Azure Virtual Desktop agent troubleshooting guide to
remove the VM from the host pool, reinstall the agent, and reregister it to the pool.
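A practitioner usually wants to find the hosts that are drifting toward the 90-day limit before they fall out of the pool. The following added example (not code from the documentation) lists the session hosts in a host pool whose last heartbeat is older than a threshold and, optionally, powers their VMs on so the agent can refresh the token. The resource group "rg-avd", host pool "hp-finance", and the 60-day threshold are assumptions; the threshold is simply chosen to leave time to act before day 90.

```powershell
# Added example (not from the documentation): report session hosts whose last heartbeat is
# older than a threshold so they can be powered on before the 90-day registration window
# closes. Assumptions: "rg-avd", "hp-finance" and the 60-day default are placeholders.

function Get-StaleSessionHost {
    param(
        [Parameter(Mandatory)][string]$ResourceGroupName,
        [Parameter(Mandatory)][string]$HostPoolName,
        [int]$ThresholdDays = 60,
        [switch]$StartVm          # also power on the VM behind each stale session host
    )
    $now    = (Get-Date).ToUniversalTime()
    $cutoff = $now.AddDays(-$ThresholdDays)

    # LastHeartBeat is null for a host that never checked in; treat that as stale too.
    $stale = Get-AzWvdSessionHost -ResourceGroupName $ResourceGroupName -HostPoolName $HostPoolName |
        Where-Object { -not $_.LastHeartBeat -or $_.LastHeartBeat -lt $cutoff }

    foreach ($sh in $stale) {
        $days = if ($sh.LastHeartBeat) { [int]($now - $sh.LastHeartBeat).TotalDays } else { 'never' }
        [pscustomobject]@{
            SessionHost   = $sh.Name
            Status        = $sh.Status
            UpdateState   = $sh.UpdateState
            DaysSinceBeat = $days
            VmResourceId  = $sh.ResourceId
        }
        if ($StartVm -and $sh.ResourceId) {
            # Start-AzVM accepts the VM resource ID stored on the session host object;
            # once the VM is up, the agent refreshes its registration token on its own.
            Start-AzVM -Id $sh.ResourceId -NoWait | Out-Null
        }
    }
}

# Report only; add -StartVm to power the stale hosts on.
Get-StaleSessionHost -ResourceGroupName 'rg-avd' -HostPoolName 'hp-finance' | Format-Table -AutoSize
```

Hosts reported with a Status other than Available after they've been running for 20 minutes have most likely already crossed the 90-day limit and need the remove, reinstall, and reregister procedure from the troubleshooting guide.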

Can I set availability options when creating host pools?

Yes. Azure Virtual Desktop host pools have an option for selecting either availability set
or availability zones when you create a VM. These availability options are the same as
the ones Azure Compute uses. If you select a zone for the VM you create in a host pool,
the setting automatically applies to all VMs you create in that zone. If you'd prefer to
spread your host pool VMs across multiple zones, you need to follow the directions in
Add virtual machines with the Azure portal to manually select a new zone for each new
VM you create.
Make sure that your Azure availability zones are available in the region where your VMs
are located.

Which availability option is best for me?

The availability option you should use for your VMs depends on your image's location.
The following table explains the relationship each setting has with these variables to
help you figure out which option is best for your deployment.

Availability option | Image location

None Gallery

None Blob storage

Availability zone Gallery (blob storage option disabled)

Availability set with managed SKU (managed disk) Gallery

Availability set with managed SKU (managed disk) Blob storage

Availability set with managed SKU (managed disk) Blob storage (Gallery option disabled)

Availability set (newly created by user) Gallery

Availability set (newly created by user) Blob storage

Should I use Windows Defender Application Control or AppLocker to control which
applications and drivers are allowed to run on my Windows 10 devices?

We recommend you use Windows Defender Application Control instead of AppLocker.

When I'm testing migration, can I have the two different Azure Virtual Desktop
environments exist in the same tenant?

Yes. You can have both deployments within the same Microsoft Entra tenant.

Are ephemeral OS disks for Azure VMs supported with Azure Virtual Desktop?

No. Ephemeral OS disks for Azure VMs aren't supported with Azure Virtual Desktop.

If I store my host pools and VMs in different regions, what would happen in a
disaster scenario where the host pool region goes down but the VM region stays
online?

Metadata of a host pool is replicated within a geography for resiliency. If the region
your host pool is in goes down, it fails over to its replica. During this failover period,
Azure Virtual Desktop doesn't accept new user connections to the session host VMs in
that host pool until the failover is complete. Any existing sessions on the session host
VMs in that host pool remain connected and unaffected. To learn more about how
service resilience is implemented for Azure Virtual Desktop, see Azure Virtual Desktop
service architecture and resilience.

What happens when you try to add more than 200 VMs to an availability set in Azure
Virtual Desktop?

If you try to go over 200 VMs in an availability set in Azure Virtual Desktop, you receive
an error message that says "Can't create VM because the limit of 200 VMs has already
been reached." For more information, see the Availability sets overview.

Can I do an in-place upgrade of a session host's operating system?

Session hosts in a pooled host pool aren't supported for in-place upgrade. Session hosts
in a personal host pool are supported for in-place upgrade. For more information, see
In-place upgrade for supported VMs running Windows in Azure and In-place upgrade
for VMs running Windows Server in Azure.


Set custom Remote Desktop Protocol (RDP) properties on a host pool in Azure Virtual Desktop
Article • 08/22/2024

When users sign in to Windows App or the Remote Desktop app, desktops and
applications that they have access to are shown. For each desktop and application, there
is a corresponding .rdp file that contains all the connection properties to use when
connecting to a remote session over the Remote Desktop Protocol (RDP). These RDP
properties are set per host pool.

Each host pool has a set of default RDP properties and values. You can add other
properties to the default set or override the default values by setting custom RDP
properties. This article shows you how to set custom RDP properties on a host pool by
using the Azure portal, Azure PowerShell, and Azure CLI.

Default host pool RDP properties

Host pools have the following RDP properties and values by default:


RDP Property | Details

audiomode:i:0 | Determines whether the local or remote machine plays audio.

devicestoredirect:s:* | Determines which peripherals that use the Media Transfer Protocol (MTP) or Picture Transfer Protocol (PTP), such as a digital camera, are redirected from a local Windows device to a remote session.

drivestoredirect:s:* | Determines which fixed, removable, and network drives on the local device will be redirected and available in a remote session.

enablecredsspsupport:i:1 | Determines whether the client will use the Credential Security Support Provider (CredSSP) for authentication if it's available.

redirectclipboard:i:1 | Determines whether to redirect the clipboard.

redirectcomports:i:1 | Determines whether serial or COM ports on the local device are redirected to a remote session.

redirectprinters:i:1 | Determines whether printers available on the local device are redirected to a remote session.

redirectsmartcards:i:1 | Determines whether smart card devices on the local device will be redirected and available in a remote session.

redirectwebauthn:i:1 | Determines whether WebAuthn requests from a remote session are redirected to the local device, allowing the use of local authenticators (such as Windows Hello for Business and security keys).

usbdevicestoredirect:s:* | Determines which supported USB devices on the client computer are redirected using opaque low-level redirection to a remote session.

use multimon:i:1 | Determines whether the remote session will use one or multiple displays from the local device.

videoplaybackmode:i:1 | Determines whether the connection will use RDP-efficient multimedia streaming for video playback.

For a full list of supported properties and values, see Supported RDP properties with
Azure Virtual Desktop

 Tip

To learn more about redirecting peripherals and resources, see Peripheral and
resource redirection over the Remote Desktop Protocol. You might need to
configure more than just an RDP property.

Prerequisites
Before you can set custom RDP properties on a host pool, you need:

An existing host pool.

An Azure account assigned the Desktop Virtualization Host Pool Contributor role
or equivalent.

If you want to use Azure CLI or Azure PowerShell locally, see Use Azure CLI and
Azure PowerShell with Azure Virtual Desktop to make sure you have the
desktopvirtualization Azure CLI extension or the Az.DesktopVirtualization
PowerShell module installed. Alternatively, use the Azure Cloud Shell.

Configure custom RDP properties

Azure portal

Here's how to configure RDP properties using the Azure portal. For a full list of
supported properties and values, see Supported RDP properties with Azure Virtual
Desktop.

1. Sign in to the Azure portal .

2. In the search bar, enter Azure Virtual Desktop and select the matching service
entry.

3. Select Host pools, then select the name of the host pool you want to update.

4. Select RDP Properties, then select the Advanced tab.

5. Add extra RDP properties or make changes to the existing RDP properties in a
semicolon-separated format, like the default values already shown.

6. When you're done, select Save to save your changes. Users need to refresh
their resources to receive the changes.
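The defaults above redirect local drives, the clipboard, printers, COM ports, and USB devices into the session, which is the usual way data leaves a hardened desktop. The following added example (not code from the documentation) does the same change the portal steps describe, but with the Az.DesktopVirtualization module from the prerequisites: it reads the host pool's current property string, overrides the redirection properties, and writes the merged string back with Update-AzWvdHostPool. The host pool "hp-finance", resource group "rg-avd", and the Merge-RdpProperty helper are assumptions made for this example.

```powershell
# Added example (not from the documentation): set custom RDP properties on a host pool with
# Azure PowerShell, turning off the redirections that move data between the local device and
# the session while keeping smart card and WebAuthn redirection for sign-in.
# Assumptions: "rg-avd" and "hp-finance" are placeholders; Merge-RdpProperty is written here.

function Merge-RdpProperty {
    param(
        [string]$Existing,      # current semicolon-separated property string (may be empty)
        [hashtable]$Override    # property name -> value, e.g. 'redirectclipboard' -> 'i:0'
    )
    $props = [ordered]@{}
    foreach ($item in ($Existing -split ';' | Where-Object { $_ })) {
        # Names never contain ':'; values do (type prefix), so split on the first ':' only.
        $name, $value = $item -split ':', 2
        $props[$name.Trim()] = $value
    }
    foreach ($name in $Override.Keys) { $props[$name] = $Override[$name] }
    return (($props.GetEnumerator() | ForEach-Object { "$($_.Key):$($_.Value)" }) -join ';') + ';'
}

# An empty s: value means "redirect nothing" for the list-valued properties.
$hardened = @{
    'drivestoredirect'     = 's:'     # no local drives in the session
    'usbdevicestoredirect' = 's:'     # no opaque USB redirection
    'devicestoredirect'    = 's:'     # no MTP/PTP devices
    'redirectclipboard'    = 'i:0'    # no clipboard
    'redirectprinters'     = 'i:0'
    'redirectcomports'     = 'i:0'
    'redirectsmartcards'   = 'i:1'    # keep smart card sign-in working
    'redirectwebauthn'     = 'i:1'    # keep Windows Hello for Business and security keys
}

$rg = 'rg-avd'
$hp = 'hp-finance'

$current = (Get-AzWvdHostPool -ResourceGroupName $rg -Name $hp).CustomRdpProperty
$merged  = Merge-RdpProperty -Existing $current -Override $hardened
Write-Host "Before: $current"
Write-Host "After:  $merged"

Update-AzWvdHostPool -ResourceGroupName $rg -Name $hp -CustomRdpProperty $merged | Out-Null

# Read back what the service stored; users pick this up the next time they refresh their feed.
(Get-AzWvdHostPool -ResourceGroupName $rg -Name $hp).CustomRdpProperty
```

Merging rather than overwriting matters because the host pool may already carry properties set through the portal (for example screenmodeid or audio settings) that you don't want to lose. As the article's tip notes, some redirections are also governed by policy on the session host, so treat the RDP property as one of the layers, not the only one.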

Related content
Supported RDP properties with Azure Virtual Desktop
Peripheral and resource redirection over the Remote Desktop Protocol

Configure host pool load balancing in
Azure Virtual Desktop
Article • 08/22/2024

Azure Virtual Desktop supports two load balancing algorithms for pooled host pools.
Each algorithm determines which session host is used when a user starts a remote
session. Load balancing doesn't apply to personal host pools because users always have
a 1:1 mapping to a session host within the host pool.

The following load balancing algorithms are available for pooled host pools:

Breadth-first, which aims to evenly distribute new user sessions across the session
hosts in a host pool. You don't have to specify a maximum session limit for the
number of sessions.

Depth-first, which keeps starting new user sessions on one session host until the
maximum session limit is reached. Once the session limit is reached, any new user
connections are directed to the next session host in the host pool until it reaches
its session limit, and so on.

You can only configure one of the load balancing algorithms at a time per pooled host
pool, but you can change which one is used at any time. Both load balancing algorithms
share the following behaviors:

If a user already has an active or disconnected session in the host pool and signs in
again, the load balancer will successfully redirect them to the session host with
their existing session. This behavior applies even if drain mode has been enabled
for that session host.

If a user doesn't already have a session on a session host in the host pool, the load
balancer doesn't consider a session host where drain mode has been enabled.

If you lower the maximum session limit on a session host while it has active user
sessions, the change doesn't affect existing user sessions.

Breadth-first load balancing algorithm


The breadth-first load balancing algorithm aims to distribute user sessions across
session hosts to optimize for session performance. Breadth-first is ideal for
organizations that want to provide the best experience for users connecting to their
remote resources as session host resources, such as CPU, memory, and disk, are
generally less contended.

The breadth-first algorithm first queries session hosts in a host pool that allow new
connections. The algorithm then selects a session host randomly from half the set of
available session hosts with the fewest sessions. For example, if there are nine session
hosts with 11, 12, 13, 14, 15, 16, 17, 18, and 19 sessions, a new session doesn't
automatically go to the session host with the fewest sessions. Instead, it can go to any of
the first five session hosts with the fewest sessions at random. Due to the
randomization, some sessions may not be evenly distributed across all session hosts.

Depth-first load balancing algorithm


The depth-first load balancing algorithm aims to saturate one session host at a time.
This algorithm is ideal for cost-conscious organizations that want more granular control
on the number of session hosts available in a host pool, enabling you to more easily
scale down the number of session hosts powered on when there are fewer users.

The depth-first algorithm first queries session hosts that allow new connections and
haven't reached their maximum session limit. The algorithm then selects the session
host with most sessions. If there's a tie, the algorithm selects the first session host from
the query.

You must set a maximum session limit when using the depth-first algorithm. You can use
Azure Virtual Desktop Insights to monitor the number of sessions on each session host
and review session host performance to help determine the best maximum session limit
for your environment.

Important

Once all session hosts have reached the maximum session limit, you need to
increase the limit or add more session hosts to the host pool.
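The two selection rules above, together with the three behaviours both algorithms share, modelled locally in PowerShell. This is an added example and not code from the article or from the service; it calls no Azure API and runs over constructed data: the nine session hosts with 11 to 19 sessions from the breadth-first description, a made-up host in drain mode, and a made-up record of a user who already has a session. Host names, user names and the session limit are all assumptions.

```powershell
# Added example, not from the original article. Pure local model of the
# broker's selection rules over constructed data; no Azure calls.
$maxSessionLimit = 20

# Nine hosts, sh-1..sh-9, carrying 11..19 sessions. sh-4 is in drain mode.
$hosts = foreach ($i in 1..9) {
    [pscustomobject]@{ Name = "sh-$i"; Sessions = 10 + $i; AllowNewSession = ($i -ne 4) }
}

# Constructed record of who already has a session (active or disconnected) and where.
$existingSessions = @{ 'alice@contoso.com' = 'sh-4' }

function Get-EligibleHosts {
    param($Hosts, [int]$MaxSessionLimit)
    # Both algorithms only consider hosts that accept new sessions and have room.
    @($Hosts | Where-Object { $_.AllowNewSession -and $_.Sessions -lt $MaxSessionLimit })
}

function Select-BreadthFirst {
    param($Hosts, [int]$MaxSessionLimit)
    $eligible = @(Get-EligibleHosts $Hosts $MaxSessionLimit | Sort-Object Sessions)
    if ($eligible.Count -eq 0) { return $null }
    # Random pick from the least-loaded half of the eligible set
    # (nine eligible hosts -> any of the first five).
    $half = [math]::Ceiling($eligible.Count / 2)
    $eligible[0..($half - 1)] | Get-Random
}

function Select-DepthFirst {
    param($Hosts, [int]$MaxSessionLimit)
    $eligible = @(Get-EligibleHosts $Hosts $MaxSessionLimit)
    if ($eligible.Count -eq 0) { return $null }
    # Most-loaded host that still has room; on a tie, the first one returned.
    $top = ($eligible | Measure-Object -Property Sessions -Maximum).Maximum
    $eligible | Where-Object { $_.Sessions -eq $top } | Select-Object -First 1
}

function Resolve-SessionHost {
    param($Hosts, [string]$User, [ValidateSet('BreadthFirst', 'DepthFirst')][string]$Algorithm)
    # Shared rule: an existing session wins, even when that host is draining.
    if ($existingSessions.ContainsKey($User)) {
        return $Hosts | Where-Object { $_.Name -eq $existingSessions[$User] }
    }
    if ($Algorithm -eq 'BreadthFirst') { Select-BreadthFirst $Hosts $maxSessionLimit }
    else                               { Select-DepthFirst  $Hosts $maxSessionLimit }
}

# alice reconnects and lands on sh-4 although sh-4 is draining.
Resolve-SessionHost -Hosts $hosts -User 'alice@contoso.com' -Algorithm BreadthFirst

# Five new users under each algorithm. Depth-first fills sh-9 (19 -> 20), then
# sh-8 twice, then sh-7 twice. Breadth-first picks at random from the
# least-loaded half of the eligible hosts each time and never lands on sh-4.
foreach ($algorithm in 'BreadthFirst', 'DepthFirst') {
    $trial = $hosts | ForEach-Object { $_.PSObject.Copy() }   # work on copies
    foreach ($n in 1..5) {
        $target = Resolve-SessionHost -Hosts $trial -User "user$n@contoso.com" -Algorithm $algorithm
        if ($null -eq $target) { '{0}: every eligible host is at its limit' -f $algorithm; break }
        $target.Sessions++
        '{0,-12} user{1} -> {2} (now {3} sessions)' -f $algorithm, $n, $target.Name, $target.Sessions
    }
}
```

Two things the model makes visible that the prose only states: drain mode is not a security boundary for a user who already holds a session on that host, and depth-first with a generous limit concentrates users (and the blast radius of a compromised host) on as few machines as possible, which is exactly the trade-off you are making when you choose it for cost.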

Prerequisites
To configure load balancing for a pooled host pool, you need:

An existing pooled host pool.

An Azure account assigned the Desktop Virtualization Host Pool Contributor role.
If you want to use Azure CLI or Azure PowerShell locally, see Use Azure CLI and
Azure PowerShell with Azure Virtual Desktop to make sure you have the
desktopvirtualization Azure CLI extension or the Az.DesktopVirtualization
PowerShell module installed. Alternatively, use the Azure Cloud Shell.

Configure load balancing


Select the relevant tab for your scenario.

Azure portal

Here's how to configure load balancing with the Azure portal:

1. Sign in to the Azure portal.

2. In the search bar, enter Azure Virtual Desktop and select the matching service
entry.

3. Select Host pools, then select the name of the host pool you want to
configure.

4. Select Properties.

5. For Load balancing algorithm, select which type you want to use for this host
pool from the drop-down menu, then for Max session limit, enter a value.

6. Select Save to apply the new load balancing settings.

Note

The depth-first load balancing algorithm distributes sessions to session hosts up to
the maximum session limit. If you use breadth-first when first creating a host pool,
the default value for the maximum session limit is set to 999999, which is also the
highest possible number you can set this parameter to. For the best possible user
experience when using depth-first load balancing, make sure to change the
maximum session limit parameter to a number that best suits your requirements.
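The same configuration with Azure PowerShell, added here as an example that is not part of the original article. It refuses to switch a pool to depth-first while the limit is still the 999999 default, verifies the change by reading the pool back, and then puts one session host into drain mode so it stops receiving new sessions (existing sessions still reconnect to it, as described above). The resource group, host pool and session host names are assumptions.

```powershell
# Added example, not from the original article. Assumed names: resource group,
# host pool and session host FQDN. Requires Az.DesktopVirtualization and a
# signed-in Azure context.
$rg          = 'rg-avd-prod'
$pool        = 'hp-pooled-01'
$sessionHost = 'sh-4.contoso.com'
$limit       = 10                     # chosen from Insights data for this pool

$before = Get-AzWvdHostPool -ResourceGroupName $rg -Name $pool
'{0}: {1}, MaxSessionLimit={2}' -f $before.Name, $before.LoadBalancerType, $before.MaxSessionLimit

# Depth-first with the 999999 default packs every user onto one host, so
# refuse to switch until a real limit has been chosen.
if ($limit -ge 999999) { throw 'Set a realistic MaxSessionLimit before using depth-first.' }

Update-AzWvdHostPool -ResourceGroupName $rg -Name $pool `
    -LoadBalancerType DepthFirst -MaxSessionLimit $limit | Out-Null

# Read back rather than trusting the cmdlet's return value.
$after = Get-AzWvdHostPool -ResourceGroupName $rg -Name $pool
if ($after.LoadBalancerType -ne 'DepthFirst' -or $after.MaxSessionLimit -ne $limit) {
    throw "Host pool $pool was not updated as expected."
}

# Drain mode: the host stops accepting new sessions (for maintenance, or to
# isolate a host you suspect). Users who already have a session there still
# reconnect to it; to cut them off you must log their sessions off as well.
Update-AzWvdSessionHost -ResourceGroupName $rg -HostPoolName $pool -Name $sessionHost `
    -AllowNewSession:$false | Out-Null

Get-AzWvdSessionHost -ResourceGroupName $rg -HostPoolName $pool |
    Select-Object Name, AllowNewSession, Status |
    Format-Table
```

Lowering the limit below the current session count on a host does not disconnect anyone; it only stops that host taking new sessions until it falls below the limit again.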

Related content
Understand how autoscale can automatically scale the number of available session
hosts in a host pool.


Configure personal desktop assignment
Article • 08/22/2024

Important

This content applies to Azure Virtual Desktop with Azure Resource Manager Azure
Virtual Desktop objects. If you're using Azure Virtual Desktop (classic) without
Azure Resource Manager objects, see this article.

A personal host pool is a type of host pool that has personal desktops. Personal
desktops have one-to-one mapping, which means a single user can only be assigned to
a single personal desktop. Every time the user signs in, their user session is directed to
their assigned personal desktop session host. This host pool type is ideal for customers
with resource-intensive workloads because user experience and session performance
will improve if there's only one session on the session host. Another benefit of this host
pool type is that user activities, files, and settings persist on the virtual machine
operating system (VM OS) disk after the user signs out.

Users must be assigned to a personal desktop to start their session. You can configure
the assignment type of your personal desktop host pool to adjust your Azure Virtual
Desktop environment to better suit your needs. In this topic, we'll show you how to
configure automatic or direct assignment for your users.

Note

The instructions in this article only apply to personal desktop host pools, not
pooled host pools, since users in pooled host pools aren't assigned to specific
session hosts.

Prerequisites
If you're using either the Azure portal or PowerShell method, you'll need the following
things:

A personal host pool with at least one session host.


An Azure account assigned the Desktop Virtualization Contributor role.
If you want to use Azure CLI or Azure PowerShell locally, see Use Azure CLI and
Azure PowerShell with Azure Virtual Desktop to make sure you have the
desktopvirtualization Azure CLI extension or the Az.DesktopVirtualization
PowerShell module installed. Alternatively, use the Azure Cloud Shell.

If you're assigning desktops with PowerShell, you'll need to download and install the
Azure Virtual Desktop PowerShell module if you haven't already.

Configure automatic assignment


Automatic assignment assigns users a personal desktop the first time they connect. It's
the default assignment type for new personal desktop host pools you create in your
Azure Virtual Desktop environment. Automatically assigning users doesn't require a
specific session host.

To automatically assign users, first assign them to the personal desktop host pool so
that they can see the desktop in their feed. When an assigned user launches the desktop
in their feed, their user session will be load-balanced to an available session host if they
haven't already connected to the host pool. You can still assign a user directly to a
session host before they connect, even if the assignment type is set automatic.

Azure portal

To configure automatic assignment in the Azure portal:

1. Sign in to the Azure portal.

2. In the search bar, enter Azure Virtual Desktop and select the matching service
entry.

3. Select Host pools, then select the personal host pool you want to configure
automatic assignment.

4. Next, select Properties, then go to the Assignment drop-down menu and
select Automatic.

5. Select Save.

Configure direct assignment


Unlike automatic assignment, when you use direct assignment, you assign a specific
personal desktop to a user first. You must assign the user to both the personal desktop
host pool and a specific session host before they can connect to their personal desktop.
If the user is only assigned to a host pool without a session host assignment, they won't
be able to access resources and will see an error message that says No resources
available.

Azure portal

To configure direct assignment in the Azure portal:

1. Sign in to the Azure portal.

2. In the search bar, type Azure Virtual Desktop and select the matching service
entry.

3. Select Host pools, then select the personal host pool you want to configure
direct assignment for.

4. Next, select Properties, then go to the Assignment drop-down menu and
select Direct.

5. Select Save.

Directly assign users to session hosts


Here's how to directly assign users to session hosts using the Azure portal or Azure
PowerShell. You can't assign users to session hosts using Azure CLI.

Azure portal

To directly assign a user to a session host in the Azure portal:

1. Sign in to the Azure portal.

2. Enter Azure Virtual Desktop into the search bar.

3. Under Services, select Azure Virtual Desktop.

4. At the Azure Virtual Desktop page, go to the menu on the left side of the
window and select Host pools.

5. Select the host pool you want to assign users to.

6. Next, go to the menu on the left side of the window and select Application
groups.
7. Select the name of the app group you want to assign users to, then select
Assignments in the menu on the left side of the window.

8. Select + Add, then select the users or user groups you want to assign to this
app group.

9. Select Assign VM in the Information bar to assign a session host to a user.

10. Select the session host you want to assign to the user, then select Assign. You
can also select Assignment > Assign user.

11. Select the user you want to assign the session host to from the list of available
users.

12. When you're done, select Select.

Unassign a personal desktop


Here's how to unassign a personal desktop using the Azure portal or Azure PowerShell.
You can't unassign a personal desktop using Azure CLI.

Azure portal

To unassign a personal desktop in the Azure portal:

1. Sign in to the Azure portal.

2. Enter Azure Virtual Desktop into the search bar.

3. Under Services, select Azure Virtual Desktop.

4. At the Azure Virtual Desktop page, go to the menu on the left side of the
window and select Host pools.

5. Select the host pool you want to modify user assignment for.

6. Next, go to the menu on the left side of the window and select Session hosts.

7. Select the checkbox next to the session host you want to unassign a user
from, select the ellipses at the end of the row, and then select Unassign user.
You can also select Assignment > Unassign user.
8. Select Unassign when prompted with the warning.

Reassign a personal desktop


Here's how to reassign a personal desktop using the Azure portal or Azure PowerShell.
You can't reassign a personal desktop using Azure CLI.

Azure portal

To reassign a personal desktop in the Azure portal:

1. Sign in to the Azure portal.

2. Enter Azure Virtual Desktop into the search bar.

3. Under Services, select Azure Virtual Desktop.

4. At the Azure Virtual Desktop page, go to the menu on the left side of the
window and select Host pools.

5. Select the host pool you want to modify user assignment for.

6. Next, go to the menu on the left side of the window and select Session hosts.

7. Select the checkbox next to the session host you want to reassign to a
different user, select the ellipses at the end of the row, and then select Assign
to a different user. You can also select Assignment > Assign to a different
user.

8. Select the user you want to assign the session host to from the list of available
users.

9. When you're done, select Select.
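The portal procedures above, as one Azure PowerShell script. This is an added example, not code from the original article. It sets the host pool to direct assignment, checks that the user actually holds the Desktop Virtualization User role on the pool's desktop application group (the missing piece behind the "No resources available" error), then assigns, reassigns and unassigns a session host. Resource group, host pool, session host FQDN and user principal names are assumptions.

```powershell
# Added example, not from the original article. Assumed names: resource
# group, host pool, session host FQDN and user UPNs. Requires the
# Az.DesktopVirtualization and Az.Resources modules and a signed-in context.
$rg          = 'rg-avd-prod'
$pool        = 'hp-personal-01'
$sessionHost = 'pd-01.contoso.com'
$user        = 'alice@contoso.com'
$newUser     = 'bob@contoso.com'

# 1. Assignment type for the host pool: Automatic (the default) or Direct.
Update-AzWvdHostPool -ResourceGroupName $rg -Name $pool -PersonalDesktopAssignmentType Direct | Out-Null

# 2. A session host assignment is useless unless the user is also assigned to
#    the pool's desktop application group; otherwise they see
#    "No resources available". Check and fix that first.
$appGroup = Get-AzWvdApplicationGroup -ResourceGroupName $rg |
    Where-Object { $_.ApplicationGroupType -eq 'Desktop' -and $_.HostPoolArmPath -like "*/hostPools/$pool" }
if (-not $appGroup) { throw "No desktop application group found for host pool $pool" }

# Direct role assignments only; a role granted through group membership
# would not show up here.
$hasRole = Get-AzRoleAssignment -Scope $appGroup.Id -SignInName $user -RoleDefinitionName 'Desktop Virtualization User'
if (-not $hasRole) {
    New-AzRoleAssignment -Scope $appGroup.Id -SignInName $user -RoleDefinitionName 'Desktop Virtualization User' | Out-Null
}

# 3. Direct assignment: bind the user to one session host.
Update-AzWvdSessionHost -ResourceGroupName $rg -HostPoolName $pool -Name $sessionHost `
    -AssignedUser $user | Out-Null

# 4. Reassign to another user. -Force tells the cmdlet to overwrite the
#    existing assignment. The previous user's profile and files remain on the
#    VM's OS disk, so reassigning a desktop hands that data to the new user
#    unless you reimage or clean the VM first.
Update-AzWvdSessionHost -ResourceGroupName $rg -HostPoolName $pool -Name $sessionHost `
    -AssignedUser $newUser -Force | Out-Null

# 5. Unassign: an empty AssignedUser clears the binding.
Update-AzWvdSessionHost -ResourceGroupName $rg -HostPoolName $pool -Name $sessionHost `
    -AssignedUser '' -Force | Out-Null

# 6. Who owns which desktop right now.
Get-AzWvdSessionHost -ResourceGroupName $rg -HostPoolName $pool |
    Select-Object Name, AssignedUser, Status |
    Format-Table
```

Run step 6 on its own periodically: desktops whose assigned user has left the organisation keep that user's data on disk and stay reachable to anyone who later inherits the account.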

Give session hosts in a personal host pool a friendly name
You can give personal desktops you create friendly names to help users distinguish them
in their feeds using PowerShell. The Azure portal or Azure CLI doesn't currently have a
way to give session host friendly names.

1. Launch the Azure Cloud Shell in the Azure portal with the PowerShell terminal type,
or run PowerShell on your local device.

If you're using Cloud Shell, make sure your Azure context is set to the
subscription you want to use.

If you're using PowerShell locally, first Sign in with Azure PowerShell, then
make sure your Azure context is set to the subscription you want to use.

2. Run the following command in PowerShell to add or change a session host's
friendly name:

Azure PowerShell
$parameters = @{
HostPoolName = 'HostPoolName'
Name = 'SessionHostName'
ResourceGroupName = 'ResourceGroupName'
FriendlyName = 'SessionHostFriendlyName'
}

Update-AzWvdSessionHost @parameters

3. To get the session host friendly name, run the following command in PowerShell:

Azure PowerShell

$sessionHostParams = @{
HostPoolName = 'HostPoolName'
Name = 'SessionHostName'
ResourceGroupName = 'ResourceGroupName'
}

Get-AzWvdSessionHost @sessionHostParams | Format-List Name, AssignedUser, FriendlyName

Next steps
Now that you've configured the personal desktop assignment type and given your
session host a friendly name, you can sign in to an Azure Virtual Desktop client to test it
as part of a user session. These articles will show you how to connect to a session using
the client of your choice:

Connect with the Windows Desktop client
Connect with the web client
Connect with the Android client
Connect with the iOS client
Connect with the macOS client



Configure a host pool as a validation
environment
Article • 03/03/2023

Important

This content applies to Azure Virtual Desktop with Azure Resource Manager Azure
Virtual Desktop objects. If you're using Azure Virtual Desktop (classic) without
Azure Resource Manager objects, see this article.

Host pools are a collection of one or more identical virtual machines within Azure Virtual
Desktop environment. We highly recommend you create a validation host pool where
service updates are applied first. Validation host pools let you monitor service updates
before the service applies them to your standard or non-validation environment.
Without a validation host pool, you may not discover changes that introduce errors,
which could result in downtime for users in your standard environment.

To ensure your apps work with the latest updates, the validation host pool should be as
similar to host pools in your non-validation environment as possible. Users should
connect as frequently to the validation host pool as they do to the standard host pool. If
you have automated testing on your host pool, you should include automated testing
on the validation host pool.

You can debug issues in the validation host pool with either the diagnostics feature or
the Azure Virtual Desktop troubleshooting articles.

Note

We recommend that you leave the validation host pool in place to test all future
updates. Validation host pools should only be used for testing, and not in
production environments.

Create your host pool


You can configure any existing pooled or personal host pool to be a validation host
pool. You can also create a new host pool to use for validation by following the
instructions in any of these articles:
Tutorial: Create a host pool with Azure Marketplace or the Azure CLI
Create a host pool with PowerShell or the Azure CLI

Define your host pool as a validation environment
Portal

To use the Azure portal to configure your validation host pool:

1. Sign in to the Azure portal.
2. Search for and select Azure Virtual Desktop.
3. In the Azure Virtual Desktop page, select Host pools.
4. Select the name of the host pool you want to edit.
5. Select Properties.
6. In the validation environment field, select Yes to enable the validation
environment.
7. Select Save to apply the new settings.
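The same setting with Azure PowerShell, as an added example that is not part of the original article. It flags one host pool as a validation environment and then lists every host pool the signed-in context can see with its validation flag, so you can confirm that only the pools you intend to receive updates first are marked. The resource group and host pool names are assumptions.

```powershell
# Added example, not from the original article. Assumed names: resource group
# and host pool. Requires Az.DesktopVirtualization and a signed-in context.
$rg   = 'rg-avd-prod'
$pool = 'hp-validation-01'

Update-AzWvdHostPool -ResourceGroupName $rg -Name $pool -ValidationEnvironment:$true | Out-Null

# Every host pool in the current subscription, validation pools first.
$pools = Get-AzWvdHostPool | Select-Object Name, HostPoolType, ValidationEnvironment
$pools | Sort-Object ValidationEnvironment -Descending | Format-Table

# A production pool flagged by mistake gets untested service updates before
# anyone has looked at them, so fail loudly if the set is not what you expect.
$expected = @('hp-validation-01')
$actual   = @($pools | Where-Object ValidationEnvironment | Select-Object -ExpandProperty Name)
$unexpected = $actual | Where-Object { $_ -notin $expected }
if ($unexpected) { Write-Warning "Unexpected validation host pools: $($unexpected -join ', ')" }
```

The `$expected` list is the control here; keep it next to the script that builds your host pools so a drift check like this is part of the same pipeline.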

Update schedule
Service updates happen monthly. If there are major issues, critical updates will be
provided at a more frequent pace.

If there are any service updates, make sure you have at least a couple of users sign in
each day to validate the environment. We recommend you regularly visit our
TechCommunity site and follow any posts with WVDUpdate or AVDUpdate to stay
informed about service updates.

Next steps
Now that you've created a validation host pool, you can learn how to use Azure Service
Health to monitor your Azure Virtual Desktop deployment.

Set up service alerts


Scheduled Agent Updates for Azure
Virtual Desktop host pools
Article • 08/11/2022

The Scheduled Agent Updates feature lets you create up to two maintenance windows
for the Azure Virtual Desktop agent, side-by-side stack, and Geneva Monitoring agent to
get updated so that updates don't happen during peak business hours. To monitor
agent updates, you can use Log Analytics to see when agent component updates are
available and when updates are unsuccessful.

This article describes how the Scheduled Agent Updates feature works and how to set it
up.

Note

Azure Virtual Desktop (classic) doesn't support the Scheduled Agent Updates
feature.

Configure the Scheduled Agent Updates feature using the Azure portal
To use the Azure portal to configure Scheduled Agent Updates:

1. Open your browser and go to the Azure portal.

2. In the Azure portal, go to Azure Virtual Desktop.

3. Select Host pools, then go to the host pool where you want to enable the feature.
You can only configure this feature for existing host pools. You can't enable this
feature when you create a new host pool.

4. In the host pool, select Scheduled Agent Updates. Scheduled Agent Updates is
disabled by default. This means that, unless you enable this setting, the agent can
get updated at any time by the agent update flighting service. Select the
Scheduled agent updates checkbox to enable the feature.
5. Enter your preferred time zone setting. If you select Use local session host time
zone, Scheduled Agent Updates will automatically use the VM's local time zone. If
you don't select Use local session host time zone, you'll need to specify a time
zone.

6. Select a day and time for the Maintenance window. If you'd like to make an
optional second maintenance window, you can also select a date and time for it
here. Since Scheduled Agent Updates is a host pool setting, the time zone setting
and maintenance windows you configure will be applied to all session hosts in the
host pool.

7. Select Apply to apply your settings.


Additional information

How the feature works


The Scheduled Agent Updates feature updates the Azure Virtual Desktop agent, side-
by-side stack, and Geneva Monitoring agent if any one or more of these components
needs to be updated. Any reference to the agent components is referring to these three
components.

Scheduled Agent Updates doesn't apply to the initial installation of the agent
components. When you install the agent on a virtual machine (VM), the agent will
automatically install the side-by-side stack and the Geneva Monitoring agent regardless
of which maintenance windows you set. Any non-critical updates after installation will
only happen within your maintenance windows. Host pools with the Scheduled Agent
Updates feature enabled will receive the agent update after the agent has been fully
flighted to production. For more information about how agent flighting works, see
Agent update process.

The agent component update won't succeed if the session host VM is shut down or
deallocated during the scheduled update time. If you enable Scheduled Agent Updates,
make sure all session hosts in your host pool are on during your configured
maintenance window time. The broker will attempt to update the agent components
during each specified maintenance window up to four times. After the fourth try, the
broker will install the update by force. This process gives time for installation retries if
an update is unsuccessful, and also prevents session hosts from having outdated
versions of agent components. If a critical agent component update is available, the
broker will install the agent component by force for security purposes.

Maintenance window and time zone information


You must specify at least one maintenance window. Configuring the second
maintenance window is optional. Creating two maintenance windows gives the
agent components additional opportunities to update if the first update during
one of the windows is unsuccessful.

All maintenance windows are two hours long to account for situations where all
three agent components must be updated at the same time. For example, if your
maintenance window is Saturday at 9:00 AM PST, the updates will happen between
9:00 AM PST and 11:00 AM PST.

The Use session host local time parameter isn't selected by default. If you want
the agent component update to be in the same time zone for all session hosts in
your host pool, you'll need to specify a single time zone for your maintenance
windows. Having a single time zone helps when all your session hosts or users are
located in the same time zone.
If you select Use session host local time, the agent component update will be in
the local time zone of each session host in the host pool. Use this setting when all
session hosts in your host pool or their assigned users are in different time zones.
For example, let's say you have one host pool with session hosts in West US in the
Pacific Standard Time zone and session hosts in East US in the Eastern Standard
Time zone, and you've set the maintenance window to be Saturday at 9:00 PM.
Enabling Use session host local time ensures that updates to all session hosts in
the host pool will happen at 9:00 PM in their respective time zones. Disabling Use
session host local time and setting the time zone to be Central Standard Time
ensures that updates to the session hosts in the host pool will happen at 9:00 PM
Central Standard Time, regardless of the session hosts' local time zones.

The local time zone for VMs you create using the Azure portal is set to
Coordinated Universal Time (UTC) by default. If you want to change the VM time
zone, run the Set-TimeZone PowerShell cmdlet on the VM.

To get a list of available time zones for a VM, run the Get-TimeZone PowerShell
cmdlet on the VM.
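The portal steps and the time zone rules above, as one Azure PowerShell script. This is an added example, not code from the original article. It enables Scheduled Agent Updates with two maintenance windows in a single fixed time zone, then converts each two-hour window to UTC so you can check that your autoscale or power-on schedule keeps the session hosts running while the window is open (an update against a deallocated host fails, as noted above). The resource group and host pool names are assumptions, and the `AgentUpdate*` parameter names are those of `Update-AzWvdHostPool` in the Az.DesktopVirtualization module; confirm them with `Get-Help Update-AzWvdHostPool -Parameter AgentUpdate*` if your module version differs.

```powershell
# Added example, not from the original article. Assumed names: resource group
# and host pool. Parameter names follow Update-AzWvdHostPool in
# Az.DesktopVirtualization; verify with Get-Help if your version differs.
$rg         = 'rg-avd-prod'
$pool       = 'hp-pooled-01'
$timeZoneId = 'Central Standard Time'      # Windows time zone ID

# Two windows: Saturday 21:00 and Sunday 03:00, both in $timeZoneId rather
# than in each host's local time. The second window is the retry slot.
$windows = @(
    @{ DayOfWeek = 'Saturday'; Hour = 21 },
    @{ DayOfWeek = 'Sunday';   Hour = 3 }
)

Update-AzWvdHostPool -ResourceGroupName $rg -Name $pool `
    -AgentUpdateType Scheduled `
    -AgentUpdateUseSessionHostLocalTime:$false `
    -AgentUpdateMaintenanceWindowTimeZone $timeZoneId `
    -AgentUpdateMaintenanceWindow $windows | Out-Null

function Get-MaintenanceWindowUtc {
    # Next occurrence of DayOfWeek at Hour in TimeZoneId, returned as a UTC
    # start/end pair. Windows are two hours long.
    param([string]$DayOfWeek, [int]$Hour, [string]$TimeZoneId, [datetime]$From = (Get-Date))
    $tz       = [TimeZoneInfo]::FindSystemTimeZoneById($TimeZoneId)
    $localNow = [TimeZoneInfo]::ConvertTimeFromUtc($From.ToUniversalTime(), $tz)
    $daysAhead = ([int][DayOfWeek]$DayOfWeek - [int]$localNow.DayOfWeek + 7) % 7
    $start = $localNow.Date.AddDays($daysAhead).AddHours($Hour)
    if ($start -le $localNow) { $start = $start.AddDays(7) }
    # ConvertTimeToUtc requires an Unspecified-kind value for a non-local zone.
    $startUtc = [TimeZoneInfo]::ConvertTimeToUtc([datetime]::SpecifyKind($start, 'Unspecified'), $tz)
    [pscustomobject]@{ StartUtc = $startUtc; EndUtc = $startUtc.AddHours(2) }
}

foreach ($w in $windows) {
    $u = Get-MaintenanceWindowUtc -DayOfWeek $w.DayOfWeek -Hour $w.Hour -TimeZoneId $timeZoneId
    '{0} {1:00}:00 {2} -> {3:u} to {4:u}' -f $w.DayOfWeek, $w.Hour, $timeZoneId, $u.StartUtc, $u.EndUtc
}
```

If you use `Use session host local time` instead, run the conversion once per session host time zone (the VM's own `Get-TimeZone` value) rather than once per pool, because each host then has its own UTC window.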

Next steps
For more information related to Scheduled Agent Updates and agent components,
check out the following resources:

Learn how to set up diagnostics for this feature at the Scheduled Agent Updates
Diagnostics guide.
Learn more about the Azure Virtual Desktop agent, side-by-side stack, and Geneva
Monitoring agent at Getting Started with the Azure Virtual Desktop Agent.
For more information about the current and earlier versions of the Azure Virtual
Desktop agent, see Azure Virtual Desktop agent updates.
If you're experiencing agent or connectivity-related issues, see the Azure Virtual
Desktop Agent issues troubleshooting guide.
Customize the feed for Azure Virtual
Desktop users
Article • 08/22/2024

You can customize the feed so the RemoteApp and remote desktop resources appear in
a recognizable way for your users.

Prerequisites
If you're using either the Azure portal or PowerShell method, you'll need the following
things:

An Azure account assigned the Desktop Virtualization Application Group Contributor role.

If you want to use Azure PowerShell locally, see Use Azure CLI and Azure
PowerShell with Azure Virtual Desktop to make sure you have the
Az.DesktopVirtualization PowerShell module installed. Alternatively, use the Azure
Cloud Shell.

Customize the display name for a desktop or application
Select the relevant tab for your scenario.

Azure portal

Here's how to customize the display name for a published RemoteApp or desktop
using the Azure portal.

1. Sign in to the Azure portal.

2. Search for Azure Virtual Desktop.

3. Under Services, select Azure Virtual Desktop.

4. On the Azure Virtual Desktop page, select Application groups on the left side
of the screen, then select the name of the application group you want to edit.

5. Select Applications in the menu on the left side of the screen.


6. Select the application you want to update, then enter a new Display name.

7. Select Save. The application you edited should now display the updated name.
Users see the new name once their client refreshes.

Set a friendly name for an individual session host in a personal host pool
For session hosts in a personal host pool, you can change the display name for a
desktop for each individual session host by setting its friendly name using PowerShell.
By default, the session host friendly name is empty, so all users only see the same
desktop display name. There isn't currently a way to set the session host friendly name
in the Azure portal.

1. Launch the Azure Cloud Shell in the Azure portal with the PowerShell terminal type,
or run PowerShell on your local device.

If you're using Cloud Shell, make sure your Azure context is set to the
subscription you want to use.

If you're using PowerShell locally, first Sign in with Azure PowerShell, then
make sure your Azure context is set to the subscription you want to use.

2. Run the following command in PowerShell to add or change a session host's
friendly name:

Azure PowerShell

$parameters = @{
HostPoolName = 'HostPoolName'
Name = 'SessionHostName'
ResourceGroupName = 'ResourceGroupName'
FriendlyName = 'SessionHostFriendlyName'
}

Update-AzWvdSessionHost @parameters

3. To get the session host friendly name, run the following command in PowerShell:

Azure PowerShell

$sessionHostParams = @{
HostPoolName = 'HostPoolName'
Name = 'SessionHostName'
ResourceGroupName = 'ResourceGroupName'
}

Get-AzWvdSessionHost @sessionHostParams | Format-List Name, AssignedUser, FriendlyName



Delete a host pool
Article • 04/14/2023

All host pools created in Azure Virtual Desktop are attached to session hosts and
application groups. To delete a host pool, you need to delete its associated application
groups and session hosts. Deleting an application group is fairly simple, but deleting a
session host is more complicated. When you delete a session host, you need to make
sure it doesn't have any active user sessions. All user sessions on the session host should
be logged off to prevent users from losing data.

Portal

To delete a host pool in the Azure portal:

1. Sign in to the Azure portal.

2. Search for and select Azure Virtual Desktop.

3. Select Host pools in the menu on the left side of the page, then select the
name of the host pool you want to delete.

4. On the menu on the left side of the page, select Application groups.

5. Select all application groups in the host pool you're going to delete, then
select Remove.

6. Once you've removed the application groups, go to the menu on the left side
of the page and select Overview.

7. Select Remove.

8. If there are session hosts in the host pool you're deleting, you'll see a message
asking for your permission to continue. Select Yes.

9. The Azure portal will now remove all session hosts and delete the host pool.
The VMs related to the session host won't be deleted and will remain in your
subscription.
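The deletion order described above, scripted with Azure PowerShell so that no user session is cut off without warning. This is an added example, not code from the original article. It drains every session host, messages anyone still signed in, waits, logs off whatever remains, removes the application groups and session host registrations, and finally deletes the host pool. The VMs themselves are left in the subscription, as the article notes; deleting or deallocating them is a separate decision. Resource group, host pool name, the message text and the grace period are assumptions.

```powershell
# Added example, not from the original article. Assumed names: resource group
# and host pool. Requires Az.DesktopVirtualization and a signed-in context.
$rg    = 'rg-avd-old'
$pool  = 'hp-pooled-legacy'
$grace = 600                               # seconds between warning and log-off

# 1. Drain every host so nobody new lands on the pool while we work.
foreach ($sh in Get-AzWvdSessionHost -ResourceGroupName $rg -HostPoolName $pool) {
    $shName = ($sh.Name -split '/')[-1]    # object name is "hostpool/sessionhost"
    Update-AzWvdSessionHost -ResourceGroupName $rg -HostPoolName $pool -Name $shName `
        -AllowNewSession:$false | Out-Null
}

# 2. Warn everyone who still has a session (active or disconnected).
$sessions = @(Get-AzWvdUserSession -ResourceGroupName $rg -HostPoolName $pool)
foreach ($s in $sessions) {
    $parts = $s.Name -split '/'            # "hostpool/sessionhost/sessionid"
    $msg = @{
        ResourceGroupName = $rg
        HostPoolName      = $pool
        SessionHostName   = $parts[1]
        UserSessionId     = $parts[2]
        MessageTitle      = 'Host pool retirement'
        MessageBody       = "This desktop is being retired. Save your work; you will be signed out in $([int]($grace / 60)) minutes."
    }
    Send-AzWvdUserSessionMessage @msg
}
if ($sessions.Count -gt 0) { Start-Sleep -Seconds $grace }

# 3. Log off what is left. This ends the session; unsaved work is lost.
foreach ($s in Get-AzWvdUserSession -ResourceGroupName $rg -HostPoolName $pool) {
    $parts = $s.Name -split '/'
    Remove-AzWvdUserSession -ResourceGroupName $rg -HostPoolName $pool `
        -SessionHostName $parts[1] -Id $parts[2] -Force
}

# 4. Application groups that point at this pool, then the session host
#    registrations. Removing a registration does not touch the VM.
Get-AzWvdApplicationGroup -ResourceGroupName $rg |
    Where-Object { $_.HostPoolArmPath -like "*/hostPools/$pool" } |
    ForEach-Object { Remove-AzWvdApplicationGroup -ResourceGroupName $rg -Name $_.Name }

Get-AzWvdSessionHost -ResourceGroupName $rg -HostPoolName $pool |
    ForEach-Object { Remove-AzWvdSessionHost -ResourceGroupName $rg -HostPoolName $pool -Name (($_.Name -split '/')[-1]) }

# 5. The pool itself.
Remove-AzWvdHostPool -ResourceGroupName $rg -Name $pool
```

Step 1 matters even for a pool you believe is idle: without drain mode, a user whose feed still lists the desktop can start a new session between your check in step 2 and the log-off in step 3.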

Next steps
To learn how to create a host pool, check out these articles:
Create a host pool with the Azure portal
Create a host pool with PowerShell

To learn how to configure host pool settings, check out these articles:

Customize Remote Desktop Protocol properties for a host pool
Configure the Azure Virtual Desktop load-balancing method
Configure the personal desktop host pool assignment type
Manage session hosts with Microsoft Intune
Article • 10/12/2023

We recommend using Microsoft Intune to manage your Azure Virtual Desktop
environment. Microsoft Intune is a unified endpoint management platform that
includes Microsoft Configuration Manager and the Intune cloud service.

Microsoft Configuration Manager


Microsoft Configuration Manager versions 1906 and later can manage your domain-
joined and Microsoft Entra hybrid joined session hosts. For more information, see
Supported OS versions for clients and devices for Configuration Manager.

Microsoft Intune
Microsoft Intune can manage your Microsoft Entra joined and Microsoft Entra hybrid
joined session hosts. To learn more about using Intune to manage Windows 11 and
Windows 10 single session hosts, see Using Azure Virtual Desktop with Intune.

For Windows 11 and Windows 10 multi-session hosts, Intune supports both device-
based configurations and user-based configurations on Windows 11 and Windows 10.
User-scope configuration on Windows 10 requires the update March 2023 Cumulative
Update Preview (KB5023773) and OS version 19042.2788, 19044.2788, 19045.2788 or
later. To learn more about using Intune to manage multi-session hosts, see Using Azure
Virtual Desktop multi-session with Intune.

Note

Managing Azure Virtual Desktop session hosts using Intune is currently supported
in the Azure Public and Azure Government clouds.

Licensing
Microsoft Intune licenses are included with most Microsoft 365 subscriptions.

Learn more about licensing requirements at the following resources:


Frequently asked questions for Configuration Manager branches and licensing
Microsoft Intune licensing
Using Azure Virtual Desktop with Intune
Article • 04/29/2024

Azure Virtual Desktop is a desktop and app virtualization service that runs on Microsoft
Azure. It lets end users connect securely to a full desktop from any device. With
Microsoft Intune, you can secure and manage your Azure Virtual Desktop VMs with
policy and apps at scale, after they're enrolled.

Prerequisites
Currently, for single-session, Intune supports Azure Virtual Desktop VMs that are:

Running Windows 10 Enterprise, version 1809 or later, or running Windows 11.
Set up as personal remote desktops in Azure.
Microsoft Entra hybrid joined and enrolled in Intune in one of the following
methods:
Configure Active Directory group policy to automatically enroll devices that are
Microsoft Entra hybrid joined.
Configuration Manager co-management.
User self-enrollment via Microsoft Entra join.
Microsoft Entra joined and enrolled in Intune by enabling Enroll the VM with
Intune in the Azure portal.
Under the same tenant as Intune

For more information on Azure Virtual Desktop licensing requirements, see What is
Azure Virtual Desktop?.

For information about working with multi-session remote desktops, see Windows 10 or
Windows 11 Enterprise multi-session remote desktops.

Intune treats Azure Virtual Desktop personal VMs the same as Windows 10 or Windows
11 Enterprise physical desktops. This treatment lets you use some of your existing
configurations and secure the VMs with compliance policy and conditional access.
Intune management doesn't depend on or interfere with Azure Virtual Desktop
management of the same virtual machine.

Limitations
There are some limitations to keep in mind when managing Windows 10 Enterprise
remote desktops:

Configuration
All VM limitations listed in Using Windows 10 virtual machines also apply to Azure
Virtual Desktop VMs.

Also, the following profiles aren't currently supported:

Domain Join
Wi-Fi

Make sure that the RemoteDesktopServices/AllowUsersToConnectRemotely policy isn't
disabled.

Note

Configuration and compliance policies for Secure Boot and features leveraging
vTPM (Virtual Trusted Platform Module) are not supported at this time for Azure
Virtual Desktop VMs.

Cloning physical and virtual devices


Intune does not support using a cloned image of a computer that is already enrolled.
This includes both physical and virtual devices such as Azure Virtual Desktop (AVD).
When device enrollment or identity tokens are replicated between devices, Intune
device enrollment or synchronization failures will occur.

For more information, see Mobile device enrollment - Windows Client
Management and Certificate authentication device enrollment - Windows Client
Management.
For information on disabling token roaming in AVD, see Using Azure Virtual
Desktop multi-session with Microsoft Intune.
For information on troubleshooting issues related to image cloning, see Error hr
0x8007064c: The machine is already enrolled.

Remote actions
The following Windows 10 desktop device remote actions aren't
supported/recommended for Azure Virtual Desktop VMs:

Autopilot reset
BitLocker key rotation
Fresh Start
Remote lock
Reset password
Wipe

Retirement
Deleting VMs from Azure leaves orphaned device records in Intune. They'll be
automatically cleaned up according to the cleanup rules configured for the tenant.

Known issues
The following table provides a set of known issues along with more information about
each issue.


Issue: Can't auto-enroll if tenant has more than one MDM provider
More information: This issue will be fixed in the future.

Issue: Modern apps, such as Universal Windows Platform (UWP) apps, aren't working
correctly if FSLogix is configured
More information: Using FSLogix and Modern apps could cause compatibility issues. We
recommend that you don't configure Modern apps when FSLogix is configured.

Next steps
Learn more about Azure Virtual Desktops.
Use Azure Virtual Desktop multi-session with Intune


Windows 10 or Windows 11 Enterprise multi-session remote desktops
Article • 04/23/2024

Azure Virtual Desktop multi-session with Microsoft Intune is now generally available.

You can now use Microsoft Intune to manage Windows 10 or Windows 11 Enterprise
multi-session remote desktops in the Microsoft Intune admin center just as you can
manage a shared Windows 10 or Windows 11 client device. When managing such virtual
machines (VMs), you'll be able to use both device-based configuration targeted to
devices or user-based configuration targeted to users.

Windows 10 or Windows 11 Enterprise multi-session is a new Remote Desktop Session
Host exclusive to Azure Virtual Desktop on Azure. It provides the following benefits:

Allows multiple concurrent user sessions.
Gives users a familiar Windows 10 or Windows 11 experience.
Supports use of existing per-user Microsoft 365 licensing.

You can manage Windows 10 and Windows 11 Enterprise multi-session VMs created in
Azure Government Cloud in US Government Community (GCC), GCC High, and DoD.

Important

Microsoft Intune support for Azure Virtual Desktop multi-session is not currently
available for Citrix DaaS and VMware Horizon Cloud. Because Intune cannot offer
support for Citrix DaaS, review the Citrix documentation, and be aware of Citrix
support options for multi-session support. All questions, concerns or help should
be directed to Citrix for multi-session support. See Citrix support.

Overview
Device configuration support in Microsoft Intune for Windows 10 or Windows 11
Enterprise multi-session is generally available (GA). This means policies defined in the
OS scope and apps configured to install in the system context can be applied to Azure
Virtual Desktop multi-session VMs when assigned to device groups.

Note
Device-based configuration cannot be assigned to users and user-based
configuration cannot be assigned to devices. It will be reported as Error or Not
applicable.

User configuration support in Microsoft Intune for Windows 10 or Windows 11 multi-
session VMs is generally available. With this you are able to:

Configure user scope policies using Settings catalog and assign to groups of
users. You can use the search bar to search all configurations with scope set to
"user".

Configure user certificates and assign to users.

Configure PowerShell scripts to install in the user context and assign to users.

Prerequisites
This feature supports Windows 10 or Windows 11 Enterprise multi-session VMs, which
are:

Running Windows 10 multi-session, version 1903 or later, or running Windows 11
multi-session.
Set up as remote desktops in pooled host pools that have been deployed through
Azure Resource Manager.
Under the same tenant as Intune.
Running an Azure Virtual Desktop agent version of 1.0.2944.1400 or later.
Microsoft Entra hybrid joined and enrolled in Microsoft Intune using one of the
following methods:
Configured with Active Directory group policy, set to use Device credentials, and
set to automatically enroll devices that are Microsoft Entra hybrid joined.
Configuration Manager co-management.
Microsoft Entra joined and enrolled in Microsoft Intune by enabling Enroll the VM
with Intune in the Azure portal.
Licensing: The appropriate Azure Virtual Desktop and Microsoft Intune license is
required if a user or device benefits directly or indirectly from the Microsoft Intune
service, including access to the Microsoft Intune service through a Microsoft API.
For more information, go to Microsoft Intune licensing.
See What is Azure Virtual Desktop? for more information about Azure Virtual
Desktop licensing requirements.

Limitations
Intune does not support using a cloned image of a computer that is already enrolled.
This includes both physical and virtual devices such as Azure Virtual Desktop (AVD).
When device enrollment or identity tokens are replicated between devices, Intune
device enrollment or synchronization failures will occur.

For more information, see Mobile device enrollment - Windows Client
Management and Certificate authentication device enrollment - Windows Client
Management.
For information on troubleshooting issues related to image cloning, see Error hr
0x8007064c: The machine is already enrolled.

Note

If you're joining session hosts to Microsoft Entra Domain Services, you can't
manage them using Intune.

Important

If you're using Windows 10, versions 2004, 20H2, or 21H1 builds, make sure
that you install the July 2021 Windows Update or a later Windows update.
Otherwise, remote actions in the Microsoft Intune admin center, like remote
sync, won't work correctly. As a result, pending policies assigned to devices
might take up to 8 hours to be applied.
Intune does not currently support token roaming functionality between
devices. If FSLogix, or a similar technology, is used to manage Windows user
profiles and settings, you must ensure that tokens are not unexpectedly
roamed or duplicated across devices. To confirm that you are running a
supported version and configuration of FSLogix with token roaming disabled,
please see the FSLogix RoamIdentity Configuration Settings Reference.

Windows 10 or Windows 11 Enterprise multi-session VMs are treated as a separate OS
edition and some Windows 10 or Windows 11 Enterprise configurations won't be
supported for this edition. Using Microsoft Intune doesn't depend on or interfere with
Azure Virtual Desktop management of the same VM.

Create the configuration profile

To configure configuration policies for Windows 10 or Windows 11 Enterprise multi-
session VMs, you'll need to use the Settings catalog in the Microsoft Intune admin
center.

The existing device configuration profile templates aren't supported for Windows 10 or
Windows 11 Enterprise multi-session VMs, except for the following templates:

Trusted certificate - Device (machine) when targeting devices and User when
targeting users
SCEP certificate - Device (machine) when targeting devices and User when
targeting users
PKCS certificate - Device (machine) when targeting devices and User when
targeting users
VPN - Device Tunnel only

Microsoft Intune won't deliver unsupported templates to multi-session devices, and
those policies appear as Not applicable in reports.

Note

If you use co-management for Intune and Configuration Manager, in Configuration
Manager, set the workload slider for Resource Access Policies to Intune or Pilot
Intune. This setting allows Windows 10 and Windows 11 clients to start the process
of requesting the certificate.

To configure policies
1. Sign in to the Microsoft Intune admin center and choose Devices > By platform
> Windows > Manage devices > Configuration > Create > New Policy.
2. For Platform, select Windows 10 and later.
3. For Profile type, select Settings catalog, or, when deploying settings by using a
template, select Templates and then the name of the supported template.
4. Select Create.
5. On the Basics page, provide a Name and (optionally) Description > Next.
6. On the Configuration settings page, select Add settings.
7. Under Settings picker, select Add filter and select the following options:

Key: OS edition
Operator: ==
Value: Enterprise multi-session
Select Apply. The filtered list now shows all configuration profile categories
that support Windows 10 or Windows 11 Enterprise multi-session. The scope
for a policy is shown in parentheses. For user scope it shows as (User) and all
the rest are policies with device scope.
8. From the filtered list, pick the categories that you want.

For each category you pick, select the settings that you want to apply to your
new configuration profile.
For each setting, select the value that you want for this configuration profile.

9. Select Next when you're done adding settings.

10. On the Assignments page, choose the Microsoft Entra groups containing the
devices to which you want this profile assigned > Next.
11. On the Scope tags page, optionally add the scope tags you want to apply to this
profile > Next. For more information about scope tags, see Use role-based access
control and scope tags for distributed IT.
12. On the Review + create page, choose Create to create the profile.

Administrative templates
Windows 10 or Windows 11 Administrative Templates are supported for Windows 10 or
Windows 11 Enterprise multi-session via the Settings catalog with some limitations:

ADMX-backed policies are supported. Some policies aren't yet available in the
Settings catalog.
ADMX-ingested policies are supported, including Office and Microsoft Edge
settings available in Office administrative template files and Microsoft Edge
administrative template files. For a complete list of ADMX-ingested policy
categories, see Win32 and Desktop Bridge app policy configuration. Some ADMX
ingested settings won't be applicable to Windows 10 or Windows 11 Enterprise
multi-session.

To list supported Administrative Templates, you'll need to use the filter in Settings
catalog.

Compliance and Conditional access

You can secure your Windows 10 or Windows 11 Enterprise multi-session VMs by
configuring compliance policies and Conditional Access policies in the Microsoft Intune
admin center. The following compliance policies are supported on Windows 10 or
Windows 11 Enterprise multi-session VMs:

Minimum OS version
Maximum OS version
Valid operating system builds
Simple passwords
Password type
Minimum password length
Password Complexity
Password expiration (days)
Number of previous passwords to prevent reuse
Microsoft Defender Antimalware
Microsoft Defender Antimalware security intelligence up-to-date
Firewall
Antivirus
Antispyware
Real-time protection
Microsoft Defender Antimalware minimum version
Defender ATP Risk score

All other policies report as Not applicable.

Important

You'll need to create a new compliance policy and target it to the device group
containing your multi-session VMs. User-targeted compliance configurations aren't
supported.

Conditional Access policies support both user and device based configurations for
Windows 10 or Windows 11 Enterprise multi-session.

Note

Conditional Access for Exchange on-premises isn't supported for Windows 10 or
Windows 11 Enterprise multi-session VMs.

Note

Configuration and compliance policies for BitLocker, Secure Boot, and features
leveraging vTPM (Virtual Trusted Platform Module) are not supported at this time
for Azure Virtual Desktop VMs.

Endpoint security
You can configure profiles under Endpoint security for multi-session VMs by selecting
Platform Windows 10, Windows 11, and Windows Server. If that Platform is not
available, the profile is not supported on multi-session VMs.

For more information, see Manage device security with endpoint security policies in
Microsoft Intune

Application deployment
All Windows 10 or Windows 11 apps can be deployed to Windows 10 or Windows 11
Enterprise multi-session with the following restrictions:

All apps must be configured to install in the system/device context and be
targeted to devices. Web apps are always applied in the user context by default so
they won't apply to multi-session VMs.
All apps must be configured with Required or Uninstall app assignment intent. The
Available apps deployment intent isn't supported on multi-session VMs.
If a Win32 app configured to install in the system context has dependencies or
supersedence relationship on any apps configured to install in the user context,
the app won't be installed. To apply to a Windows 10 or Windows 11 Enterprise
multi-session VM, create a separate instance of the system context app or make
sure all app dependencies are configured to install in the system context.
Azure Virtual Desktop RemoteApp and MSIX app attach aren't currently supported
in Microsoft Intune.

Script deployment
Scripts configured to run in the system context and assigned to devices are supported
on Windows 10 or Windows 11 Enterprise multi-session. This can be configured under
Script settings by setting Run this script using the logged on credentials to No.

Scripts configured to run in the user context and assigned to users are supported on
Windows 10 and Windows 11 Enterprise multi-session. This can be configured under
Script settings by setting Run this script using the logged on credentials to Yes.

Windows Update for Business

You can use the settings catalog to manage Windows Update settings for quality
(security) updates for Windows 10 or Windows 11 Enterprise multi-session VMs. To find
the supported settings in the catalog, configure a settings filter for Enterprise multi-
session and then expand the Windows Update for Business category.

The following settings are available in the catalog, with the links opening the Windows
CSP documentation:

Active Hours End
Active Hours Max Range
Active Hours Start
Block "Pause Updates" ability
Configure Deadline Grace Period
Defer Quality Updates Period (Days)
Pause Quality Updates Start Time
Quality Update Deadline Period (Days)

Remote actions
The following Windows 10 or Windows 11 desktop device remote actions aren't
supported and will be grayed out in the UI and disabled in Graph for Windows 10 or
Windows 11 Enterprise multi-session VMs:

Autopilot reset
BitLocker key rotation
Fresh Start
Remote lock
Reset password
Wipe

Retirement
Deleting VMs from Azure will leave orphaned device records in the Microsoft Intune
admin center. They'll be automatically cleaned up according to the cleanup rules
configured for the tenant.

Security baselines
Security baselines aren't available for Windows 10 or Windows 11 Enterprise multi-
session at this time. We recommend that you review the Available security baselines and
configure the recommended policies and values in the Settings catalog.

Additional configurations that aren't supported on Windows 10 or Windows 11 Enterprise multi-session VMs

Out of Box Experience (OOBE) enrollment isn't supported for Windows 10 or Windows 11
Enterprise multi-session. This restriction means that:

Windows Autopilot and Commercial OOBE aren't supported.
Enrollment status page isn't supported.

Windows 10 or Windows 11 Enterprise multi-session managed by Microsoft Intune isn't
currently supported for China Sovereign Cloud.

Troubleshooting
The following sections provide troubleshooting guidance for common issues.

Enrollment issues


Issue: Enrollment of Microsoft Entra hybrid joined virtual machine fails
Detail:
Auto-enrollment is configured to use user credentials. Windows 10 or Windows 11
Enterprise multi-session virtual machines must be enrolled using device credentials.
The Azure Virtual Desktop agent you're using must be version 1.0.2944.1400 or later.
You've more than one MDM provider, which isn't supported.
Windows 10 or Windows 11 Enterprise multi-session VM is configured outside of a host
pool. Microsoft Intune only supports VMs provisioned as part of a host pool.
The Azure Virtual Desktop host pool wasn't created through the Azure Resource
Manager template.

Issue: Enrollment of Microsoft Entra joined virtual machine fails
Detail:
The Azure Virtual Desktop agent you're using isn't updated. The agent must be
version 1.0.2944.1400 or above.
Azure Virtual Desktop host pool wasn't created through the Azure Resource Manager
template.

Configuration issues

Issue: Settings catalog policy fails
Detail: Confirm the VM is enrolled using device credentials. Enrollment with user
credentials isn't currently supported for Windows 10 or Windows 11 Enterprise
multi-session.

Issue: Configuration policy didn't apply
Detail: Templates (except for Certificates) aren't supported on Windows 10 or
Windows 11 Enterprise multi-session. All policies must be created via the settings
catalog.

Issue: Configuration policy reports as Not applicable
Detail: Some policies aren't applicable to Azure Virtual Desktop VMs.

Issue: Microsoft Edge/Microsoft Office ADMX policy doesn't show up when I apply the
filter for Windows 10 or Windows 11 Enterprise multi-session edition
Detail: Applicability for these settings isn't based on the Windows version or edition
but on whether those apps have been installed on the device. To add these settings to
your policy, you may have to remove any filters applied in the settings picker.

Issue: App configured to install in system context didn't apply
Detail: Confirm the app doesn't have a dependency or supersedence relationship on any
apps configured to install in user context. User context apps aren't currently
supported on Windows 10 or Windows 11 Enterprise multi-session.

Issue: Update rings for Windows 10 and later policy didn't apply
Detail: Windows update rings policies aren't currently supported. Quality updates can
be managed via settings available in the settings catalog.

Next steps
Learn more about Azure Virtual Desktops.


Use Microsoft Configuration Manager to automatically deploy software updates to Azure Virtual Desktop session hosts
Article • 03/03/2023

Azure Virtual Desktop session hosts running Windows 10 Enterprise multi-session and
Windows 11 Enterprise multi-session can be grouped together in Microsoft
Configuration Manager to automatically apply updates. A collection is created based on
a query which you can then use as the target collection for a servicing plan.

You can update Windows 10 Enterprise multi-session and Windows 11 Enterprise multi-
session with the corresponding Windows client updates. For example, you can update
Windows 10 Enterprise multi-session, version 21H2 by installing the client updates for
Windows 10, version 21H2.

Prerequisites
To create this query-based collection, you'll need to do the following:

Make sure you've installed the Microsoft Configuration Manager Agent on your
session host virtual machines (VMs) and they're assigned to a site in Configuration
Manager.
Make sure your version of Microsoft Configuration Manager is at least on branch
level 1910 for Windows 10, or 2107 for Windows 11.

Create a query-based collection

You can use a query statement based on the specific operating system SKU to identify
which of your devices managed by Configuration Manager are running Windows 10
Enterprise multi-session and Windows 11 Enterprise multi-session operating systems.

Tip

The operating system SKU for Windows 10 Enterprise multi-session and Windows
11 Enterprise multi-session is 175. You can use PowerShell to find the operating
system SKU by running the following command:

PowerShell

Get-WmiObject -Class Win32_OperatingSystem | FT Caption,OperatingSystemSKU

To create the collection:

1. In the Configuration Manager console, select Assets and Compliance.

2. Go to Overview > Device Collections and right-click Device collections and select
Create Device Collection from the drop-down menu.

3. In the General tab of the menu that opens, enter a name that describes your
collection in the Name field. In the Comment field, you can give additional
information describing what the collection is. In Limiting Collection, define which
machines you're including in the collection query.

4. In the Membership Rules tab, add a rule for your query by selecting Add Rule,
then selecting Query Rule.

5. In Query Rule Properties, enter a name for your rule, then define the parameters
of the rule by selecting Edit Query Statement.

6. Select Show Query Statement.

7. In the statement, enter the following string:

WQL

select SMS_R_SYSTEM.ResourceID, SMS_R_SYSTEM.ResourceType, SMS_R_SYSTEM.Name,
SMS_R_SYSTEM.SMSUniqueIdentifier, SMS_R_SYSTEM.ResourceDomainORWorkgroup,
SMS_R_SYSTEM.Client
from SMS_R_System
inner join SMS_G_System_OPERATING_SYSTEM
on SMS_G_System_OPERATING_SYSTEM.ResourceId = SMS_R_System.ResourceId
where SMS_G_System_OPERATING_SYSTEM.OperatingSystemSKU = 175

8. Select OK to create the collection.

9. To check if you successfully created the collection, go to Assets and Compliance >
Overview > Device Collections.

Deploy software updates

You can use an automatic deployment rule (ADR) in Microsoft Configuration Manager to
automatically approve and deploy software updates. You specify the collection you
created above as the target collection for deployment to deploy these updates to your
session host VMs.

For more information about deploying software updates with Microsoft Configuration
Manager, see Deploy software updates. For the steps to create an ADR, see
Automatically deploy software updates.

Drain session hosts for maintenance in Azure Virtual Desktop
Article • 08/22/2024

Drain mode enables you to isolate a session host when you want to perform
maintenance without disruption to service. When a session host is set to drain, it won't
accept new user sessions. Any new connections will be redirected to the next available
session host. Existing connections to the session host will remain active until the user
signs out or an administrator ends the session. Once there aren't any sessions remaining
on the session host, you can perform the maintenance you need. Administrators can still
remotely connect to the server directly without going through the Azure Virtual Desktop
service.

This article shows you how to drain session hosts using the Azure portal or Azure
PowerShell.

Prerequisites
To drain session hosts, you need:

A host pool with at least one session host.

An Azure account assigned the Desktop Virtualization Session Host Operator role.

If you want to use Azure PowerShell locally, see Use Azure CLI and Azure
PowerShell with Azure Virtual Desktop to make sure you have the
Az.DesktopVirtualization PowerShell module installed. Alternatively, use the Azure
Cloud Shell.

Enable and disable drain mode for a session host

Here's how to enable and disable drain mode for a session host using the Azure portal
and PowerShell.

Azure portal

To enable drain mode for a session host and block new sessions in the Azure portal:

1. Sign in to the Azure portal.

2. In the search bar, type Azure Virtual Desktop and select the matching service
entry.

3. From the Azure Virtual Desktop overview page, select Host pools.

4. Select the host pool that contains the session host you want to drain, then
select Session hosts.

5. Check the box next to the session host you want to enable drain mode, then
select Turn drain mode on.

6. When you're ready to allow new connections to the session host, check the
box next to the session host you want to disable drain mode, then select Turn
drain mode off.
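The same drain workflow can be scripted with Azure PowerShell. The following is an added example, not code from this article: it uses the Az.DesktopVirtualization module named in the prerequisites and assumes you've already run Connect-AzAccount with an account holding the Desktop Virtualization Session Host Operator role; the resource group, host pool and session host names are placeholders.

```powershell
# Added example, not part of the original article. Requires the Az.DesktopVirtualization
# module and an existing Connect-AzAccount session. All names below are placeholders.

function Set-AvdSessionHostDrainMode {
    <#
      Turn drain mode on or off for one session host.
      Drain mode on  == AllowNewSession $false (the broker stops sending new sessions here).
      Drain mode off == AllowNewSession $true.
      Returns the resulting AllowNewSession value so a caller can confirm the change.
    #>
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $HostPoolName,
        # Session host name as listed in the portal, normally the FQDN (placeholder format).
        [Parameter(Mandatory)] [string] $SessionHostName,
        [Parameter(Mandatory)] [bool]   $DrainEnabled
    )
    $allow = -not $DrainEnabled
    $sessionHost = Update-AzWvdSessionHost -ResourceGroupName $ResourceGroupName `
        -HostPoolName $HostPoolName -Name $SessionHostName -AllowNewSession:$allow
    return $sessionHost.AllowNewSession
}

function Wait-AvdSessionHostDrained {
    <#
      Poll until no user sessions (active or disconnected) remain on a drained session
      host, or until the timeout is reached. Returns $true only when the host is empty,
      which is the point at which the article says maintenance can begin.
    #>
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $HostPoolName,
        [Parameter(Mandatory)] [string] $SessionHostName,
        [int] $TimeoutMinutes = 60,
        [int] $PollSeconds    = 60
    )
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        # Get-AzWvdUserSession lists every session still bound to this host.
        $sessions = @(Get-AzWvdUserSession -ResourceGroupName $ResourceGroupName `
            -HostPoolName $HostPoolName -SessionHostName $SessionHostName)
        if ($sessions.Count -eq 0) { return $true }
        Write-Host ("{0}: {1} session(s) remain on {2}" -f `
            (Get-Date -Format 's'), $sessions.Count, $SessionHostName)
        Start-Sleep -Seconds $PollSeconds
    } while ((Get-Date) -lt $deadline)
    return $false
}

# --- Usage (placeholder names) -------------------------------------------------
$rg = 'rg-avd-placeholder'
$hp = 'hp-pooled-placeholder'
$sh = 'vm-avd-0.contoso.example'

# 1. Block new sessions; the service redirects new connections to other hosts in the pool.
$allowNew = Set-AvdSessionHostDrainMode -ResourceGroupName $rg -HostPoolName $hp `
    -SessionHostName $sh -DrainEnabled $true
if ($allowNew) { throw "Drain mode was not applied to $sh" }

# 2. Wait for existing users to sign out (or for an administrator to end their sessions).
if (Wait-AvdSessionHostDrained -ResourceGroupName $rg -HostPoolName $hp -SessionHostName $sh) {
    Write-Host "$sh has no sessions; perform maintenance now."
} else {
    Write-Warning "$sh still has sessions after the timeout; leave drain mode on and retry."
}

# 3. After maintenance, allow new sessions again:
# Set-AvdSessionHostDrainMode -ResourceGroupName $rg -HostPoolName $hp -SessionHostName $sh -DrainEnabled $false
```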


Session host update for Azure Virtual Desktop (preview)
Article • 10/22/2024

Important

Session host update for Azure Virtual Desktop is currently in PREVIEW. See the
Supplemental Terms of Use for Microsoft Azure Previews for legal terms that
apply to Azure features that are in beta, preview, or otherwise not yet released into
general availability.

Session host update enables you to update the underlying virtual machine (VM) disk
type, operating system (OS) image, and other configuration properties of all session
hosts in a host pool with a session host configuration. Session host update deallocates
or deletes the existing virtual machines and creates new ones that are added to your
host pool with the updated configuration. This method of updating session hosts aligns
with the recommendation of managing updates within the core source image, rather
than distributing and installing updates to each session host individually on an ongoing
repeated schedule to keep them up to date.

Here are the changes you can make when performing an update:

Virtual machine image
Virtual machine size
Virtual machine disk type
Virtual machine security type:
Standard
Trusted launch virtual machines
Confidential virtual machines
Active Directory domain join credentials
Microsoft Intune enrollment
Local administrator credentials
Run a custom configuration PowerShell script

After you complete an update of your session hosts using session host update, all
session hosts in a host pool are standardized with the changes you specified. Other
Azure properties of the session hosts, such as the availability configuration, network
configuration, and location, are persisted across updates.

Update process
You can specify the number of session hosts in a host pool to update concurrently,
known as a batch. This value is the maximum number of session hosts that are
unavailable at a time during the update and all remaining session hosts are available to
use. When an update starts, only one session host is targeted (known as the initial) to
test that the end-to-end update process is successful before moving on to updating the
rest of the session hosts in the pool in batches. This approach minimizes the impact if a
failure occurs.

Here's an example: if you have a host pool with 10 session hosts and you enter a batch
size of three, a single session host (the initial) is updated, then the remaining session
hosts are updated in three batches of three session hosts. At any point after the initial
session host completes its update, there are a minimum of seven session hosts available
for use in the host pool.

During an update, session host update follows this process:

1. Existing session hosts are selected based upon their name, and the size of the
batch previously specified. A notification specified by the admin is sent out to any
connected users, then the service waits the duration also specified earlier before
signing out any remaining users.

2. The selected session hosts are placed into drain mode, then removed from the
host pool. The computer account for session hosts joined to an Active Directory
domain isn't deleted.

3. The same number of new session hosts are created using the updated session host
configuration. The new Azure resources for the VM, OS disk, and network interface
are in the format SessionHostName-DateTime, for example, an existing VM called
VM1-0 is replaced with a new VM called VM1-0-2023-04-15T17-16-07. The hostname
of the operating system isn't changed. These new session hosts are joined to your
directory using Azure VM extensions.

Session hosts joined to an Active Directory domain inherit the existing AD
computer objects. This process establishes the trust relationship and breaks the
existing trust relationship with the previous VMs.

4. The new session hosts are joined to the existing host pool and drain mode is
disabled, and the session hosts can accept connections.

5. The original VMs are either deallocated or deleted, depending upon whether you
chose to save the original VMs.

There can only be one session host update operation running or scheduled in a single
host pool at a time. However, you can have session host update operations running on
multiple host pools at the same time.

The existing power state and drain mode of session hosts is honored. You can perform
an update on a host pool where all the session hosts are deallocated to save costs.

Important

If you use Azure Virtual Desktop Insights, the Azure Monitor agent or Log
Analytics agent isn't automatically installed on the updated session hosts. To
install the agent automatically, here are some options:
For the Azure Monitor agent, you can use Azure Policy.
For the Log Analytics agent, you can use Azure Automation.

Keep in mind quota limits on your Azure subscription and consider
submitting a request to increase a quota if an update would go over the
limit.

We recommend that you test the update process on a test host pool aligned
to the host pool you want to update. This will test the update process itself
and also the result of a new VM with the same name as the previous VM
within your environment. It's also important to test that any updates, such as
new applications or hotfixes, work as expected within your environment
before updating a production host pool.

Virtual machines and management tools

The new image must be supported for Azure Virtual Desktop and the generation of
virtual machine, and can be from:

Azure Marketplace.

An existing Azure Compute Gallery shared image.

An existing managed image.

As session host update creates new virtual machines, it needs to join them to a
directory. You must use the same directory as the existing VMs. You can't change the
directory during an update.

Any customizations, such as files, registry keys, or certificates that were added manually
to session hosts, aren't present after the update is complete. You can't update session
hosts in the pool individually, so you should either add these customizations into the
image itself, ensure the customizations are applied by configuration management tools
such as Intune or Group Policy, or add these customizations to the custom configuration
PowerShell script in the session host configuration.

During an update with session hosts joined to Active Directory, computer objects aren't
deleted. This means that there are temporarily orphaned computer objects within Active
Directory. When the new virtual machine is joined to the domain, it uses the original
host name and inherits the orphaned computer object. If you change the domain, you
need to remove the orphaned computer objects from the previous domain.

Group Policy objects (GPOs) are used to apply policy to session hosts and are typically
applied at the OU level in the Active Directory domain. However, there might be some
application/filtering done using computer objects or group objects. As the new VMs
inherit the orphaned computer objects, existing GPOs still apply. You should ensure that
existing GPOs still apply if you change the OU membership as part of the update
process.

Scheduling and user sessions

If there are users signed in to a session host when it starts to update, they receive the
notification specified by an administrator, which should inform users to sign out, then
sign in again. Users can immediately sign in again to be connected to another session
host in the host pool.

New connections are directed to session hosts that are updated to avoid them signing
in to a session host that will be updated imminently, only for them to be notified to sign
out again. However, at the beginning of an update there aren't any newly updated
session hosts, so users who were asked to sign out and recently signed in to session
hosts yet to be updated are notified to sign out again.

With only a reduced number of session hosts available, you should schedule an update
at an appropriate time for your business to minimize disruption to end users.

Known issues and limitations

Here are known issues and limitations:

Session host update is only available in the global Azure cloud. It isn't available in
other clouds, such as Azure US Government or Azure operated by 21Vianet.
For session hosts that were created from an Azure Compute Gallery shared image
that has a purchase plan, the plan isn't retained when the session hosts are
updated. To check whether the image you use for your session hosts has a
purchase plan, you can use Azure PowerShell or Azure CLI.

Session host update currently requires access to the public Azure Storage endpoint
wvdhpustgr0prod.blob.core.windows.net to deploy the RDAgent. Until this is

migrated to a required endpoint for Azure Virtual Desktop, session hosts that can't
access wvdhpustgr0prod.blob.core.windows.net fail to be updated with the error
CustomerVmNoAccessToDeploymentPackageException .

The size of the OS disk can't be changed during an update. The update service
defaults to the same size as defined by the gallery image.

If an update fails, the host pool can't be deleted until the update is canceled.

The update progress only changes when a session host has updated. As an
example, in a host pool with 10 session hosts, while the first session host is being
updated the progress shows as 0.00%. This only moves to 10% once the first
session host has updated.

If you decide to create an image that is taken from an existing session host that
you then use as the source image for your session host update, you need to delete
the C:\packages\plugin folder before creating the image. Otherwise this folder
prevents the DSC extension that joins the updated virtual machines to the host
pool from running.

If you use Azure Virtual Desktop Insights, the Azure Monitor agent or Log Analytics
agent isn't automatically installed on the updated session hosts. To install the
agent automatically, here are some options:
For the Azure Monitor agent, you can use Azure Policy.
For the Log Analytics agent, you can use Azure Automation.
Manually add these new session hosts from within Azure Virtual Desktop
Insights in the Azure portal.

Modifying a session host configuration in a host pool with no session hosts at the
same time a session host is being created can result in a host pool with
inconsistent session host properties and should be avoided.

Updates with large batch sizes can result in intermittent failures with the error code
AgentRegistrationFailureGeneric . If this occurs for a subset of session hosts being

updated, retrying the update typically resolves the issue.


Next steps
Learn how to update session hosts in a host pool with a session host configuration
using session host update.


Update session hosts using session host
update in Azure Virtual Desktop
(preview)
Article • 10/22/2024

Important

Session host update for Azure Virtual Desktop is currently in PREVIEW. See the
Supplemental Terms of Use for Microsoft Azure Previews for legal terms that
apply to Azure features that are in beta, preview, or otherwise not yet released into
general availability.

When you want to update session hosts in a host pool with a session host configuration,
you use session host update. Session host update enables you to update the underlying
virtual machine (VM) image, size, disk type, and other configuration properties. During
an update, the existing virtual machines are deleted or deallocated, and new ones are
created with the updated configuration stored in the session host configuration. The
update also uses the values from the session host management policy to determine how
session hosts should get updated.

This article shows you how to update a host pool's session host configuration, update
the session hosts in that pool, and how to monitor the progress of an update using the
Azure portal and Azure PowerShell.

To learn more about how session host update works, see Session host update.

Prerequisites
Before you update session hosts using session host update, you need:

An existing pooled host pool with a session host configuration with session hosts
that are all in the same Azure region and resource group. Personal host pools
aren't supported.

The new image must be supported for Azure Virtual Desktop and match the
generation of virtual machine. If you're using Trusted launch virtual machines or
Confidential virtual machines, your image must be for generation 2 VMs. It can be
from:
Azure Marketplace.
An existing Azure Compute Gallery shared image. We recommend having at
least two replicas of the image you use.
An existing managed image.

Remove any resource locks on session hosts or the resource group they're in.

Assign the Azure Virtual Desktop service principal the Desktop Virtualization
Virtual Machine Contributor role-based access control (RBAC) role on the
resource group or subscription with the host pools and session hosts you want to
use with session host update. For more information, see Assign Azure RBAC roles
or Microsoft Entra roles to the Azure Virtual Desktop service principals.

An Azure account you use to configure session host update with the following
Azure RBAC roles to update the following resource types. You can also use another
built-in role that includes the same permissions, or create a custom role.

| Resource type | Built-in Azure RBAC role | Scope |
|---|---|---|
| Host pool | Desktop Virtualization Host Pool Contributor, Desktop Virtualization Application Group Contributor | Resource group or subscription |
| Session hosts | Virtual Machine Contributor | Resource group or subscription |

You can only join session hosts to an Active Directory domain. Joining session
hosts to Microsoft Entra ID isn't supported, but you can use Microsoft Entra hybrid
join.

If you're joining session hosts to a Microsoft Entra Domain Services domain, you
need to be a member of the AAD DC Administrators group.

If you're joining session hosts to an Active Directory Domain Services (AD DS)
domain, you need to use an account with more permissions than typically
required for joining a domain because the new OS image reuses the existing
computer object. The permissions and properties in the following table need to
be applied to the account on the Organizational Unit (OU) containing your
session hosts:

| Name | Type | Applies to |
|---|---|---|
| Reset password | Allow | Descendant Computer objects |
| Validated write to DNS host name | Allow | Descendant Computer objects |
| Validated write to service principal name | Allow | Descendant Computer objects |
| Read account restrictions | Allow | Descendant Computer objects |
| Write account restrictions | Allow | Descendant Computer objects |

Beginning with KB5020276, further protections were introduced for the reuse
of computer accounts in an Active Directory domain. To successfully reuse the
existing computer object for the session host, either:
- The user account joining the session host to the domain is the creator of the
  existing computer account.
- The computer account was created by a member of the domain
  administrators security group.
- Apply the Group Policy setting Domain controller: Allow computer account
  re-use during domain join to the owner of the computer account. For more
  information on the scope of this setting, see KB5020276.

A key vault containing the secrets you want to use for your virtual machine local
administrator account credentials and, if you're joining session hosts to an Active
Directory domain, your domain join account credentials. You need one secret for
each username and password. The virtual machine local administrator password
must meet the password requirements when creating a VM.

You need to provide the Azure Virtual Desktop service principal the ability to
read the secrets. Your key vault can be configured to use either:

The Azure RBAC permission model with the role Key Vault Secrets User
assigned to the Azure Virtual Desktop service principal.

An access policy with the Get secret permission assigned to the Azure Virtual
Desktop service principal.

The key vault must allow Azure Resource Manager for template deployment.

See Assign Azure RBAC roles or Microsoft Entra roles to the Azure Virtual Desktop
service principals to make sure you're using the correct service principal.

For any custom configuration PowerShell scripts you specify in the session host
configuration to run after an update, the URL to the script must be resolvable from
the public internet.

If you want to use Azure PowerShell locally, see Use Azure CLI and Azure
PowerShell with Azure Virtual Desktop to make sure you have the
Az.DesktopVirtualization PowerShell module installed. Alternatively, use the Azure
Cloud Shell.

Azure PowerShell cmdlets for Azure Virtual Desktop that support session host
update are in preview. You need to download and install the preview version of the
Az.DesktopVirtualization module to use these cmdlets, which are added in
version 5.3.0.
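Most of the prerequisites above can be verified before an update is scheduled, rather than discovered when it fails. The script below is an added example, not code from the documentation or from Microsoft: it checks the Az.DesktopVirtualization version, the Desktop Virtualization Virtual Machine Contributor assignment for the Azure Virtual Desktop service principal, resource locks, the key vault's template deployment and secret-read settings under either permission model, and the Active Directory rights from the table above for the domain join account on the session host OU. It assumes the Az.Accounts, Az.Resources, Az.KeyVault and ActiveDirectory modules, a `Connect-AzAccount` session, and that the service principal is found by the display name Azure Virtual Desktop (an assumption; pass another name if your tenant differs). The right and class GUIDs are the well-known schema identifiers, and the ACE check is deliberately simple: it accepts an ACE naming the specific right or an unrestricted ACE, and does not distinguish read from write on the account restrictions property set.

```powershell
# Added example (not from the Azure Virtual Desktop documentation): preflight checks for the
# session host update prerequisites. Assumes Az.Accounts, Az.Resources, Az.KeyVault and the
# ActiveDirectory module, an existing Connect-AzAccount session, and placeholder names below.
param(
    [Parameter(Mandatory)] [string] $ResourceGroupName,   # placeholder
    [Parameter(Mandatory)] [string] $KeyVaultName,        # placeholder
    [Parameter(Mandatory)] [string] $SessionHostOU,       # e.g. "OU=AVD,DC=contoso,DC=com" (placeholder)
    [Parameter(Mandatory)] [string] $DomainJoinAccount,   # e.g. "CONTOSO\svc-avdjoin" (placeholder)
    [string] $AvdServicePrincipalDisplayName = 'Azure Virtual Desktop'   # assumption: first-party SP display name
)

$results = [System.Collections.Generic.List[object]]::new()
function Add-Check([string]$Name, [bool]$Ok, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Name; Passed = $Ok; Detail = $Detail })
}

# 1. Az.DesktopVirtualization 5.3.0 or later carries the preview session host update cmdlets.
$mod = Get-Module -ListAvailable Az.DesktopVirtualization | Sort-Object Version -Descending | Select-Object -First 1
Add-Check 'Az.DesktopVirtualization >= 5.3.0' ([bool]($mod -and $mod.Version -ge [version]'5.3.0')) "found: $($mod.Version)"

# 2. The service principal needs Desktop Virtualization Virtual Machine Contributor on the
#    resource group; assignments inherited from the subscription are included in the result.
$sp = Get-AzADServicePrincipal -DisplayName $AvdServicePrincipalDisplayName | Select-Object -First 1
$vmRole = Get-AzRoleAssignment -ObjectId $sp.Id -ResourceGroupName $ResourceGroupName `
    -RoleDefinitionName 'Desktop Virtualization Virtual Machine Contributor'
Add-Check 'AVD SP has Desktop Virtualization Virtual Machine Contributor' ([bool]$vmRole) "scope: $($vmRole.Scope)"

# 3. Resource locks on the group (or anything in it) block the delete/recreate of session hosts.
$locks = @(Get-AzResourceLock -ResourceGroupName $ResourceGroupName)
Add-Check 'No resource locks' ($locks.Count -eq 0) "locks: $(($locks | ForEach-Object Name) -join ', ')"

# 4. Key vault: template deployment enabled, and the service principal can read secrets either
#    through the RBAC role Key Vault Secrets User or through an access policy with Get on secrets.
$kv = Get-AzKeyVault -VaultName $KeyVaultName
Add-Check 'Key vault allows template deployment' ([bool]$kv.EnabledForTemplateDeployment) $kv.VaultUri
if ($kv.EnableRbacAuthorization) {
    $kvRole = Get-AzRoleAssignment -ObjectId $sp.Id -Scope $kv.ResourceId -RoleDefinitionName 'Key Vault Secrets User'
    Add-Check 'AVD SP has Key Vault Secrets User' ([bool]$kvRole) 'RBAC permission model'
} else {
    $policy = $kv.AccessPolicies | Where-Object { $_.ObjectId -eq $sp.Id -and $_.PermissionsToSecrets -contains 'get' }
    Add-Check 'AVD SP access policy grants Get on secrets' ([bool]$policy) 'access policy permission model'
}

# 5. Domain join account rights on descendant computer objects of the session host OU.
#    GUIDs: well-known schema identifiers of the rights and of the computer object class.
Import-Module ActiveDirectory
$computerClass = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'
$required = [ordered]@{
    'Reset password'                            = [guid]'00299570-246d-11d0-a768-00aa006e0529'
    'Validated write to DNS host name'          = [guid]'72e39547-7b18-11d1-adef-00c04fd8d5cd'
    'Validated write to service principal name' = [guid]'f3a64788-5306-11d1-a9c5-0000f80367c1'
    'Read/Write account restrictions'           = [guid]'4c164200-20c0-11d0-a768-00aa006e0529'
}
$aces = (Get-Acl -Path "AD:\$SessionHostOU").Access | Where-Object {
    $_.IdentityReference.Value -eq $DomainJoinAccount -and $_.AccessControlType -eq 'Allow' -and
    ($_.InheritedObjectType -eq $computerClass -or $_.InheritedObjectType -eq [guid]::Empty)
}
foreach ($name in $required.Keys) {
    # An ACE naming the specific right, or an unrestricted ACE (ObjectType empty), satisfies the check.
    $ace = @($aces | Where-Object { $_.ObjectType -eq $required[$name] -or $_.ObjectType -eq [guid]::Empty })
    Add-Check "Join account: $name" ($ace.Count -gt 0) "matching ACEs: $($ace.Count)"
}

$results | Format-Table -AutoSize
# Non-zero exit code when any check fails, so the script can gate a scheduled update in a pipeline.
if ($results | Where-Object { -not $_.Passed }) { exit 1 }
```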

Schedule an update and edit a session host configuration

When you schedule an update, the session host configuration for the host pool is used.
You need to make changes to the session host configuration when scheduling an
update, otherwise your session hosts are redeployed with the same session host
configuration values. Any changes you make when scheduling an update are saved to
the session host configuration.

To schedule an update for your session hosts, select the relevant tab for your scenario
and follow the steps.

Important

During an update, the number of available session hosts for user sessions is
reduced and any logged on users will be asked to log off. We recommend you
schedule an update during less busy periods to minimize disruption to end
users.

If you use a custom network security group (NSG) for the session hosts you
want to update, there's a known issue where you can't start an update using
the Azure portal. To work around this issue, use Azure PowerShell to start the
update.

Azure portal

Here's how to schedule a new update for your session hosts using the Azure portal.
Tip

When you schedule an update using the Azure portal, values are populated
from the session host configuration. If this is the first update and a session
host configuration hasn't already been created, the portal shows the default
session host configuration until the session host configuration is created. Any
changes you make to the session host configuration during an update will be
saved.

If you edit the session host configuration using the Azure portal, you have to
schedule an update.

1. Sign in to the Azure portal.

2. In the search bar, enter Azure Virtual Desktop and select the matching service
entry.

3. Select Host pools, then select the host pool with a session host configuration
that you want to update.

4. Select Session hosts.

5. If you want to review the session host configuration before you schedule an
update, select Manage session host configuration, then View. Once you
review the session host configuration, select Cancel.

6. To schedule a new update, select Manage session host update, then select
New update. Alternatively, select Manage session host configuration, then
Edit.

7. On the Basics tab, complete the following information:

| Parameter | Value/Description |
|---|---|
| Enable saving original virtual machines after the update | Useful in rollback scenarios, but normal costs apply for storing the original VM's components. |
| Current host pool size (read-only) | The number of session hosts in your host pool. |
| VM batch size authorized to be removed from the host pool during the update | The maximum number of session hosts that are updated at a time. When the update starts, only one session host, known as the initial, is updated first to verify the update process before updating the remaining session hosts in batches. If the update of the initial isn't successful, the update stops. |
| Session hosts available during the update (read-only) | The minimum number of session hosts that are available for user sessions during the update. |

Once you complete this tab, select Next: Session hosts.

8. On the Session hosts tab, you can optionally update the following parameters
in your session host configuration:

| Parameter | Value/Description |
|---|---|
| Security type | Select from Standard, Trusted launch virtual machines, or Confidential virtual machines. If you select Trusted launch virtual machines, options for secure boot and vTPM are automatically selected. If you select Confidential virtual machines, options for secure boot, vTPM, and integrity monitoring are automatically selected. You can't opt out of vTPM when using a confidential VM. |
| Image | Select the OS image you want to use from the list, or select See all images to see more, including any custom images you created and stored as an Azure Compute Gallery shared image or a managed image. |
| Virtual machine size | Select a recommended SKU from the list. If you want to use a different SKU, select See all sizes, then select from the list. |
| OS disk type | Select the disk type to use for your session hosts. We recommend you use Premium SSD for production workloads. The disk type needs to be supported on the VM family and size selected. Ensure that you're selecting a combination that Azure compute supports. The OS disk of each updated session host gets a new name in the format SessionHostName-DateTime_Hash. |
| Domain to join | |
| Select which directory you would like to join | Select Active Directory, then select the key vault that contains the secrets for the username and password for the domain join account. You can optionally specify a domain name and organizational unit path. |
| Virtual Machine Administrator account | Complete the relevant parameters by selecting the key vault and secret for the username and password for the local administrator account of the updated session host VMs. The username and password must meet the requirements for Windows VMs in Azure. |
| Custom configuration | |
| Custom configuration script URL | If you want to run a PowerShell script during deployment, you can enter the URL here. |

Once you review or finish making changes to the session host configuration,
select Next: Schedule.

9. On the Schedule tab, either check the box to Schedule update now, or select
a date, time, and time zone that you want the update to start, up to a
maximum of two weeks from the current time.

Once you set your schedule, select Next: Notifications.

10. On the Notifications tab, complete the following information:

| Parameter | Value/Description |
|---|---|
| Minutes before the users are signed out | The amount of time to wait after the update start time for users to be notified to sign out. This value is configurable between 0 and 60 minutes. Users will automatically be logged off after this elapsed time. |
| Sign out message | A message you can specify to inform users that the session host they're using is about to start updating. |

Once you complete this tab, select Next: Review.


11. On the Review tab, ensure validation passes and review the information that is
used during the update.

12. Select Update to schedule the update. When you view the list of session hosts,
the column Current Version shows the timestamp of the version of the session
host configuration that the session host is using. If the Current Version
column has a warning icon, it means the timestamp of the version in the
column Target Version is later and the session host needs to be updated.

Note

The first time you schedule an update, the settings you provide overwrite the
default settings in the session host management policy. Subsequent updates
will have those parameters pre-populated and any changes are saved.

Important

Once an update has been scheduled, you can't edit the schedule or settings. If
you need to make any changes, you'll need to cancel the update and schedule
a new one.

Don't remove any VMs from the host pool while the update is ongoing. Doing
so may create issues with the ongoing update.

Don't change the drain mode of any VMs in the host pool while an update is
ongoing. The drain mode of the VMs is automatically changed based on
which stage of the update it is in. If a session host is not recoverable after an
update, its drain mode setting will be enabled. Once the update is complete,
the drain mode is reset.

It takes around 20 minutes for a session host to update. The number of
session hosts that you specify in the batch size will be updated concurrently
before moving on to the next batch. You should factor the overall completion
time into your scheduled time.

Monitor the progress of an update

Once an update begins, you can check its progress. Select the relevant tab for your
scenario and follow the steps.

Azure portal

Here's how to monitor the progress of an update using the Azure portal.

1. From the Azure Virtual Desktop overview, select Host pools, then select the
host pool you scheduled an update for.

2. Select Session hosts.

3. A blue banner provides the status of the update. It only shows a point in time,
so you need to select Refresh to check the latest progress.

If you selected to start the update immediately, the message will state that the
update is scheduled while it begins, but this message is updated once you refresh.
During an update, you see the batch size number of session hosts that are removed
from the host pool during the update.

Tip

You can also see the activity of an update using Azure Monitor activity log.

Pause, resume, cancel, or retry an update

You can pause, resume, or cancel an update that is in progress. If you pause or cancel an
update, the current activity is completed before it pauses the rest of the update. For
example, if a batch of session hosts is being updated, the update to these session hosts
completes first. The blue banner showing the status of the update changes to show how
far the update got when it paused. Once an update is paused, you can only resume it,
which continues from the point it was paused.

If you don't resume an update within two weeks, the update is canceled. Once an
update is canceled, you can't resume it.

Caution

If you cancel an update part way through, there will be differences between the
session hosts in the host pool, such as a different operating system version, or
joined to a different Active Directory domain. This may provide an inconsistent
experience to users, so you will need to schedule another update as soon as
possible to make sure there is parity across all session hosts.

Azure portal

Here's how to pause, resume, cancel, or retry an update using the Azure portal.

1. From the Azure Virtual Desktop overview, select Host pools, then select the
host pool you scheduled an update for.

2. Select Session hosts, then select Manage session host update.

3. Select Pause, Resume, Cancel, or Retry depending on the current state of the
update.

4. Select Refresh to update the status message in the blue banner. It can take
approximately 20 seconds to show the correct status.

Next steps
Learn how to use session host update diagnostics.

Find guidance to Troubleshoot session host update.


Example diagnostic queries for session
host update in Azure Virtual Desktop
Article • 10/22/2024

Important

Session host update for Azure Virtual Desktop is currently in PREVIEW. See the
Supplemental Terms of Use for Microsoft Azure Previews for legal terms that
apply to Azure features that are in beta, preview, or otherwise not yet released into
general availability.

Session host update uses Log Analytics in Azure Monitor to store information about
updates. This article has some example Kusto queries you can use with Log Analytics to
see information about session host updates.

Prerequisites
Before you can use these queries, you need:

An existing host pool with a session host configuration.

Configured diagnostic settings on each host pool you use with session host update
to send logs and metrics to a Log Analytics workspace. The categories Checkpoint,
Error, and Session Host Management Activity Logs must be enabled as a
minimum.

A session host update that was previously scheduled and run on the session hosts in
the host pool.

Diagnostic data location

Once you configure diagnostic settings on a host pool, diagnostic data for session host
update is stored in the tables WVDSessionHostManagement and WVDCheckpoints of your
Log Analytics workspace. Log entries use the existing Management activity type, which
comes from the Azure Resource Manager (ARM) provider.

The table WVDSessionHostManagement is specific to session host update and is created
once you enable the category Session Host Management Activity Logs on the
diagnostic settings for each host pool you use with session host update, and session
host update runs. If you previously configured diagnostic settings for a host pool, you
need to enable the category Session Host Management Activity Logs. For more
information, see Configure diagnostic settings to capture platform logs and metrics for
Azure Virtual Desktop.

The rest of this article has some example queries you can run. You can use them as a
basis to create your own queries. You need to run each of these queries in Log Analytics.
For more information on how to run queries, see Start Log Analytics.

Session host updates that completed successfully

This query correlates the tables WVDSessionHostManagement and WVDCheckpoints to
provide the time taken to complete an update and the median time to update a single
session host in minutes in last 30 days:

```kusto
let timeRange = ago(30d);
let succeededStatus = "Succeeded";
let hostPoolUpdateCompletedCheckpoint = "HostPoolUpdateCompleted";
let sessionHostUpdateCompletedCheckpoint = "SessionHostUpdateCompleted";
let provisioningTypeUpdate = "Update";
WVDSessionHostManagement
| where ProvisioningStatus == succeededStatus and TimeGenerated >= timeRange
    and ProvisioningType == provisioningTypeUpdate
| join kind = inner (
    // Get number of session hosts updated
    WVDCheckpoints
    | where Name == hostPoolUpdateCompletedCheckpoint
    | extend ParametersParsed = parse_json(Parameters)
    | extend SessionHostUpdateCount = ParametersParsed["SessionHostsUpdateCompleted"],
             UpdateCompletionTime = todatetime(ParametersParsed["TimeCompleted"]),
             UpdateStartTime = todatetime(ParametersParsed["TimeStarted"])
    | project CorrelationId, SessionHostUpdateCount, UpdateStartTime, UpdateCompletionTime
) on CorrelationId
| join kind = inner (
    // Get time to update individual session hosts
    WVDCheckpoints
    | where Name == sessionHostUpdateCompletedCheckpoint
    | extend ParametersParsed = parse_json(Parameters)
    | extend SessionHostUpdateTime = todecimal(ParametersParsed["TimeTakenToUpdateSessionHostInSeconds"])
    // Calculate median time to update session host
    | summarize SessionHostMedianUpdateTime = percentile(SessionHostUpdateTime, 50) by CorrelationId
) on CorrelationId
| project TimeGenerated, _SubscriptionId, _ResourceId, CorrelationId,
          UpdateStartDateTime = UpdateStartTime,
          UpdateEndDateTime = UpdateCompletionTime,
          ['UpdateDuration [InMinutes]'] = datetime_diff('minute', UpdateCompletionTime, UpdateStartTime),
          SessionHostUpdateCount,
          ['MedianSessionHostUpdateTime [InMinutes]'] = toint(SessionHostMedianUpdateTime / (60 * 1.0)),
          UpdateBatchSize = UpdateMaxVmsRemoved,
          FromSessionHostConfigVer, ToSessionHostConfigVer, UpdateDeleteOriginalVm
```

The dataset returned is as follows:

| Column | Definition |
|---|---|
| TimeGenerated | System generated event timestamp |
| _SubscriptionId | Subscription ID of a host pool |
| _ResourceId | Resource ID of a host pool |
| CorrelationId | Unique identifier assigned to every image update performed on a host pool |
| UpdateStartDateTime | Session host update start timestamp in UTC |
| UpdateEndDateTime | Session host update completion timestamp in UTC |
| UpdateDuration | Time taken to update the image of all session hosts in a host pool, in minutes |
| SessionHostUpdateCount | Number of session hosts updated |
| MedianSessionHostUpdateTime | Median time to update the image of a single session host, in minutes |
| UpdateBatchSize | Number of session hosts that were in a single batch during an update of the image |
| FromSessionHostConfigVer | Session host configuration before an update of the image |
| ToSessionHostConfigVer | Session host configuration after an update of the image |
| UpdateDeleteOriginalVm | Whether the original virtual machine was preserved after the completion of an update of the image |

Errors during a session host update

This query correlates the tables WVDSessionHostManagement and WVDErrors to provide
information you can use to troubleshoot errors during session host updates in the last
30 days:

```kusto
let timeRange = ago(30d);
let provisioningTypeUpdate = "Update";
WVDSessionHostManagement
| where ProvisioningStatus in ("Failed", "Error", "Canceled")
    and TimeGenerated >= timeRange and ProvisioningType == provisioningTypeUpdate
| summarize arg_max(TimeGenerated, _ResourceId, _SubscriptionId,
                    FromSessionHostConfigVer, ToSessionHostConfigVer) by CorrelationId
| join kind = inner (
    // Get image update errors
    WVDErrors
    | where TimeGenerated >= timeRange
    | extend IsSessionHostResourceIdAvailable = iif(Message startswith "SessionHostResourceId", 1, 0)
    | extend startIndex = iif(IsSessionHostResourceIdAvailable == 1, indexof(Message, ":") + 1, 0)
    | extend length = iif(IsSessionHostResourceIdAvailable == 1, indexof(Message, ";") - startIndex, 0)
    // Get Session host ResourceId when available
    | extend SessionHostResourceId = iif(IsSessionHostResourceIdAvailable == 1,
                                         substring(Message, startIndex, length), "")
    | project TimeGenerated, CorrelationId, SessionHostResourceId, CodeSymbolic, Message
) on CorrelationId
| project TimeGenerated, _SubscriptionId, _ResourceId, CorrelationId,
          CodeSymbolic, SessionHostResourceId, Message,
          FromSessionHostConfigVer, ToSessionHostConfigVer
```

The dataset returned is as follows:

| Column | Definition |
|---|---|
| TimeGenerated | System generated event timestamp |
| _SubscriptionId | Subscription ID of a host pool |
| _ResourceId | Resource ID of a host pool |
| CorrelationId | Unique identifier assigned to every image update performed on a host pool |
| CodeSymbolic | Error code |
| SessionHostResourceId | Resource ID of a session host, if applicable |
| Message | Error information |
| FromSessionHostConfigVer | Session host configuration version before an image update |
| ToSessionHostConfigVer | Session host configuration version to which session hosts were updated where the update process failed |
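Running the error query by hand in Log Analytics works for a single incident; for recurring reporting it is more useful to run it from Azure PowerShell and fold the rows into one line per error code and host pool. The script below is an added example, not code from the documentation or from Microsoft. It uses the same join and the same `SessionHostResourceId` extraction from `Message` as the query above, trimmed to the columns the summary needs, and assumes the Az.OperationalInsights module, a `Connect-AzAccount` session, and that `$WorkspaceId` is the workspace ID of the Log Analytics workspace your host pool diagnostic settings send to (a placeholder).

```powershell
# Added example (not from the Azure Virtual Desktop documentation): run the session host
# update error query from Azure PowerShell and summarise it per error code and host pool.
# Assumes Az.OperationalInsights, a Connect-AzAccount session, and a placeholder workspace ID.
param(
    [Parameter(Mandatory)] [string] $WorkspaceId,   # Log Analytics workspace ID (placeholder)
    [int] $Days = 30
)

# Same correlation of WVDSessionHostManagement with WVDErrors as the documented query; the
# session host resource ID is cut out of Message when it starts with "SessionHostResourceId:".
$query = @"
let timeRange = ago(${Days}d);
WVDSessionHostManagement
| where ProvisioningStatus in ("Failed", "Error", "Canceled")
    and TimeGenerated >= timeRange and ProvisioningType == "Update"
| summarize arg_max(TimeGenerated, _ResourceId, FromSessionHostConfigVer, ToSessionHostConfigVer) by CorrelationId
| join kind = inner (
    WVDErrors
    | where TimeGenerated >= timeRange
    | extend SessionHostResourceId = iif(Message startswith "SessionHostResourceId",
        substring(Message, indexof(Message, ":") + 1, indexof(Message, ";") - indexof(Message, ":") - 1), "")
    | project TimeGenerated, CorrelationId, SessionHostResourceId, CodeSymbolic, Message
) on CorrelationId
| project TimeGenerated, _ResourceId, CorrelationId, CodeSymbolic, SessionHostResourceId, Message
"@

$response = Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId -Query $query `
    -Timespan ([TimeSpan]::FromDays($Days))
$rows = @($response.Results)

# One line per error code and host pool, listing the distinct session hosts that hit it.
# The same code repeated across most hosts of a batch (for example AgentRegistrationFailureGeneric,
# from the known issues list) points at a retry of the update rather than at a single host.
$summary = $rows | Group-Object CodeSymbolic, _ResourceId | ForEach-Object {
    $ordered = $_.Group | Sort-Object TimeGenerated
    [pscustomobject]@{
        ErrorCode    = $_.Group[0].CodeSymbolic
        HostPool     = ($_.Group[0]._ResourceId -split '/')[-1]
        Updates      = @($_.Group.CorrelationId | Sort-Object -Unique).Count
        SessionHosts = (@($_.Group.SessionHostResourceId | Where-Object { $_ } | Sort-Object -Unique |
                          ForEach-Object { ($_ -split '/')[-1] })) -join ', '
        FirstSeen    = $ordered[0].TimeGenerated
        LastMessage  = $ordered[-1].Message
    }
}

$summary | Sort-Object ErrorCode, HostPool | Format-Table -AutoSize -Wrap
```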

Session host updates canceled by an administrator before the scheduled time

This query correlates the tables WVDSessionHostManagement and WVDCheckpoints to
provide session host updates that were scheduled, but then canceled by an
administrator before they started, in the last 30 days:

```kusto
let timeRange = ago(30d);
let canceledStatus = "Canceled";
let scheduledStatus = "Scheduled";
let hostPoolUpdateCanceledCheckpoint = "HostPoolUpdateCanceled";
let provisioningTypeUpdate = "Update";
WVDSessionHostManagement
| where ProvisioningStatus == canceledStatus and TimeGenerated >= timeRange
    and ProvisioningType == provisioningTypeUpdate
| join kind = inner (
    WVDCheckpoints
    | where Name == hostPoolUpdateCanceledCheckpoint
    | project TimeGenerated, CorrelationId, Name, Parameters
    | extend ParametersParsed = parse_json(Parameters)
    | extend StateFrom = tostring(ParametersParsed["StateFrom"]),
             StateTo = tostring(ParametersParsed["StateTo"]),
             CanceledTime = todatetime(ParametersParsed["TimeCanceled"])
    | where StateFrom == scheduledStatus and StateTo == canceledStatus
) on CorrelationId
| project TimeGenerated, _SubscriptionId, _ResourceId, CorrelationId,
          ScheduledDateTime = todatetime(ScheduledDateTime),
          CanceledDateTime = CanceledTime,
          UpdateBatchSize = UpdateMaxVmsRemoved
```

The dataset returned is as follows:

| Column | Definition |
|---|---|
| TimeGenerated | System generated event timestamp |
| _SubscriptionId | Subscription ID of a host pool |
| _ResourceId | Resource ID of a host pool |
| CorrelationId | Unique identifier assigned to every update of the image of a host pool |
| ScheduledDateTime | Session host update scheduled time in UTC |
| CanceledDateTime | Time in UTC when an update of the image was canceled by an administrator |
| UpdateBatchSize | Number of session hosts that were in a single batch during an update of the image |

Session host updates that were in progress or failed, then later canceled by an administrator

This query correlates the tables WVDSessionHostManagement and WVDCheckpoints to
provide session host updates that were in progress or failed, then later canceled by an
administrator in the last 30 days:

```kusto
let timeRange = ago(30d);
let canceledStatus = "Canceled";
let scheduledStatus = "Scheduled";
let hostPoolUpdateCanceledCheckpoint = "HostPoolUpdateCanceled";
let provisioningTypeUpdate = "Update";
WVDSessionHostManagement
| where ProvisioningStatus == canceledStatus and TimeGenerated >= timeRange
    and ProvisioningType == provisioningTypeUpdate
| join kind = inner (
    WVDCheckpoints
    | where Name == hostPoolUpdateCanceledCheckpoint
    | project TimeGenerated, CorrelationId, Name, Parameters
    | extend ParametersParsed = parse_json(Parameters)
    | extend StateFrom = tostring(ParametersParsed["StateFrom"]),
             StateTo = tostring(ParametersParsed["StateTo"]),
             CanceledTime = todatetime(ParametersParsed["TimeCanceled"]),
             TotalSessionHostsInHostPool = toint(ParametersParsed["TotalSessionHostsInHostPool"]),
             SessionHostUpdateCount = ParametersParsed["SessionHostsUpdateCompleted"]
    | where StateFrom != scheduledStatus and StateTo == canceledStatus
) on CorrelationId
| project TimeGenerated, _SubscriptionId, _ResourceId, CorrelationId,
          ScheduledDateTime = todatetime(ScheduledDateTime),
          CanceledDateTime = CanceledTime,
          TotalSessionHostsInHostPool, SessionHostUpdateCount,
          UpdateBatchSize = UpdateMaxVmsRemoved
```

The dataset returned is as follows:

| Column | Definition |
|---|---|
| TimeGenerated | System generated event timestamp |
| _SubscriptionId | Subscription ID of a host pool |
| _ResourceId | Resource ID of a host pool |
| CorrelationId | Unique identifier assigned to every update of the session host of a host pool |
| ScheduledDateTime | Session host update scheduled time in UTC |
| CanceledDateTime | Time in UTC when an administrator canceled an update of the session host |
| TotalSessionHostsInHostPool | Total number of session hosts in a host pool |
| SessionHostUpdateCount | Number of session hosts that were updated before canceling a session host update |
| UpdateBatchSize | Number of session hosts in a single batch during an update of the session host |

Status of every session host update

This query correlates the tables WVDSessionHostManagement and WVDCheckpoints to
provide the latest status of every session host update in the last 30 days:

```kusto
let timeRange = ago(30d);
let sessionHostUpdateCompletedCheckpoint = "SessionHostUpdateCompleted";
let provisioningTypeUpdate = "Update";
WVDSessionHostManagement
| where TimeGenerated >= timeRange and ProvisioningType == provisioningTypeUpdate
| join kind = leftouter (
    // Get number of session hosts updated if available
    WVDCheckpoints
    | where Name == sessionHostUpdateCompletedCheckpoint
    | summarize SessionHostUpdateCount = count() by CorrelationId
) on CorrelationId
| summarize arg_max(TimeGenerated, _SubscriptionId, _ResourceId, ScheduledDateTime,
                    UpdateMaxVmsRemoved, SessionHostUpdateCount, ProvisioningStatus) by CorrelationId
| project TimeGenerated, _SubscriptionId, _ResourceId, CorrelationId, ProvisioningStatus,
          ScheduledDateTime = todatetime(ScheduledDateTime),
          UpdateBatchSize = UpdateMaxVmsRemoved,
          SessionHostUpdateCount = iif(isempty(SessionHostUpdateCount), 0, SessionHostUpdateCount)
```

The dataset returned is as follows:

| Column | Definition |
|---|---|
| TimeGenerated | System generated event timestamp |
| _SubscriptionId | Subscription ID for a host pool |
| _ResourceId | Resource ID of a host pool |
| CorrelationId | Unique identifier assigned to every update of the image of a host pool |
| ProvisioningStatus | Current status of an update of the image of a host pool |
| ScheduledDateTime | Session host update scheduled time in UTC |
| UpdateBatchSize | Number of session hosts in a single batch during an update of the image |
| SessionHostUpdateCount | Number of session hosts that were updated |

Next steps
For troubleshooting guidance for session host update, see Troubleshoot session host update.


Autoscale scaling plans and example scenarios in Azure Virtual Desktop
Article • 10/01/2024

Autoscale lets you scale your session host virtual machines (VMs) in a host pool up or
down according to schedule to optimize deployment costs.

Note

- Azure Virtual Desktop (classic) doesn't support autoscale.
- You can't use autoscale and scale session hosts using Azure Automation on the same host pool. You must use one or the other.
- Autoscale is available in Azure and Azure Government in the same regions you can create host pools in.
- Autoscale support for Azure Stack HCI with Azure Virtual Desktop is currently in PREVIEW. See the Supplemental Terms of Use for Microsoft Azure Previews for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

For best results, we recommend using autoscale with VMs you deployed with Azure
Virtual Desktop Azure Resource Manager (ARM) templates or first-party tools from
Microsoft.

How a scaling plan works

Before you create your plan, keep the following things in mind:

- You can assign one scaling plan to one or more host pools of the same host pool type. The scaling plan's schedules are applied to all assigned host pools.
- You can only associate one scaling plan per host pool. If you assign a single scaling plan to multiple host pools, those host pools can't be assigned to another scaling plan.
- Hibernate is available for personal host pools. For more information, view Hibernation in virtual machines.
- A scaling plan can only operate in its configured time zone.
- A scaling plan can have one or multiple schedules. For example, different schedules during weekdays versus the weekend.
- Make sure you understand usage patterns before defining your schedule. You'll need to schedule around the following times of day:
  - Ramp-up: the start of the day, when usage picks up.
  - Peak hours: the time of day when usage is expected to be at its highest.
  - Ramp-down: when usage tapers off. This is usually when you shut down your VMs to save costs.
  - Off-peak hours: the time of the day when usage is expected to be at its lowest.
- The scaling plan takes effect as soon as you enable it.

Also, keep these limitations in mind:

- Don't use autoscale in combination with other Microsoft or third-party scaling tools. Make sure you disable those tools for the host pools you apply scaling plans to.
- For pooled host pools, autoscale overwrites drain mode, so use exclusion tags when updating VMs in host pools.
- For pooled host pools, autoscale ignores the existing load-balancing algorithm in your host pool settings, and instead applies load balancing based on your schedule configuration.

Example scenarios for autoscale for pooled host pools
In this section, there are four scenarios that show how different parts of autoscale for
pooled host pools work. In each example, there are tables that show the host pool's
settings and animated visual demonstrations.

Note

To learn more about what the parameter terms mean, see our autoscale glossary.

Scenario 1: When does autoscale turn virtual machines on?
In this scenario, we'll demonstrate that autoscale can turn on session host virtual
machines (VMs) in any phase of the scaling plan schedule when the used host pool
capacity exceeds the capacity threshold.

For example, let's look at the following host pool setup as described in this table:

| Parameter | Value |
|---|---|
| Phase | Ramp-up |
| Total session hosts | 6 |
| Load balancing algorithm | Breadth-first |
| Capacity threshold | 30% |
| Minimum percentage of hosts | 30% |
| Available session hosts | 2 |
| Maximum session limit | 5 |
| Available host pool capacity | 10 |
| User sessions | 0 |
| Used host pool capacity | 0% |

At the beginning of this phase, autoscale has turned on two session hosts to match the
minimum percentage of hosts. Although 30% of six isn't a whole number, autoscale
rounds up to the nearest whole number. Having two available session hosts and a
maximum session limit of five sessions per host means that this host pool has an
available host pool capacity of 10. Since there aren't currently any user sessions, the
used host pool capacity is 0%.

When the day begins, let's say three users sign in and start user sessions. Their user
sessions get evenly distributed across the two available session hosts since the load
balancing algorithm is breadth first. The available host pool capacity is still 10, but with
the three new user sessions, the used host pool capacity is now 30%. However,
autoscale won't turn on virtual machines (VMs) until the used host pool capacity is
greater than the capacity threshold. In this example, the capacity threshold is 30%, so
autoscale won't turn on any VMs yet.

At this point, the host pool's parameters look like this:


| Parameter | Value |
|---|---|
| Phase | Ramp-up |
| Total session hosts | 6 |
| Load balancing algorithm | Breadth-first |
| Capacity threshold | 30% |
| Minimum percentage of hosts | 30% |
| Available session hosts | 2 |
| Maximum session limit | 5 |
| Available host pool capacity | 10 |
| User sessions | 3 |
| Used host pool capacity | 30% |

When another user signs in and starts a session, there are now four total users sessions
distributed across two session hosts. The used host pool capacity is now 40%, which is
greater than the capacity threshold. As a result, autoscale will turn on another session
host to bring the used host pool capacity to less than or equal to the capacity threshold
(30%).

In summary, here are the parameters when the used host pool capacity exceeds the
capacity threshold:

| Parameter | Value |
|---|---|
| Phase | Ramp-up |
| Total session hosts | 6 |
| Load balancing algorithm | Breadth-first |
| Capacity threshold | 30% |
| Minimum percentage of hosts | 30% |
| Available session hosts | 2 |
| Maximum session limit | 5 |
| Available host pool capacity | 10 |
| User sessions | 4 |
| Used host pool capacity | 40% |

Here are the parameters after autoscale turns on another session host:

| Parameter | Value |
|---|---|
| Phase | Ramp-up |
| Total session hosts | 6 |
| Load balancing algorithm | Breadth-first |
| Capacity threshold | 30% |
| Minimum percentage of hosts | 30% |
| Available session hosts | 3 |
| Maximum session limit | 5 |
| Available host pool capacity | 15 |
| User sessions | 4 |
| Used host pool capacity | 27% |

Turning on another session host means there are now three available session hosts in
the host pool. With the maximum session limit still being five, the available host pool
capacity has gone up to 15. Because the available host pool capacity increased, the used
host pool capacity has gone down to 27%, which is below the 30% capacity threshold.

When another user signs in, there are now five user sessions spread across three
available session hosts. The used host pool capacity is now 33%, which is over the 30%
capacity threshold. Exceeding the capacity threshold activates autoscale to turn on
another session host.

Since our example is in the ramp-up phase, new users are likely to keep signing in. As
more users arrive, the pattern becomes clearer:

| Total user sessions | Number of available session hosts | Available host pool capacity | Capacity threshold | Used host pool capacity | Does autoscale turn on another session host? |
|---|---|---|---|---|---|
| 5 | 3 | 15 | 30% | 33% | Yes |
| 5 | 4 | 20 | 30% | 25% | No |
| 6 | 4 | 20 | 30% | 30% | No |
| 7 | 4 | 20 | 30% | 35% | Yes |
| 7 | 5 | 25 | 30% | 28% | No |

As this table shows, autoscale only turns on new session hosts when the used host pool
capacity goes over the capacity threshold. If the used host pool capacity is at or below
the capacity threshold, autoscale won't turn on new session hosts.

The following animation is a visual recap of what we just went over in Scenario 1.

Scenario 2: When does autoscale turn virtual machines off?
In this scenario, we'll show that autoscale turns off session hosts when all of the
following things are true:

- The used host pool capacity is below the capacity threshold.
- Autoscale can turn off session hosts without exceeding the capacity threshold.
- Autoscale only turns off session hosts with no user sessions on them (unless the scaling plan is in the ramp-down phase and you've enabled the force logoff setting).
- Pooled autoscale won't turn off session hosts in the ramp-up phase, to avoid a bad user experience.

For this scenario, the host pool starts off looking like this:

| Parameter | Value |
|---|---|
| Phase | Peak |
| Total session hosts | 6 |
| Load balancing algorithm | Breadth-first |
| Capacity threshold | 30% |
| Minimum percentage of hosts | 30% |
| Available session hosts | 5 |
| Maximum session limit | 5 |
| Available host pool capacity | 25 |
| User sessions | 7 |
| Used host pool capacity | 28% |

Because we're in the peak phase, we can expect the number of users to remain relatively
stable. However, to keep the amount of resources used stable while also remaining
efficient, autoscale will turn session hosts on and off as needed.

So, let's say that there are seven users signed in during peak hours. If the total number
of user sessions is seven, that would make the used host pool capacity 28%. Because
autoscale can't turn off a session host without the used host pool capacity exceeding
the capacity threshold, autoscale won't turn off any session hosts yet.

If two of the seven users sign out during their lunch break, that leaves five user sessions
across five session hosts. Since the maximum session limit is still five, the available host
pool capacity is 25. Having only five users means that the used host pool capacity is now
20%. Autoscale must now check if it can turn off a session host without making the used
host pool capacity go above the capacity threshold.

If autoscale turned off a session host, the available host pool capacity would be 20. With
five users, the used host pool capacity would then be 25%. Because 25% is less than the
capacity threshold of 30%, autoscale will select a session host without user sessions on
it, put it in drain mode, and turn it off.

Once autoscale turns off one of the session hosts without user sessions, there are four
available session hosts left. The host pool maximum session limit is still five, so the
available host pool capacity is 20. Since there are five user sessions, the used host pool
capacity is 25%, which is still below the capacity threshold.

However, if another user signs out and heads out for lunch, there are now four user
sessions spread across the four session hosts in the host pool. Since the maximum
session limit is still five, the available host pool capacity is 20, and the used host pool
capacity is 20%. Turning off another session host would leave three session hosts and an
available host pool capacity of 15, which would bring the used host pool capacity up to
around 27%. Even though 27% is below the capacity threshold, there are no session hosts
with zero user sessions on them. Autoscale will select the session host with the fewest
user sessions, put it in drain mode, and wait for all user sessions to sign out before
turning it off. If at any point the used host pool capacity gets to a point where autoscale
can no longer turn off the session host, it will take the session host out of drain mode.

The following animation is a visual recap of what we just went over in Scenario 2.

Scenario 3: When does autoscale force users to sign out?
Autoscale only forces users to sign out if you've enabled the force logoff setting during
the ramp-down phase of your scaling plan schedule. The force logoff setting won't sign
out users during any other phase of the scaling plan schedule.
For example, let's look at a host pool with the following parameters:

| Parameter | Value |
|---|---|
| Phase | Ramp-down |
| Total session hosts | 6 |
| Load balancing algorithm | Depth-first |
| Capacity threshold | 75% |
| Minimum percentage of hosts | 10% |
| Available session hosts | 4 |
| Maximum session limit | 5 |
| Available host pool capacity | 20 |
| User sessions | 4 |
| Used host pool capacity | 20% |

During the ramp-down phase, the host pool admin has set the capacity threshold to
75% and the minimum percentage of hosts to 10%. Having a high capacity threshold
and a low minimum percentage of hosts in this phase decreases the need to turn on
new session hosts at the end of the workday.

For this scenario, let's say that there are currently four users on the four available session
hosts in this host pool. Since the available host pool capacity is 20, that means the used
host pool capacity is 20%. Based on this information, autoscale detects that it can turn
off two session hosts without going over the capacity threshold of 75%. However, since
there are user sessions on all the session hosts in the host pool, in order to turn off two
session hosts, autoscale will need to force users to sign out.

When you've enabled the force logoff setting, autoscale will select the session hosts
with the fewest user sessions, then put the session hosts in drain mode. Autoscale then
sends users in the selected session hosts notifications that they're going to be forcibly
signed out of their sessions after a certain time. Once that time has passed, if the users
haven't already ended their sessions, autoscale will forcibly end their sessions for them.
In this scenario, since there are equal numbers of user sessions on each of the session
hosts in the host pool, autoscale will choose two session hosts at random to forcibly
sign out all their users and will then turn off the session hosts.
Once autoscale turns off the two session hosts, the available host pool capacity is now
10. Now that there are only two user sessions left, the used host pool capacity is 20%, as
shown in the following table.

| Parameter | Value |
|---|---|
| Phase | Ramp-down |
| Total session hosts | 6 |
| Load balancing algorithm | Depth-first |
| Capacity threshold | 75% |
| Minimum percentage of hosts | 10% |
| Available session hosts | 2 |
| Maximum session limit | 5 |
| Available host pool capacity | 10 |
| User sessions | 2 |
| Used host pool capacity | 20% |

Now, let's say that the two users who were forced to sign out want to continue doing
work and sign back in. Since the available host pool capacity is still 10, the used host
pool capacity is now 40%, which is below the capacity threshold of 75%. However,
autoscale can't turn off more session hosts, because that would leave only one available
session host and an available host pool capacity of five. With four users, that would
make the used host pool capacity 80%, which is above the capacity threshold.

So now the parameters look like this:

| Parameter | Value |
|---|---|
| Phase | Ramp-down |
| Total session hosts | 6 |
| Load balancing algorithm | Depth-first |
| Capacity threshold | 75% |
| Minimum percentage of hosts | 10% |
| Available session hosts | 2 |
| Maximum session limit | 5 |
| Available host pool capacity | 10 |
| User sessions | 4 |
| Used host pool capacity | 40% |

If at this point another user signs out, that leaves only three user sessions distributed
across the two available session hosts. In other words, the host pool now looks like this:

| Parameter | Value |
|---|---|
| Phase | Ramp-down |
| Total session hosts | 6 |
| Load balancing algorithm | Depth-first |
| Capacity threshold | 75% |
| Minimum percentage of hosts | 10% |
| Available session hosts | 2 |
| Maximum session limit | 5 |
| Available host pool capacity | 10 |
| User sessions | 3 |
| Used host pool capacity | 30% |

Because the maximum session limit is still five and the available host pool capacity is 10,
the used host pool capacity is now 30%. Autoscale can now turn off one session host
without exceeding the capacity threshold. Autoscale turns off a session host by
choosing the session host with the fewest number of user sessions on it. Autoscale then
puts the session host in drain mode, sends users a notification that says the session host
will be turned off, then after a set amount of time, forcibly signs any remaining users out
and turns it off. After doing so, there's now one remaining available session host in the
host pool with a maximum session limit of five, making the available host pool capacity
five.

Since autoscale forced a user to sign out when turning off the chosen session host, there
are now only two user sessions left, which makes the used host pool capacity 40%.

To recap, here's what the host pool looks like now:

| Parameter | Value |
|---|---|
| Phase | Ramp-down |
| Total session hosts | 6 |
| Load balancing algorithm | Depth-first |
| Capacity threshold | 75% |
| Minimum percentage of hosts | 10% |
| Available session hosts | 1 |
| Maximum session limit | 5 |
| Available host pool capacity | 5 |
| User sessions | 2 |
| Used host pool capacity | 40% |

After that, let's imagine that the user who was forced to sign out signs back in, making
the host pool look like this:

| Parameter | Value |
|---|---|
| Phase | Ramp-down |
| Total session hosts | 6 |
| Load balancing algorithm | Depth-first |
| Capacity threshold | 75% |
| Minimum percentage of hosts | 10% |
| Available session hosts | 1 |
| Maximum session limit | 5 |
| Available host pool capacity | 5 |
| User sessions | 3 |
| Used host pool capacity | 60% |

Now there are three user sessions in the host pool. However, the available host pool
capacity is still five, which means the used host pool capacity is 60% and below the
capacity threshold. Turning off the remaining session host would leave no available
session hosts at all, which is below the 10% minimum percentage of hosts, so autoscale
ensures that there's always at least one available session host during the ramp-down
phase.

The following animation is a visual recap of what we just went over in Scenario 3.

Scenario 4: How do exclusion tags work?
When a virtual machine has a tag name that matches the scaling plan exclusion tag,
autoscale won't turn it on, off, or change its drain mode setting. Exclusion tags are
applicable in all phases of your scaling plan schedule.

Here's the example host pool we're starting with:

| Parameter | Value |
|---|---|
| Phase | Off-peak |
| Total session hosts | 6 |
| Load balancing algorithm | Breadth-first |
| Capacity threshold | 75% |
| Minimum percentage of hosts | 10% |
| Available session hosts | 1 |
| Maximum session limit | 5 |
| Available host pool capacity | 5 |
| User sessions | 3 |
| Used host pool capacity | 60% |

In this example scenario, the host pool admin applies the scaling plan exclusion tag to
five out of the six session hosts. When a new user signs in, that brings the total number
of user sessions up to four. There's only one available session host and the host pool's
maximum session limit is still five, so the available host pool capacity is five. The used
host pool capacity is 80%. However, even though the used host pool capacity is greater
than the capacity threshold, autoscale won't turn on any other session hosts because all
of the session hosts except for the one currently running have been tagged with the
exclusion tag.

So, now the host pool looks like this:

| Parameter | Value |
|---|---|
| Phase | Off-peak |
| Total session hosts | 6 |
| Load balancing algorithm | Breadth-first |
| Capacity threshold | 75% |
| Minimum percentage of hosts | 10% |
| Available session hosts | 1 |
| Maximum session limit | 5 |
| Available host pool capacity | 5 |
| User sessions | 4 |
| Used host pool capacity | 80% |

Next, let's say all four users have signed out, leaving no user sessions left on the
available session host. Because there are no user sessions in the host pool, the used host
pool capacity is 0. Autoscale will keep this single session host on despite it having no
users, because during the off-peak phase, autoscale's minimum percentage of hosts
setting dictates that it needs to keep at least one session host available during this
phase.

To summarize, the host pool now looks like this:

| Parameter | Value |
|---|---|
| Phase | Off-peak |
| Total session hosts | 6 |
| Load balancing algorithm | Breadth-first |
| Capacity threshold | 75% |
| Minimum percentage of hosts | 10% |
| Available session hosts | 1 |
| Maximum session limit | 5 |
| Available host pool capacity | 5 |
| User sessions | 0 |
| Used host pool capacity | 0% |

If the admin applies the exclusion tag name to the last untagged session host virtual
machine and turns it off, then that means even if other users try to sign in, autoscale
won't be able to turn on a VM to accommodate their user session. That user will see a
"No resources available" error.

However, being unable to turn VMs back on means that the host pool won't be able to
meet its minimum percentage of hosts. To fix any potential problems that causes, the
admin removes the exclusion tags from two of the VMs. Autoscale only turns on one of
the VMs, because it only needs one VM to meet the 10% minimum requirement.

So, finally, the host pool will look like this:

| Parameter | Value |
|---|---|
| Phase | Off-peak |
| Total session hosts | 6 |
| Load balancing algorithm | Breadth-first |
| Capacity threshold | 75% |
| Minimum percentage of hosts | 10% |
| Available session hosts | 1 |
| Maximum session limit | 5 |
| Available host pool capacity | 5 |
| User sessions | 0 |
| Used host pool capacity | 0% |

The following animation is a visual recap of what we just went over in Scenario 4.
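The arithmetic the four scenarios walk through can be checked without a host pool. The following Python model is an added example for this page, not Microsoft's autoscale implementation: it encodes only the rules stated above (used capacity against the capacity threshold, minimum percentage of hosts rounded up, no turn-off during ramp-up, forced sign-out only during ramp-down with the setting enabled, exclusion tags blocking turn-on) and recomputes the percentages in the scenario tables, including the pattern table from scenario 1. The HostPool class, its method names and the action strings it returns are assumptions made for illustration; timing, batching of evaluations and which host is chosen when several are tied are not modelled.

```python
"""Model of the autoscale rules from scenarios 1 to 4 (added example, not Microsoft code).
Only rules stated on the page are encoded; timing, batching and tie-breaking are not."""
import math
from dataclasses import dataclass, field


@dataclass
class HostPool:
    total_hosts: int
    max_session_limit: int
    capacity_threshold: float             # 0.30 means 30%
    min_percent_hosts: float              # 0.30 means 30%
    phase: str                            # "ramp-up", "peak", "ramp-down" or "off-peak"
    load_balancing: str = "breadth-first"
    force_logoff: bool = False
    excluded_off: int = 0                 # powered-off VMs carrying the exclusion tag
    hosts: list = field(default_factory=list)  # sessions on each powered-on host

    @property
    def available_hosts(self) -> int:
        return len(self.hosts)

    @property
    def sessions(self) -> int:
        return sum(self.hosts)

    def min_hosts(self) -> int:
        # 30% of 6 hosts is 1.8; the page says autoscale rounds up, so 2.
        return math.ceil(self.total_hosts * self.min_percent_hosts)

    def available_capacity(self) -> int:
        return self.available_hosts * self.max_session_limit

    def used_capacity(self) -> float:
        cap = self.available_capacity()
        return self.sessions / cap if cap else 0.0

    def untagged_off_hosts(self) -> int:       # hosts autoscale is allowed to turn on
        return self.total_hosts - self.excluded_off - self.available_hosts

    def add_session(self) -> None:
        """Place one new session according to the load-balancing algorithm."""
        free = [i for i, s in enumerate(self.hosts) if s < self.max_session_limit]
        if not free:
            raise RuntimeError("No resources available")  # the error the user sees
        pick = min if self.load_balancing == "breadth-first" else max
        self.hosts[pick(free, key=lambda i: self.hosts[i])] += 1

    def turn_on(self) -> None:
        if self.untagged_off_hosts() <= 0:
            raise RuntimeError("every powered-off host carries the exclusion tag")
        self.hosts.append(0)

    def removable_hosts(self) -> int:
        """Hosts that could be turned off without exceeding the threshold or the minimum."""
        n = 0
        while True:
            remaining = self.available_hosts - n - 1
            if remaining < self.min_hosts():
                return n
            if remaining == 0:                  # reachable only with a 0% minimum
                return n + 1 if self.sessions == 0 else n
            if self.sessions / (remaining * self.max_session_limit) > self.capacity_threshold:
                return n
            n += 1

    def evaluate(self) -> str:
        """One scaling evaluation; returns the action autoscale would take now."""
        if (self.available_hosts < self.min_hosts()
                or self.used_capacity() > self.capacity_threshold):  # equal: nothing
            if self.untagged_off_hosts() > 0:
                return "turn on"
            return "blocked: remaining hosts carry the exclusion tag"
        if self.phase == "ramp-up":
            return "no action (no turn-off during ramp-up)"
        if self.removable_hosts() == 0:
            return "no action"
        if 0 in self.hosts:
            return "turn off a host with no sessions"
        if self.phase == "ramp-down" and self.force_logoff:
            return "drain, notify, force sign-out, turn off"
        return "drain the host with fewest sessions and wait"

    def snapshot(self) -> tuple:  # (sessions, hosts, capacity, used %, turns on another?)
        return (self.sessions, self.available_hosts, self.available_capacity(),
                round(self.used_capacity() * 100), self.evaluate() == "turn on")


def ramp_up_walkthrough(pool: HostPool, arrivals: int) -> list:
    """Sign in users one at a time, applying turn-ons as they fire (scenario 1 table)."""
    rows = []
    for _ in range(arrivals):
        pool.add_session()
        rows.append(pool.snapshot())
        while pool.evaluate() == "turn on":
            pool.turn_on()
            rows.append(pool.snapshot())
    return rows
```

`ramp_up_walkthrough(HostPool(total_hosts=6, max_session_limit=5, capacity_threshold=0.30, min_percent_hosts=0.30, phase="ramp-up", hosts=[0, 0]), 7)` returns the rows of the scenario 1 pattern table, with the 6-session, 30% row correctly producing no action because only capacity strictly above the threshold triggers a turn-on. Setting `min_percent_hosts=0.0` with no sessions lets `removable_hosts()` reach every host, which is the one condition under which autoscale turns off all VMs in a pool.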

Next steps
To learn how to create scaling plans for autoscale, see Create autoscale scaling for Azure Virtual Desktop host pools.
To review terms associated with autoscale, see the autoscale glossary.
For answers to commonly asked questions about autoscale, see the autoscale FAQ.


Autoscale glossary for Azure Virtual Desktop
Article • 11/15/2023

This article is a list of definitions for key terms and concepts related to the autoscale
feature for Azure Virtual Desktop.

Autoscale
Autoscale is Azure Virtual Desktop’s native scaling service that turns VMs on and off
based on the capacity of the host pools and the scaling plan schedule you define.

Scaling tool
Azure Virtual Desktop’s scaling tool uses Azure Automation and Azure Logic Apps to
scale the VMs in a host pool based on how many user sessions per CPU core there are
during peak and off-peak hours.

Scaling plan
A scaling plan is an Azure Virtual Desktop Azure Resource Manager object that defines
the schedules for scaling session hosts in a host pool. You can assign one scaling plan to
multiple host pools. When creating a scaling plan, you have to choose between pooled
or personal host pools. You can only assign the scaling plan to the host pools with the
same type (pooled or personal). The scaling plan type can't be changed after it is
created.

Schedule
Schedules are sub-resources of scaling plans. Scaling plans for pooled host pools have
schedules that specify the start time, capacity threshold, minimum percentage of hosts,
load-balancing algorithm, and other configuration settings for the different phases of
the day. Scaling plans for personal host pools have schedules that specify the start time
and what operation to perform based on user session state (signed out or disconnected)
for the different phases of the day.

Ramp-up
The ramp-up phase of a scaling plan schedule is usually at the beginning of the work
day, when users start to sign in and start their sessions. In this phase, the number of
active user sessions usually increases at a rapid pace without reaching the maximum
number of active sessions for the day yet.

Peak
The peak phase of a scaling plan schedule is when your host pool reaches the maximum
number of active user sessions for the day. In this phase, the number of active sessions
usually holds steady until the peak phase ends. New active user sessions can be
established during this phase, but usually at a slower rate than the ramp-up phase.

Ramp-down
The ramp-down phase of a scaling plan schedule is usually at the end of the work day,
when users start to sign out and end their sessions for the evening. In this phase, the
number of active user sessions usually decreases rapidly.

Off-peak
The off-peak phase of the scaling plan schedule is when the host pool usually reaches
the minimum number of active user sessions for the day. During this phase, there aren't
usually many active users, but you may keep a small amount of resources on to
accommodate users who work after the peak and ramp-down phases.

Available session host
Available session hosts are session hosts that have passed all Azure Virtual Desktop
agent health checks and have VM objects that are powered on, making them available
for users to establish user sessions on.

Capacity threshold
The capacity threshold is the percentage of a host pool's capacity that, when reached,
triggers a scaling action to happen.

For example:

If the used host pool capacity is below the capacity threshold and autoscale can
turn off virtual machines (VMs) without going over the capacity threshold, then the
feature will turn off the VMs.
If the used host pool capacity goes over the capacity threshold, then autoscale will
turn on more VMs until the used host pool capacity goes below the capacity
threshold.

Available host pool capacity
Available host pool capacity is how many user sessions a host pool can host based on
the number of available session hosts. The available host pool capacity is the host pool's
maximum session limit multiplied by the number of available session hosts in the host
pool.

In other words:

Host pool maximum session limit × number of available session hosts = available host
pool capacity.

Used host pool capacity
The used host pool capacity is the amount of host pool capacity that's currently taken
up by active and disconnected user sessions.

In other words:

The number of active and disconnected user sessions ÷ the available host pool capacity = used
host pool capacity.

Scaling action
Scaling actions are when autoscale turns VMs on or off.

Shut down
Autoscale for pooled and personal host pools shuts down VMs based on the defined
schedule. When autoscale shuts down a VM, it deallocates and stops the VM, ensuring
you aren't charged for the compute resources.

Minimum percentage of hosts
The minimum percentage of hosts is the lowest percentage of all session hosts in the
host pool that must be turned on for each phase of the scaling plan schedule.

Active user session
A user session is considered "active" when the user signs in and connects to their
RemoteApp or desktop resource.

Disconnected user session
A disconnected user session is an inactive session that the user hasn't signed out of yet.
When a user closes the remote session window without signing out, the session
becomes disconnected. When a user reconnects to their remote resources, they'll be
redirected to their disconnected session on the session host they were working on. At
this point, the disconnected session becomes an active session again.

Force log-off
A force log-off, or forced sign-out, is when the service ends an active user session or a
disconnected user session without the user's consent.

Exclusion tag
An exclusion tag is a property of a scaling plan that's a tag name you can apply to VMs
that you want to exclude from scaling actions. Autoscale only performs scaling actions
on VMs without tag names that match the exclusion tag.

Next steps
For more information about autoscale, see the autoscale feature document.
For examples of how autoscale works, see Autoscale example scenarios.
For more information about the scaling script, see the scaling script document.


Azure Virtual Desktop autoscale FAQ

This article answers frequently asked questions about how to use autoscale for Azure
Virtual Desktop.

General questions
Does autoscale create or delete virtual machines (VMs) based on service load?
No.

Does autoscale change the SKU or size of VMs?
No.

Can I configure scaling for specific dates like holidays?
No. Autoscale doesn't currently support ramping down on specific dates.

Will I be charged extra for using autoscale?
No. For more information on rates, see our pricing page.

How often does autoscale monitor the session hosts and perform scaling evaluations?
Autoscale monitors for when users sign in or out of their session hosts and categorizes
this activity as session change events. Session change events trigger a scaling evaluation
that creates logs. If there aren't any session change events or the event service has an
outage, autoscale then checks to see if it missed any events. When several session
change events happen within a short time period, then the feature will batch the scaling
evaluations. This batching allows autoscale to process large numbers of events quickly
without overloading the system.

How many VMs need to be in a host pool for autoscale to work properly?
At least one.

Can you use Azure CLI to configure autoscale?
No, currently autoscale doesn't offer the option to configure settings with Azure CLI.

Which regions are supported?
Scaling plan configuration data must be stored in the same region as the host pool
configuration, however, deploying session host VMs is supported in all Azure regions.
VMs can be deployed in a different region than where the host pool and scaling plan
configuration data is stored.

Does autoscale handle scaling session hosts in secondary regions if the session hosts in the primary region have an outage?
No. Customers need to set up their own disaster recovery strategy to manage outages.
Autoscale only handles scaling existing VMs within the region they're created in.

Does autoscale consider availability zones during scaling operations if I create session hosts in multiple zones within a region?
No. Autoscale doesn't track which availability zone you create VMs in, so it may not
perform scaling operations across all zones equally.

Autoscale for pooled host pools

How do I configure autoscale so I run zero session hosts after working hours?
Ramp-down mode always uses the lowest possible number of session hosts. However, if
there are existing user sessions, the lowest number of usable session hosts won't be
zero. To configure the time limit policy to sign out all disconnected users to avoid
having usable session hosts after hours, go to Local Computer Policy > Computer
Configuration > Administrative Templates > Windows Components > Remote
Desktop Services > Remote Desktop Session Host > Session Time Limits > Set time
limit for disconnected sessions.

What happens if the used host pool capacity is equal to the capacity threshold?
Nothing. Autoscale only reacts when the used host pool capacity is greater than or less than
the capacity threshold. The feature won't do anything when the used host pool capacity is
the same as the capacity threshold.

If I already configured drain mode on session hosts myself, does autoscale still change my configured drain mode settings?
Yes, autoscale still turns VMs in drain mode on or off, no matter who put it in drain
mode. Autoscale overrides drain mode on all VMs included in scaling, so if you want to
exclude a VM from scaling actions, you must use exclusion tags.

Can forced sign out happen in any phase of the day?
No. If you've enabled autoscale, you can only force users to sign out during the ramp-down phase. If you put a session host in drain mode during ramp-down to prepare it to be shut down but not all users sign out before the phase changes to off-peak, the remaining user sessions won't be forced to sign out. Users aren't signed out because autoscale doesn't force users to sign out of their sessions during off-peak hours. Instead, autoscale waits until all users have signed out before deallocating the VM. For example, if the ramp-down phase is 15 minutes long, and the wait time before signing out users and shutting down VMs is 20 minutes long, the schedule shifts to the off-peak phase and the user sessions won't be forced to sign out.

If I configure autoscale to force users to sign out during ramp-down, will it also sign out users with active sessions?
Yes. Idle, disconnected, and active sessions are forced to sign out if the users don't sign
out during the ramp-down phase wait time.

If an active session is forced to sign out, but the user tries to reconnect, is there a way to prevent that user from starting a new session on a session host that autoscale is about to shut down?
After autoscale selects a session host to be shut down, it puts the session host in drain mode. Once all the user sessions have been signed out, autoscale deallocates the VM. After autoscale deallocates the VM, it sets the AllowNewSessions setting to true, which turns off drain mode. Because autoscale puts the session hosts that it's about to shut down in drain mode, a user who's forced to sign out of their session won't be able to connect to a session host that's about to be shut down if they try to reconnect after being signed out.

Can autoscale turn off all the VMs in a host pool, or does it need to keep at least a few VMs on to work properly?
Autoscale can turn off all VMs in a host pool if the minimum percentage of hosts is set to 0% and there are no user sessions on the session hosts in the host pool.

Why would I want to configure the load balancing algorithm differently during different phases of the scaling plan schedule?
When you set up your scaling plan schedule, you can specify different load balancing
algorithms for different phases of the day. For example, during the ramp-up and peak
phases, you can use the breadth-first load balancing algorithm. This algorithm ensures
you have an even distribution of user sessions during the first two phases of the day,
which optimizes performance. Likewise, during the ramp-down and off-peak phases,
you can use the depth-first load balancing algorithm to help the autoscale feature
consolidate user sessions until it reaches the minimal possible number of session hosts
in the host pool.

Autoscale for personal host pools

What happens to session hosts that get turned on but don't ever get signed into?
If a session host is turned on (either by autoscale, Start VM on Connect, or by the admin) and a user never signs into it, autoscale will deallocate that session host after a period of inactivity to prevent incurring unnecessary compute costs.

If I opt out of having a ramp-up, how will my personal desktops get started?
If you choose not to have personal desktops started by autoscale during the ramp-up
phase, autoscale won't start your personal desktops. Instead you must either enable
Start VM on Connect to ensure that personal desktops start up when users sign into
them or manually start up the personal desktops yourself.

Can I configure autoscale to force users to sign out of their personal desktop?
No. Autoscale for personal desktops only deallocates session hosts if the user has signed out of their user session.

What is the difference between a disconnected user session and a user session that has been signed out?
For more information, see User session definitions.

Does autoscale for personal desktops overwrite the drain mode of session hosts?
No. When autoscale is ready to deallocate a personal desktop due to the user session
being signed out or disconnected, autoscale doesn't put the session host in drain mode.
If the user tries to connect while autoscale is deallocating the session host, they'll
receive an error message that says "No resources available."

What happens if I opt for personal desktops to get hibernated in my scaling plan, but my personal desktops don't have hibernate enabled?
If you opt to have personal desktops hibernated in your personal scaling plan schedule,
but the personal desktops don't have hibernate enabled, autoscale won't do anything to
your session hosts (won't hibernate them and won't deallocate them).


Create and assign an autoscale scaling
plan for Azure Virtual Desktop
Article • 11/21/2024

Important

Dynamic autoscaling for pooled host pools with session host configuration is
currently in PREVIEW. See the Supplemental Terms of Use for Microsoft Azure
Previews for legal terms that apply to Azure features that are in beta, preview, or
otherwise not yet released into general availability.

Autoscale lets you scale your session host virtual machines (VMs) in a host pool up or
down according to schedule to optimize deployment costs.

When using autoscale, you can choose from two different scaling methods: power
management or dynamic. To learn more about autoscale, see Autoscale scaling plans
and example scenarios in Azure Virtual Desktop.

Note

Azure Virtual Desktop (classic) doesn't support autoscale.
You can't use autoscale and scale session hosts using Azure Automation and Azure Logic Apps on the same host pool. You must use one or the other.
Power management autoscaling is available in Azure and Azure Government. Dynamic autoscaling is only available in Azure and isn't supported in Azure Government.

For best results, we recommend using autoscale with session hosts you deployed with
Azure Virtual Desktop Azure Resource Manager templates or first-party tools from
Microsoft.

Prerequisites
To use a power management scaling plan, make sure you follow these guidelines:

Scaling plan configuration data must be stored in the same region as the host pool configuration. Deploying session host VMs is supported in all Azure regions.

When using autoscale for pooled host pools, you must have a configured MaxSessionLimit parameter for that host pool. Don't use the default value. You can configure this value in the host pool settings in the Azure portal or run the New-AzWvdHostPool or Update-AzWvdHostPool PowerShell cmdlets.

You must grant Azure Virtual Desktop access to manage the power state of your session host VMs. You must have the Microsoft.Authorization/roleAssignments/write permission on your subscriptions in order to assign the role-based access control (RBAC) role for the Azure Virtual Desktop service principal on those subscriptions. This permission is part of the User Access Administrator and Owner built-in roles.

If you want to use personal desktop autoscale with hibernation, you'll need to enable the hibernation feature for VMs in your personal host pool. FSLogix and app attach currently don't support hibernate. Don't enable hibernate if you're using FSLogix or app attach for your personal host pools. For more information on using hibernation, including how hibernation works, limitations, and prerequisites, see Hibernation for Azure virtual machines.

If you're using PowerShell to create and assign your scaling plan, you need module Az.DesktopVirtualization version 4.2.0 or later.

If you're configuring a time limit policy, you'll need:

For Intune: a Microsoft Entra ID account that is assigned the Policy and Profile manager built-in RBAC role and a group containing the devices you want to configure.
For Group Policy: a domain account that has permission to create or edit Group Policy objects and a security group or organizational unit (OU) containing the devices you want to configure.

Assign permissions to the Azure Virtual Desktop service principal
Before creating your first scaling plan, you'll need to assign the Desktop Virtualization
Power On Off Contributor RBAC role to the Azure Virtual Desktop service principal with
your Azure subscription as the assignable scope. Assigning this role at any level lower
than your subscription, such as the resource group, host pool, or VM, will prevent
autoscale from working properly.

You need to add each Azure subscription as an assignable scope that contains host
pools and session host VMs you want to use with autoscale. This role and assignment
allows Azure Virtual Desktop to manage the power state of any VMs in those
subscriptions. It also lets the service apply actions on both host pools and VMs when
there are no active user sessions.

To learn how to assign the Desktop Virtualization Power On Off Contributor role to the
Azure Virtual Desktop service principal, see Assign Azure RBAC roles or Microsoft Entra
roles to the Azure Virtual Desktop service principals.

Create a scaling plan

Azure portal

Now that you've assigned the Desktop Virtualization Power On Off Contributor role
to the service principal on your subscriptions, you can create a scaling plan. To
create a scaling plan using the portal:

1. Sign in to the Azure portal.

2. In the search bar, type Azure Virtual Desktop and select the matching service
entry.

3. Select Scaling Plans, then select Create.

4. In the Basics tab, complete the following information:

Subscription: Select the subscription you want to create the host pool in from the drop-down list.

Resource group: Select an existing resource group or select Create new and enter a name.

Scaling plan name: Enter a name for the scaling plan. Optionally, you can also add a "friendly" name that will be displayed to your users and a description for your plan.

Location: Select the Azure region where you want to create your scaling plan.

Time zone: Select the time zone you'll use with your plan.

Host pool type: Select the type of host pool that you want your scaling plan to apply to.

Exclusion tag: Enter a tag name for VMs you don't want to include in scaling operations. For example, you might want to tag VMs that are set to drain mode so that autoscale doesn't override drain mode during maintenance using the exclusion tag "excludeFromScaling". If you've set "excludeFromScaling" as the tag name field on any of the VMs in the host pool, autoscale won't start, stop, or change the drain mode of those particular VMs.

Scaling method: This option appears if you selected Pooled for Host pool type. Select Power management autoscaling.

Note

Though an exclusion tag will exclude the tagged VM from power management scaling operations, tagged VMs will still be considered as part of the calculation of the minimum percentage of hosts. Make sure not to include any sensitive information in the exclusion tags such as user principal names or other personally identifiable information.

5. Select Next, which should take you to the Schedules tab. Schedules let you
define when autoscale turns VMs on and off throughout the day. The schedule
parameters are different based on the Host pool type you chose for the
scaling plan.

Pooled host pools

In each phase of the schedule, autoscale only turns off VMs when doing so won't cause the used host pool capacity to exceed the capacity threshold. The default values you see when you try to create a schedule are the suggested values for weekdays, but you can change them as needed.

To create or change a schedule:

a. In the Schedules tab, select Add schedule and complete the following
information:

Schedule name: Enter a name for your schedule.

Repeat on: Select which days your schedule will repeat on.

b. In the Ramp up tab, fill out the following fields:

Start time: Select a time from the drop-down menu to start preparing VMs for peak business hours.

Load balancing algorithm: We recommend selecting breadth-first algorithm. Breadth-first load balancing will distribute users across existing VMs to keep access times fast. The load balancing preference you select here will override the one you selected for your original host pool settings.

Minimum percentage of hosts: Enter the percentage of session hosts you want to always remain on in this phase. If the percentage you enter isn't a whole number, it's rounded up to the nearest whole number. For example, in a host pool of seven session hosts, if you set the minimum percentage of hosts during ramp-up hours to 10%, one VM will always stay on during ramp-up hours, and it won't be turned off by autoscale.

Capacity threshold: Enter the percentage of available host pool capacity that will trigger a scaling action to take place. For example, if two session hosts in the host pool with a max session limit of 20 are turned on, the available host pool capacity is 40. If you set the capacity threshold to 75% and the session hosts have more than 30 user sessions, autoscale will turn on a third session host. This will then change the available host pool capacity from 40 to 60.

c. In the Peak hours tab, fill out the following fields:

Start time: Enter a start time for when your usage rate is highest during the day. Make sure the time is in the same time zone you specified for your scaling plan. This time is also the end time for the ramp-up phase.

Load balancing: Select breadth-first or depth-first load balancing. Breadth-first load balancing distributes new user sessions across all available session hosts in the host pool. Depth-first load balancing distributes new sessions to any available session host with the highest number of connections that hasn't reached its session limit yet. For more information about load-balancing types, see Configure the Azure Virtual Desktop load-balancing method.

Note

You can't change the capacity threshold here. Instead, the setting you entered in Ramp-up will carry over to this setting.

d. For Ramp-down, you'll enter values into similar fields to Ramp-up, but this
time it will be for when your host pool usage drops off. This will include the
following fields:

Start time
Load-balancing algorithm
Minimum percentage of hosts (%)
Capacity threshold (%)
Force logoff users

Important

If you've enabled autoscale to force users to sign out during ramp-down, the feature will choose the session host with the lowest number of user sessions (active and disconnected) to shut down. Autoscale will put the session host in drain mode, send those user sessions a notification telling them they'll be signed out, and then sign out those users after the specified wait time is over. After autoscale signs out those user sessions, it then deallocates the VM.

If you haven't enabled forced sign out during ramp-down, you then need to choose whether you want to shut down ‘VMs have no active or disconnected sessions’ or ‘VMs have no active sessions’ during ramp-down.

Whether or not you’ve enabled autoscale to force users to sign out during ramp-down, the capacity threshold and the minimum percentage of hosts are still respected: autoscale will only shut down VMs if all existing user sessions (active and disconnected) in the host pool can be consolidated to fewer VMs without exceeding the capacity threshold.

You can also configure a time limit policy that will apply to all phases to sign out all disconnected users to reduce the used host pool capacity. For more information, see Configure a time limit policy.

e. Likewise, Off-peak hours works the same way as Peak hours:

Start time, which is also the end of the ramp-down period.
Load-balancing algorithm. We recommend choosing depth-first to gradually reduce the number of session hosts based on sessions on each VM.
Just like peak hours, you can't configure the capacity threshold here. Instead, the value you entered in Ramp-down carries over.

Personal host pools

In each phase of the schedule, define whether VMs should be deallocated based on the user session state.

To create or change a schedule:

a. In the Schedules tab, select Add schedule and complete the following
information:

Schedule name: Enter a name for your schedule.

Repeat on: Select which days your schedule will repeat on.

b. In the Ramp up tab, fill out the following fields:

Start time: Select the time you want the ramp-up phase to start from the drop-down menu.

Start VM on Connect: Select whether you want Start VM on Connect to be enabled during ramp up. We highly recommend that you enable Start VM on Connect if you choose not to start your VMs during the ramp-up phase.

VMs to start: Select whether you want only personal desktops that have a user assigned to them at the start time to be started, you want all personal desktops in the host pool (regardless of user assignment) to be started, or you want no personal desktops in the pool to be started.

Disconnect settings: For When disconnected for (min), specify the number of minutes a user session has to be disconnected before performing a specific action. This number can be anywhere between 0 and 360. For Perform, specify what action the service should take after a user session has been disconnected for the specified time. The options are to either deallocate (shut down) the VMs, hibernate the personal desktop, or do nothing.

Sign out settings: For When logged off for (min), specify the number of minutes a user session has to be logged off before performing a specific action. This number can be anywhere between 0 and 360. For Perform, specify what action the service should take after a user session has been logged off for the specified time. The options are to either deallocate (shut down) the VMs, hibernate the personal desktop, or do nothing.

c. In the Peak hours, Ramp-down, and Off-peak hours tabs, fill out the
following fields:

Start time: Enter a start time for each phase. This time is also the end time for the previous phase.

Start VM on Connect: Select whether you want Start VM on Connect to be enabled during that phase.

Disconnect settings: For When disconnected for (min), specify the number of minutes a user session has to be disconnected before performing a specific action. This number can be anywhere between 0 and 360. For Perform, specify what action the service should take after a user session has been disconnected for the specified time. The options are to either deallocate (shut down) the VMs, hibernate the personal desktop, or do nothing.

Sign out settings: For When logged off for (min), specify the number of minutes a user session has to be logged off before performing a specific action. This number can be anywhere between 0 and 360. For Perform, specify what action the service should take after a user session has been logged off for the specified time. The options are to either deallocate (shut down) the VMs, hibernate the personal desktop, or do nothing.

6. Select Next to take you to the Host pool assignments tab. Select the check
box next to each host pool you want to include. If you don't want to enable
autoscale, unselect all check boxes. You can always return to this setting later
and change it. You can only assign the scaling plan to host pools that match
the host pool type specified in the plan.

Note

When you create or update a scaling plan that's already assigned to host pools, its changes will be applied immediately.

7. After that, you'll need to enter tags. Tags are name and value pairs that
categorize resources for consolidated billing. You can apply the same tag to
multiple resources and resource groups. To learn more about tagging
resources, see Use tags to organize your Azure resources.

Note

If you change resource settings on other tabs after creating tags, your tags will be automatically updated.

8. Once you're done, go to the Review + create tab and select Create to create
and assign your scaling plan to the host pools you selected.
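The capacity threshold and minimum percentage arithmetic described in the Ramp-up and Ramp-down fields above, as an added Python model. This is not Azure Virtual Desktop service code and not the scaling plan's own logic; the host names, session counts and the excluded flag (standing in for the exclusion tag) are constructed for the example, and only the rules stated in this article are encoded.

```python
"""Model of the pooled host pool autoscale arithmetic from the Ramp-up and
Ramp-down fields above.

Constructed example for illustration; it is not Azure Virtual Desktop service
code, and the host names, session counts and tag values are made up. It
encodes only the rules the article states:
  * available capacity = powered-on, non-excluded hosts x MaxSessionLimit
  * a host is started when used capacity is above the capacity threshold;
    capacity exactly equal to the threshold triggers nothing
  * the minimum percentage of hosts is rounded up to a whole host and counts
    exclusion-tagged VMs in the total, but those VMs are never acted on
  * during ramp-down and off-peak a host is only drained and deallocated if the
    remaining sessions still fit under the threshold on the remaining hosts
"""
import math
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class SessionHost:
    name: str
    powered_on: bool
    sessions: int            # active + disconnected user sessions
    excluded: bool = False   # VM carries the scaling plan's exclusion tag


def minimum_hosts(total_hosts: int, minimum_percent: float) -> int:
    """Round the minimum percentage of hosts up to a whole number of hosts.

    total_hosts includes exclusion-tagged VMs, as the exclusion-tag note says.
    """
    return math.ceil(total_hosts * minimum_percent / 100)


def evaluate(hosts: List[SessionHost], max_session_limit: int,
             capacity_threshold_pct: float, minimum_pct: float,
             phase: str) -> Tuple[str, str]:
    """Return (action, host_name) for one scaling evaluation.

    action is "start", "drain" (drain mode now, deallocate once its sessions
    have signed out) or "none". One action per evaluation is modelled.
    """
    managed = [h for h in hosts if not h.excluded]
    powered_on = [h for h in managed if h.powered_on]
    powered_off = [h for h in managed if not h.powered_on]

    used_sessions = sum(h.sessions for h in powered_on)
    available = len(powered_on) * max_session_limit
    threshold_sessions = available * capacity_threshold_pct / 100
    min_on = minimum_hosts(len(hosts), minimum_pct)

    # Keep at least the minimum number of hosts on in every phase.
    if len(powered_on) < min_on and powered_off:
        return "start", powered_off[0].name

    # Scale out only when used capacity is strictly above the threshold;
    # used capacity equal to the threshold is not a trigger.
    if used_sessions > threshold_sessions and powered_off:
        return "start", powered_off[0].name

    # Scale in only in the phases where hosts are shut down, and only if the
    # sessions consolidate onto the remaining hosts without crossing the threshold.
    if phase in ("ramp-down", "off-peak") and len(powered_on) > min_on:
        candidate = min(powered_on, key=lambda h: h.sessions)
        remaining_capacity = (len(powered_on) - 1) * max_session_limit
        if used_sessions <= remaining_capacity * capacity_threshold_pct / 100:
            return "drain", candidate.name

    return "none", ""


def article_example() -> Tuple[str, str]:
    """Seven-host pool from the Ramp-up table: 10% minimum rounds up to one
    host; two hosts on with MaxSessionLimit 20 give capacity 40, and 31
    sessions exceed the 75% threshold (30), so a third host is started."""
    hosts = [SessionHost("sh-1", True, 16), SessionHost("sh-2", True, 15)]
    hosts += [SessionHost(f"sh-{i}", False, 0) for i in range(3, 8)]
    return evaluate(hosts, max_session_limit=20, capacity_threshold_pct=75,
                    minimum_pct=10, phase="ramp-up")


if __name__ == "__main__":
    print(minimum_hosts(7, 10))   # 1
    print(article_example())      # ('start', 'sh-3')
```

The model is useful for reasoning about what a given threshold and minimum percentage will do to a pool before you commit the plan: lowering the minimum percentage to 0% lets every host be drained once sessions reach zero, while an exclusion-tagged VM still counts toward the minimum but is never started, stopped or drained.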

Configure a time limit policy

Using Microsoft Intune or Group Policy, you can configure a time limit policy that signs out all disconnected users once a set time is reached, which reduces the used host pool capacity. Select the relevant tab for your scenario.

Microsoft Intune

To configure a time limit policy using Intune:

1. Sign in to the Microsoft Intune admin center.

2. Create or edit a configuration profile for Windows 10 and later devices, with
the Session Time Limits profile type.

3. In the settings picker, browse to Administrative templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Session Time Limits.

4. Check the box for Set time limit for disconnected sessions, then close the
settings picker.

5. Expand the Administrative templates category, then toggle the switch for Set
time limit for disconnected sessions to Enabled, then select a time value from
the drop-down list.

6. Select Next.

7. Optional: On the Scope tags tab, select a scope tag to filter the profile. For
more information about scope tags, see Use role-based access control (RBAC)
and scope tags for distributed IT.

8. On the Assignments tab, select the group containing the computers providing
a remote session you want to configure, then select Next.

9. On the Review + create tab, review the settings, then select Create.

10. Once the policy applies to the computers providing a remote session, restart them for the settings to take effect.

Edit an existing scaling plan
Select the relevant tab for your scenario.

Azure portal

To edit an existing scaling plan using the Azure portal:

1. Sign in to the Azure portal.

2. In the search bar, type Azure Virtual Desktop and select the matching service
entry.

3. Select Scaling plans, then select the name of the scaling plan you want to edit.
The overview blade of the scaling plan should open.

4. To change the scaling plan host pool assignments, under the Manage heading select Host pool assignments and then select + Assign. Select the host pools you want to assign the scaling plan to and select Assign. The host pools must be in the same Azure region as the scaling plan and the scaling plan's host pool type must match the type of host pools you're trying to assign it to.

Tip

If you've enabled the scaling plan during deployment, then you'll also have the option to disable the plan for the selected host pool in the Scaling plan menu by unselecting the Enable autoscale checkbox, as shown in the following screenshot.

5. To edit schedules, under the Manage heading, select Schedules.

6. To edit the plan's friendly name, description, time zone, or exclusion tags, go to the Properties tab.

Next steps
Now that you've created your scaling plan, here are some things you can do:

Monitor Autoscale operations with Insights

If you'd like to learn more about terms used in this article, check out our autoscale
glossary. For examples of how autoscale works, see Autoscale example scenarios. You
can also look at our Autoscale FAQ if you have other questions.


Monitor Autoscale operations with
Insights in Azure Virtual Desktop
Article • 04/09/2024

Autoscale lets you scale your session host virtual machines (VMs) in a host pool up or
down according to schedule to optimize deployment costs. Autoscale diagnostic data,
integrated with Insights in Azure Virtual Desktop, enables you to monitor scaling
operations, identify issues that need to be fixed, and recognize opportunities to
optimize your scaling plan configuration to save cost.

To learn more about autoscale, see Autoscale scaling plans and example scenarios, and
for Insights in Azure Virtual Desktop, see Enable Insights to monitor Azure Virtual
Desktop.

Note

You can only monitor Autoscale operations with Insights with pooled host pools. For personal host pools, see Set up diagnostics for Autoscale in Azure Virtual Desktop.

Prerequisites
Before you can monitor Autoscale operations with Insights, you need:

A pooled host pool with a scaling plan assigned. Personal host pools aren't
supported.

Insights configured for your host pool and its related workspace. To learn how to
configure Insights, see Enable Insights to monitor Azure Virtual Desktop.

An Azure account that is assigned the following role-based access control (RBAC)
roles, depending on your scenario:

Scenario: Configure diagnostic settings
RBAC roles: Desktop Virtualization Contributor
Scope: Assigned on the resource group or subscription for your host pools, workspaces, and session hosts.

Scenario: View and query data
RBAC roles: Desktop Virtualization Reader and Log Analytics Reader
Scope: Desktop Virtualization Reader assigned on the resource group or subscription where the host pools, workspaces, and session hosts are. Log Analytics Reader assigned on any Log Analytics workspace used for Azure Virtual Desktop Insights (1).

(1) You can also create a custom role to reduce the scope of assignment on the Log Analytics workspace. For more information, see Manage access to Log Analytics workspaces.

Configure diagnostic settings and verify Insights workbook configuration
First, you need to make sure that diagnostic settings are configured to send the
necessary logs from your host pool and workspace to your Log Analytics workspace.

Enable Autoscale logs for a host pool

In addition to existing host pool logs that you're already sending to a Log Analytics workspace, you also need to send Autoscale logs for a host pool:

1. Sign in to the Azure portal.

2. In the search bar, type Azure Virtual Desktop and select the matching service entry.

3. From the Azure Virtual Desktop overview page, select Host pools, then select the
pooled host pool for which you want to enable Autoscale logs.

4. From the host pool overview page, select Diagnostic settings.

5. Select Add diagnostic setting, or select an existing diagnostic setting to edit.

6. Select the following categories as a minimum. If you already have some of these
categories selected for this host pool as part of this diagnostic setting or an
existing one, don't select them again, otherwise you get an error when you save
the diagnostic setting.

Checkpoint
Error
Management
Connection
HostRegistration
AgentHealthStatus
Autoscale logs for pooled host pools

7. For Destination details, select Send to Log Analytics workspace.

8. Select Save.

Verify workspace logs

Verify that you're already sending the required logs for a workspace to a Log Analytics workspace:

1. From the Azure Virtual Desktop overview page, select Workspaces, then select the
related workspace for the host pool you're monitoring.

2. From the workspace overview page, select Diagnostic settings.

3. Select Edit setting.

4. Make sure the following categories are enabled.

Checkpoint
Error
Management
Feed

5. For Destination details, ensure you're sending data to the same Log Analytics
workspace as the host pool.

6. If you made changes, select Save.

Verify Insights workbook configuration

You need to verify that your Insights workbook is configured correctly for your host pool:

1. From the Azure Virtual Desktop overview page, select Host pools, then select the
pooled host pool you're monitoring.

2. From the host pool overview page, select Insights if you're using the Azure
Monitor Agent on your session hosts, or Insights (Legacy) if you're using the Log
Analytics Agent on your session hosts.

3. Ensure there aren't outstanding configuration issues. If there are, you see messages such as:

Azure Monitor is not configured for session hosts.
Azure Monitor is not configured for the selected AVD host pool.
There are session hosts not sending data to the expected Log Analytics workspace.

You need to complete the configuration in the relevant workbook to resolve these issues. For more information, see Enable Insights to monitor Azure Virtual Desktop. When there are no configuration issues, Insights should look similar to the following image:

View Autoscale insights

After you configured your diagnostic settings and verified your Insights workbook configuration, you can view Autoscale insights:

1. From the Azure Virtual Desktop overview page, select Host pools, then select the
pooled host pool for which you want to view Autoscale insights.

2. From the host pool overview page, select Insights if you're using the Azure
Monitor Agent on your session hosts, or Insights (Legacy) if you're using the Log
Analytics Agent on your session hosts.

3. Select Autoscale from the row of tabs. Depending on your display's width, you might need to select the ellipses ... button to show the full list with Autoscale.

4. Insights shows information about the Autoscale operations for your host pool, such as a graph of the change in power state of your session hosts in the host pool over time, and summary information.

Queries for Autoscale data in Log Analytics

For additional information about Autoscale operations, you can run queries against the data in Log Analytics. The data is written to the WVDAutoscaleEvaluationPooled table. The following sections contain the schema and some example queries. To learn how to run queries in Log Analytics, see Log Analytics tutorial.

WVDAutoscaleEvaluationPooled Schema

The following table details the schema for the WVDAutoscaleEvaluationPooled table, which contains the results of an Autoscale scaling plan evaluation on a host pool. The information includes the actions Autoscale took on the session hosts, such as starting or deallocating them, and why it took those actions. The entries that start with Config contain the scaling plan configuration values for an Autoscale schedule phase. If the ResultType value is Failed, join to the WVDErrors table using the CorrelationId to get more details.

Name (Type): Description

ActiveSessionHostCount (Int): Number of session hosts accepting user connections.
ActiveSessionHostsPercent (Double): Percent of session hosts in the host pool considered active by Autoscale.
ConfigCapacityThresholdPercent (Double): Capacity threshold percent.
ConfigMinActiveSessionHostsPercent (Double): Minimum percent of session hosts that should be active.
ConfigScheduleName (String): Name of schedule used in the evaluation.
ConfigSchedulePhase (String): Schedule phase at the time of evaluation.
CorrelationId (String): A GUID generated for this Autoscale evaluation.
ExcludedSessionHostCount (Int): Number of session hosts excluded from Autoscale management.
MaxSessionLimitPerSessionHost (Int): The MaxSessionLimit value defined on the host pool. This value is the maximum number of user sessions allowed per session host.
Properties (Dynamic): Additional information.
ResultType (String): Status of this evaluation event.
ScalingEvaluationStartTime (DateTime): The timestamp (UTC) when the Autoscale evaluation started.
ScalingPlanResourceId (String): Resource ID of the Autoscale scaling plan.
ScalingReasonMessage (String): The actions Autoscale decided to perform and why it took those actions.
SessionCount (Int): Number of user sessions; only the user sessions from session hosts that are considered active by Autoscale are included.
SessionOccupancyPercent (Double): Percent of session host capacity occupied by user sessions.
TimeGenerated (DateTime): The timestamp (UTC) this event was generated.
TotalSessionHostCount (Int): Number of session hosts in the host pool.
UnhealthySessionHostCount (Int): Number of session hosts in a faulty state.

Sample of data
The following query returns the 10 most recent rows of data for Autoscale:

Kusto

WVDAutoscaleEvaluationPooled
| take 10

Failed evaluations with WVDErrors

The following query returns Autoscale evaluations that failed, including those that partially failed. The query also joins to WVDErrors to provide more failure details where available. The corresponding entries in WVDErrors only contain results where ServiceError is false:

Kusto

WVDAutoscaleEvaluationPooled
| where ResultType != "Succeeded"
| join kind=leftouter WVDErrors
on CorrelationId
| order by _ResourceId asc, TimeGenerated asc, CorrelationId, TimeGenerated1
asc

Start, deallocate, and force logoff operations

The following query returns the number of attempted operations of session host start,
session host deallocate, and user session force logoff per host pool, schedule name,
schedule phase, and day:

Kusto

WVDAutoscaleEvaluationPooled
| where ResultType == "Succeeded"
| extend properties = parse_json(Properties)
| extend BeganStartVmCount = toint(properties.BeganStartVmCount)
| extend BeganDeallocateVmCount = toint(properties.BeganDeallocateVmCount)
| extend BeganForceLogoffOnSessionHostCount = toint(properties.BeganForceLogoffOnSessionHostCount)
| summarize sum(BeganStartVmCount), sum(BeganDeallocateVmCount), sum(BeganForceLogoffOnSessionHostCount) by _ResourceId, bin(TimeGenerated, 1d), ConfigScheduleName, ConfigSchedulePhase
| order by _ResourceId asc, TimeGenerated asc, ConfigScheduleName, ConfigSchedulePhase asc

Maximum session occupancy and active session hosts

The following query returns the maximum session occupancy percent, session count,
active session hosts percent, and active session host count per host pool, schedule
name, schedule phase, and day:

Kusto

WVDAutoscaleEvaluationPooled
| where ResultType == "Succeeded"
| summarize max(SessionOccupancyPercent), max(SessionCount), max(ActiveSessionHostsPercent), max(ActiveSessionHostCount) by _ResourceId, bin(TimeGenerated, 1d), ConfigScheduleName, ConfigSchedulePhase
| order by _ResourceId asc, TimeGenerated asc, ConfigScheduleName, ConfigSchedulePhase asc

Related content
For more information about the time for log data to become available after collection,
see Log data ingestion time in Azure Monitor.


Set up diagnostics for Autoscale in Azure Virtual Desktop
Article • 04/09/2024

Diagnostics lets you monitor potential issues and fix them before they interfere with
your Autoscale scaling plan.

Currently, you can either send diagnostic logs for Autoscale to an Azure Storage account
or consume logs with Microsoft Azure Event Hubs. If you're using an Azure Storage
account, make sure it's in the same region as your scaling plan. Learn more about
diagnostic settings at Create diagnostic settings. For more information about resource
log data ingestion time, see Log data ingestion time in Azure Monitor.

Tip

For pooled host pools, we recommend you use Autoscale diagnostic data
integrated with Insights in Azure Virtual Desktop, which provides a more
comprehensive view of your Autoscale operations. For more information, see
Monitor Autoscale operations with Insights in Azure Virtual Desktop.

Enable diagnostics for scaling plans

To enable diagnostics for your scaling plan:

1. Open the Azure portal .

2. In the search bar, type Azure Virtual Desktop and select the matching service entry.

3. Select Scaling plans, then select the scaling plan you'd like the report to track.

4. Go to Diagnostic Settings and select Add diagnostic setting.

5. Enter a name for the diagnostic setting.

6. Next, select Autoscale logs and choose either Archive to a storage account or
Stream to an event hub depending on where you want to send the report.

7. Select Save.

Note

If you select Archive to a storage account, you'll need to Migrate from diagnostic
settings storage retention to Azure Storage lifecycle management.

Find Autoscale diagnostic logs in Azure Storage

After you've configured your diagnostic settings, you can find the logs by following
these instructions:

1. In the Azure portal, go to the storage account you sent the diagnostic logs to.

2. Select Containers and open the folder called insight-logs-autoscaling.

3. Within the insight-logs-autoscaling folder select the subscription, resource group,
scaling plan, and date until you see the JSON file. Select the JSON file and
download it to your local computer.

4. Finally, open the JSON file in the text editor of your choice.

View diagnostic logs

Now that you've opened the JSON file, let's do a quick overview of what each piece of
the report means:

The CorrelationID is the ID that you need to show when you create a support case.

OperationName is the type of operation running while the issue happened.

ResultType is the result of the operation. This item can show you where issues are
if you notice any incomplete results.

Message is the error message that provides information on the incomplete
operation. This message can include links to important troubleshooting
documentation, so review it carefully.

The following JSON file is an example of what you'll see when you open a report:

JSON

{
    "host_Ring": "R0",
    "Level": 4,
    "ActivityId": "c1111111-1111-1111-b111-11111cd1ba1b1",
    "time": "2021-08-31T16:00:46.5246835Z",
    "resourceId": "/SUBSCRIPTIONS/AD11111A-1C21-1CF1-A7DE-CB1111E1D111/RESOURCEGROUPS/TEST/PROVIDERS/MICROSOFT.DESKTOPVIRTUALIZATION/SCALINGPLANS/TESTPLAN",
    "operationName": "HostPoolLoadBalancerTypeUpdated",
    "category": "Autoscale",
    "resultType": "Succeeded",
    "level": "Informational",
    "correlationId": "35ec619b-b5d8-5b5f-9242-824aa4d2b878",
    "properties": {
        "Message": "Host pool's load balancing algorithm updated",
        "HostPoolArmPath": "/subscriptions/AD11111A-1C21-1CF1-A7DE-CB1111E1D111/resourcegroups/test/providers/microsoft.desktopvirtualization/hostpools/testHostPool ",
        "PreviousLoadBalancerType": "BreadthFirst",
        "NewLoadBalancerType": "DepthFirst"
    }
}
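As an added example (not from the article or the Azure Virtual Desktop service), the following Python triages a downloaded insight-logs-autoscaling file using the fields just described: it pulls out the CorrelationID, OperationName, ResultType and Message of every record that did not succeed, and groups records per correlation ID for a support case. It assumes the file holds one JSON object per line (a single pretty-printed object, a JSON array, or a {"records": [...]} wrapper are also accepted); the first sample record is the one shown above, the second is constructed with a placeholder operation name and message.

```python
import json
from collections import defaultdict

# Record from the article's example report.
PAGE_RECORD = {
    "host_Ring": "R0",
    "Level": 4,
    "ActivityId": "c1111111-1111-1111-b111-11111cd1ba1b1",
    "time": "2021-08-31T16:00:46.5246835Z",
    "resourceId": "/SUBSCRIPTIONS/AD11111A-1C21-1CF1-A7DE-CB1111E1D111/RESOURCEGROUPS/TEST"
                  "/PROVIDERS/MICROSOFT.DESKTOPVIRTUALIZATION/SCALINGPLANS/TESTPLAN",
    "operationName": "HostPoolLoadBalancerTypeUpdated",
    "category": "Autoscale",
    "resultType": "Succeeded",
    "level": "Informational",
    "correlationId": "35ec619b-b5d8-5b5f-9242-824aa4d2b878",
    "properties": {
        "Message": "Host pool's load balancing algorithm updated",
        "PreviousLoadBalancerType": "BreadthFirst",
        "NewLoadBalancerType": "DepthFirst",
    },
}

# Constructed failed record: operation name and message are placeholders.
FAILED_RECORD = {
    "time": "2021-08-31T16:05:00.0000000Z",
    "resourceId": PAGE_RECORD["resourceId"],
    "operationName": "ConstructedExampleOperation",
    "category": "Autoscale",
    "resultType": "Failed",
    "level": "Error",
    "correlationId": "00000000-0000-0000-0000-000000000001",
    "properties": {"Message": "Constructed example failure message"},
}

# Constructed sample file: one JSON object per line.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in (PAGE_RECORD, FAILED_RECORD)) + "\n"


def load_records(text):
    """Parse a downloaded diagnostic log into a list of record dicts.

    Assumption: the file is either newline-delimited JSON objects, one
    pretty-printed object, a JSON array, or an object with a "records" array.
    """
    try:
        data = json.loads(text)
    except json.JSONDecodeError:
        return [json.loads(line) for line in text.splitlines() if line.strip()]
    if isinstance(data, dict):
        return data["records"] if "records" in data else [data]
    return list(data)


def triage(records):
    """Return the fields the article calls out for every record whose
    ResultType is not Succeeded, oldest first."""
    issues = []
    for rec in records:
        if rec.get("resultType") == "Succeeded":
            continue
        props = rec.get("properties") or {}
        issues.append({
            "time": rec.get("time"),
            # Last path segment of the resource ID is the scaling plan name.
            "scalingPlan": (rec.get("resourceId") or "").rsplit("/", 1)[-1],
            "correlationId": rec.get("correlationId"),
            "operationName": rec.get("operationName"),
            "resultType": rec.get("resultType"),
            "message": props.get("Message"),
        })
    return sorted(issues, key=lambda issue: issue["time"] or "")


def by_correlation(records):
    """Group operation names under their correlationId, so the full history
    behind a CorrelationID can be attached to a support case."""
    groups = defaultdict(list)
    for rec in records:
        groups[rec.get("correlationId")].append(rec.get("operationName"))
    return dict(groups)


if __name__ == "__main__":
    for issue in triage(load_records(SAMPLE_LOG)):
        print(issue["time"], issue["scalingPlan"], issue["operationName"],
              issue["resultType"], issue["correlationId"], issue["message"])
```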

Next steps

Review how to create a scaling plan at Autoscale for Azure Virtual Desktop session
hosts.
Assign your scaling plan to new or existing host pools.
Learn more about terms used in this article at our autoscale glossary.
For examples of how autoscale works, see Autoscale example scenarios.
View our autoscale FAQ to answer commonly asked questions.

Scale session hosts using Azure Automation and Azure Logic Apps for Azure Virtual Desktop
Article • 11/15/2023

You can reduce your total Azure Virtual Desktop deployment cost by scaling your virtual
machines (VMs). This means shutting down and deallocating session host VMs during
off-peak usage hours, then turning them back on and reallocating them during peak
hours.

In this article, you'll learn about the scaling tool built with the Azure Automation account
and Azure Logic Apps that automatically scales session host VMs in your Azure Virtual
Desktop environment. To learn how to use the scaling tool, see Set up scaling of session
hosts using Azure Automation and Azure Logic Apps.

Note

Azure Virtual Desktop's native Autoscale solution is generally available for pooled
and personal host pool(s) and will automatically scale in or out session host VMs
based on scaling schedule. We recommend using Autoscale for easier
configuration. For more information, see Autoscale scaling plans.

How the scaling tool works

The scaling tool provides a low-cost automation option for customers who want to
optimize their session host VM costs.

You can use the scaling tool to:

Schedule VMs to start and stop based on peak and off-peak business hours.
Scale out VMs based on number of sessions per CPU core.
Scale in VMs during off-peak hours, leaving the minimum number of session host
VMs running.

The scaling tool uses a combination of an Azure Automation account, a PowerShell
runbook, a webhook, and a Logic App to function. When the tool runs, the Logic App
calls a webhook to start the runbook. The runbook then creates a job.

Peak and off-peak hours are defined as:

Peak: The time when maximum user session concurrency is expected to be
reached.
Off-peak: The time when minimum user session concurrency is expected to be
reached.

During peak usage time, the job checks the current number of sessions and the VM
capacity of the current running session host for each host pool. It uses this information
to calculate if the running session host VMs can support existing sessions based on the
SessionThresholdPerCPU parameter defined for the CreateOrUpdateAzLogicApp.ps1 file.
If the session host VMs can't support existing sessions, the job starts extra session host
VMs in the host pool.

Note

SessionThresholdPerCPU doesn't restrict the number of sessions on the VM. This
parameter only determines when new VMs need to be started to load-balance the
connections. To restrict the number of sessions, follow the instructions in
Update-AzWvdHostPool to configure the MaxSessionLimit parameter accordingly.

During the off-peak usage time, the job determines how many session host VMs should
be shut down based on the MinimumNumberOfRDSH parameter. If you set the
LimitSecondsToForceLogOffUser parameter to a non-zero positive value, the job will set
the session host VMs to drain mode to prevent new sessions from connecting to the
hosts. The job will then notify any currently signed in users to save their work, wait the
configured amount of time, and then force the users to sign out. Once all user sessions
on the session host VM have been signed out, the job will shut down the VM. After the
VM shuts down, the job will reset its session host drain mode.

Note

If you manually set the session host VM to drain mode, the job won't manage the
session host VM. If the session host VM is running and set to drain mode, it will be
treated as unavailable, which will make the job start additional VMs to handle the
load. We recommend you tag any Azure VMs before you manually set them to
drain mode. You can name the tag with the MaintenanceTagName parameter when
you create the Azure Logic App Scheduler later. Tags will help you distinguish these
VMs from the ones the scaling tool manages. Setting the maintenance tag also
prevents the scaling tool from making changes to the VM until you remove the tag.

If you set the LimitSecondsToForceLogOffUser parameter to zero, the job allows the
session configuration setting in specified group policies to handle signing off user
sessions. To see these group policies, go to Computer Configuration > Policies >
Administrative Templates > Windows Components > Remote Desktop Services >
Remote Desktop Session Host > Session Time Limits. If there are any active sessions on
a session host VM, the job will leave the session host VM running. If there aren't any
active sessions, the job will shut down the session host VM.

At any time, the job also takes host pool's MaxSessionLimit into account to determine if
the current number of sessions is more than 90% of the maximum capacity. If it is, the
job will start extra session host VMs.

The job runs periodically based on a set recurrence interval. You can change this interval
based on the size of your Azure Virtual Desktop environment, but remember that
starting and shutting down VMs can take some time, so remember to account for the
delay. We recommend setting the recurrence interval to every 15 minutes.
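The decision rules in the preceding paragraphs, modelled in Python as an added illustration (this is not the runbook's own script): a simplified host pool is evaluated once and the result lists which VMs the job would start, stop, or drain and stop. The hosts, session counts and time window are constructed; where the article leaves a detail open (how many VMs to start, which VMs to stop first, that the peak window does not cross midnight) the choice is an assumption noted in the comments.

```python
from dataclasses import dataclass, field, replace
from datetime import time


@dataclass
class SessionHost:
    name: str
    cores: int
    sessions: int = 0
    running: bool = True
    drain_mode: bool = False
    tags: dict = field(default_factory=dict)


@dataclass
class ScalingConfig:
    begin_peak_time: time
    end_peak_time: time
    session_threshold_per_cpu: float
    minimum_number_of_rdsh: int
    max_session_limit: int  # the host pool's MaxSessionLimit
    limit_seconds_to_force_logoff_user: int
    maintenance_tag_name: str = "Maintenance"


def is_peak(now, cfg):
    # Assumption: the peak window does not cross midnight (local time).
    return cfg.begin_peak_time <= now < cfg.end_peak_time


def evaluate(hosts, now, cfg):
    """Return the actions one job run would take: start, stop,
    drain_and_stop (drain, notify, wait, force sign-out, shut down) and
    keep (left running because users are still signed in)."""
    # Hosts carrying the maintenance tag are not managed at all.
    managed = [h for h in hosts if cfg.maintenance_tag_name not in h.tags]
    # A running host in drain mode counts as unavailable: it adds no
    # capacity and is never scaled in, so the tool may start another VM.
    available = [h for h in managed if h.running and not h.drain_mode]
    stopped = [h for h in managed if not h.running]
    sessions = sum(h.sessions for h in available)
    plan = {"start": [], "stop": [], "drain_and_stop": [], "keep": []}

    def start_until(enough):
        # Assumption: start stopped hosts one at a time until enough() holds.
        while stopped and not enough():
            h = stopped.pop(0)
            h.running = True
            available.append(h)
            plan["start"].append(h.name)

    if is_peak(now, cfg):
        # Peak: running cores * SessionThresholdPerCPU must cover sessions.
        start_until(lambda: sessions <= cfg.session_threshold_per_cpu
                    * sum(h.cores for h in available))
    else:
        # Off-peak: scale in to MinimumNumberOfRDSH, emptiest hosts first
        # (the ordering is an assumption).
        surplus = len(available) - cfg.minimum_number_of_rdsh
        for h in sorted(available, key=lambda h: h.sessions):
            if surplus <= 0:
                break
            if h.sessions == 0:
                plan["stop"].append(h.name)
            elif cfg.limit_seconds_to_force_logoff_user > 0:
                plan["drain_and_stop"].append(h.name)
            else:
                # Limit of 0: sign-off is left to group policy; host stays up.
                plan["keep"].append(h.name)
                continue
            available.remove(h)
            surplus -= 1

    # At any time: sessions above 90% of MaxSessionLimit capacity scale out.
    start_until(lambda: sessions <= 0.9 * cfg.max_session_limit * len(available))
    return plan


def demo():
    """Constructed scenarios; returns {scenario: plan}."""
    cfg = ScalingConfig(time(9), time(18), session_threshold_per_cpu=2,
                        minimum_number_of_rdsh=1, max_session_limit=10,
                        limit_seconds_to_force_logoff_user=300)

    def pool(s1, s2, s3_running, s1_drain=False):
        return [SessionHost("sh-1", 4, s1, drain_mode=s1_drain),
                SessionHost("sh-2", 4, s2),
                SessionHost("sh-3", 4, 0, running=s3_running),
                SessionHost("sh-4", 4, 0, running=False,  # under maintenance
                            tags={cfg.maintenance_tag_name: "true"})]

    return {
        "peak_scale_out": evaluate(pool(9, 8, False), time(10), cfg),
        "peak_drain_ignored": evaluate(pool(5, 9, False, True), time(10), cfg),
        "offpeak_scale_in": evaluate(pool(0, 3, True), time(22), cfg),
        "offpeak_force_logoff": evaluate(pool(2, 3, True), time(22), cfg),
        "max_session_limit_90pct": evaluate(
            pool(10, 9, False), time(10), replace(cfg, session_threshold_per_cpu=5)),
    }
```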

However, the tool also has the following limitations:

This solution applies only to pooled multi-session session host VMs.
This solution manages VMs in any region, but can only be used in the same
subscription as your Azure Automation account and Azure Logic App.
The maximum runtime of a job in the runbook is 3 hours. If starting or stopping
the VMs in the host pool takes longer than that, the job will fail. For more
information, see Shared resources.
At least one VM or session host needs to be turned on for the scaling algorithm to
work properly.
The scaling tool doesn't support scaling based on CPU or memory.
Scaling only works with existing hosts in the host pool. The scaling tool doesn't
support scaling new session hosts.

Note

The scaling tool controls the load balancing mode of the host pool it's currently
scaling. The tool uses breadth-first load balancing mode for both peak and off-
peak hours.

Next steps

Learn how to set up scaling of session hosts using Azure Automation and Azure
Logic Apps.

Set up scaling tool using Azure Automation and Azure Logic Apps for Azure Virtual Desktop
Article • 11/01/2023

In this article, you'll learn about the scaling tool that uses an Azure Automation runbook
and Azure Logic App to automatically scale session host VMs in your Azure Virtual
Desktop environment. To learn more about the scaling tool, see Scale session hosts
using Azure Automation and Azure Logic Apps.

Note

Azure Virtual Desktop's native Autoscale solution is generally available for
pooled and personal host pool(s) and will automatically scale in or out session
host VMs based on scaling schedule. We recommend using Autoscale for
easier configuration. For more information, see Autoscale scaling plans.

You can't scale session hosts using Azure Automation and Azure Logic Apps
together with autoscale on the same host pool. You must use one or the
other.

Prerequisites

Before you start setting up the scaling tool, make sure you have the following things
ready:

An Azure Virtual Desktop host pool.
Session host pool VMs configured and registered with the Azure Virtual Desktop
service.
A user with the Contributor role-based access control (RBAC) role assigned on the
Azure subscription to create the resources. You'll also need the Application
administrator and/or Owner RBAC role to create a managed identity.
A Log Analytics workspace (optional).

The machine you use to deploy the tool must have:

PowerShell 5.1 or later
The Azure Az PowerShell module

If you have everything ready, let's get started.

Create or update an Azure Automation account

Note

If you already have an Azure Automation account with a runbook running an older
version of the scaling script, all you need to do is follow the instructions below to
make sure it's updated.

First, you'll need an Azure Automation account to run the PowerShell runbook. The
process this section describes is valid even if you have an existing Azure Automation
account that you want to use to set up the PowerShell runbook. Here's how to set it up:

1. Open PowerShell.

2. Run the following cmdlet to sign in to your Azure account.

PowerShell

Login-AzAccount

Note

Your account must have contributor rights on the Azure subscription where
you want to deploy the scaling tool.

3. Run the following cmdlet to download the script for creating the Azure
Automation account:

PowerShell

New-Item -ItemType Directory -Path "C:\Temp" -Force
Set-Location -Path "C:\Temp"
$Uri = "https://raw.githubusercontent.com/Azure/RDS-Templates/master/wvd-templates/wvd-scaling-script/CreateOrUpdateAzAutoAccount.ps1"
# Download the script
Invoke-WebRequest -Uri $Uri -OutFile ".\CreateOrUpdateAzAutoAccount.ps1"

4. Run the following cmdlet to execute the script and create the Azure Automation
account. You can either fill in values for the parameters or comment them to use
their defaults.

PowerShell

$Params = @{
    "AADTenantId"           = "<Azure_Active_Directory_tenant_ID>" # Optional. If not specified, it will use the current Azure context
    "SubscriptionId"        = "<Azure_subscription_ID>"            # Optional. If not specified, it will use the current Azure context
    "UseARMAPI"             = $true
    "ResourceGroupName"     = "<Resource_group_name>"              # Optional. Default: "WVDAutoScaleResourceGroup"
    "AutomationAccountName" = "<Automation_account_name>"          # Optional. Default: "WVDAutoScaleAutomationAccount"
    "Location"              = "<Azure_region_for_deployment>"
    "WorkspaceName"         = "<Log_analytics_workspace_name>"     # Optional. If specified, Log Analytics will be used to configure the custom log table that the runbook PowerShell script can send logs to
}

.\CreateOrUpdateAzAutoAccount.ps1 @Params

Note

If your policy doesn't let you create scaling script resources in a specific
region, update the policy assignment and add the region you want to the list
of allowed regions.

5. If you haven't created an automation account before, the cmdlet's output will
include an encrypted webhook URI in the automation account variable. Make sure
to keep a record of the URI because you'll use it as a parameter when you set up
the execution schedule for the Azure Logic App. If you're updating an existing
automation account, you can retrieve the webhook URI using PowerShell to access
variables.

6. If you specified the parameter WorkspaceName for Log Analytics, the cmdlet's
output will also include the Log Analytics Workspace ID and its Primary Key. Make
a note of the Workspace ID and Primary Key because you'll need to use them
again later with parameters when you set up the execution schedule for the Azure
Logic App.

7. After you've set up your Azure Automation account, sign in to your Azure
subscription and check to make sure your Azure Automation account and the
relevant runbook have appeared in your specified resource group, as shown in the
following image:

To check if your webhook is where it should be, select the name of your runbook.
Next, go to your runbook's Resources section and select Webhooks.

Create a managed identity

Now that you have an Azure Automation account, you'll also need to set up a managed
identity if you haven't already. Managed identities will help your runbook access other
Microsoft Entra related resources as well as authenticate important automation
processes.

To set up a managed identity, follow the directions in Using a system-assigned managed
identity for an Azure Automation account. Once you've created a managed identity,
assign it with appropriate contributor permissions to Azure Virtual Desktop resources
such as host pools, VMs, etc. Once you're done, return to this article and Create the
Azure Logic App and execution schedule to finish the initial setup process.

Important

As of April 1, 2023, Run As accounts no longer work. We recommend you use
managed identities instead. If you need help switching from your Run As account
to a managed identity, see Migrate from an existing Run As account to a
managed identity.

Autoscale is an alternative way to scale session host VMs and is a native feature of
Azure Virtual Desktop. We recommend you use Autoscale instead. For more
information, see Autoscale scaling plans.

Create the Azure Logic App and execution schedule
Finally, you'll need to create the Azure Logic App and set up an execution schedule for
your new scaling tool. First, download and import the Desktop Virtualization PowerShell
module to use in your PowerShell session if you haven't already.

1. Open PowerShell.

2. Run the following cmdlet to sign in to your Azure account.

PowerShell

Login-AzAccount

3. Run the following cmdlet to download the script for creating the Azure Logic App.

PowerShell

New-Item -ItemType Directory -Path "C:\Temp" -Force
Set-Location -Path "C:\Temp"
$Uri = "https://raw.githubusercontent.com/Azure/RDS-Templates/master/wvd-templates/wvd-scaling-script/CreateOrUpdateAzLogicApp.ps1"
# Download the script
Invoke-WebRequest -Uri $Uri -OutFile ".\CreateOrUpdateAzLogicApp.ps1"

4. Run the following PowerShell script to create the Azure Logic App and execution
schedule for your host pool

Note

You'll need to run this script for each host pool you want to autoscale, but you
need only one Azure Automation account.

PowerShell

$AADTenantId = (Get-AzContext).Tenant.Id

$AzSubscription = Get-AzSubscription | Out-GridView -OutputMode:Single -Title "Select your Azure Subscription"
Select-AzSubscription -Subscription $AzSubscription.Id

$ResourceGroup = Get-AzResourceGroup | Out-GridView -OutputMode:Single -Title "Select the resource group for the new Azure Logic App"
$WVDHostPool = Get-AzResource -ResourceType "Microsoft.DesktopVirtualization/hostpools" | Out-GridView -OutputMode:Single -Title "Select the host pool you'd like to scale"

$LogAnalyticsWorkspaceId = Read-Host -Prompt "If you want to use Log Analytics, enter the Log Analytics Workspace ID returned when you created the Azure Automation account, otherwise leave it blank"
$LogAnalyticsPrimaryKey = Read-Host -Prompt "If you want to use Log Analytics, enter the Log Analytics Primary Key returned when you created the Azure Automation account, otherwise leave it blank"
$RecurrenceInterval = Read-Host -Prompt "Enter how often you'd like the job to run in minutes, e.g. '15'"
$BeginPeakTime = Read-Host -Prompt "Enter the start time for peak hours in local time, e.g. 9:00"
$EndPeakTime = Read-Host -Prompt "Enter the end time for peak hours in local time, e.g. 18:00"
$TimeDifference = Read-Host -Prompt "Enter the time difference between local time and UTC in hours, e.g. +5:30"
$SessionThresholdPerCPU = Read-Host -Prompt "Enter the maximum number of sessions per CPU that will be used as a threshold to determine when new session host VMs need to be started during peak hours"
$MinimumNumberOfRDSH = Read-Host -Prompt "Enter the minimum number of session host VMs to keep running during off-peak hours"
$MaintenanceTagName = Read-Host -Prompt "Enter the name of the Tag associated with VMs you don't want to be managed by this scaling tool"
$LimitSecondsToForceLogOffUser = Read-Host -Prompt "Enter the number of seconds to wait before automatically signing out users. If set to 0, any session host VM that has user sessions will be left untouched"
$LogOffMessageTitle = Read-Host -Prompt "Enter the title of the message sent to the user before they are forced to sign out"
$LogOffMessageBody = Read-Host -Prompt "Enter the body of the message sent to the user before they are forced to sign out"

$WebhookURI = Read-Host -Prompt "Enter the webhook URI that has already been generated for this Azure Automation account. The URI is stored as encrypted in the above Automation Account variable. To retrieve the value, see https://learn.microsoft.com/azure/automation/shared-resources/variables?tabs=azure-powershell#powershell-cmdlets-to-access-variables"

$Params = @{
    "AADTenantId"                   = $AADTenantId                     # Optional. If not specified, it will use the current Azure context
    "SubscriptionID"                = $AzSubscription.Id               # Optional. If not specified, it will use the current Azure context
    "ResourceGroupName"             = $ResourceGroup.ResourceGroupName # Optional. Default: "WVDAutoScaleResourceGroup"
    "Location"                      = $ResourceGroup.Location          # Optional. Default: "West US2"
    "UseARMAPI"                     = $true
    "HostPoolName"                  = $WVDHostPool.Name
    "HostPoolResourceGroupName"     = $WVDHostPool.ResourceGroupName   # Optional. Default: same as ResourceGroupName param value
    "LogAnalyticsWorkspaceId"       = $LogAnalyticsWorkspaceId         # Optional. If not specified, script will not log to the Log Analytics
    "LogAnalyticsPrimaryKey"        = $LogAnalyticsPrimaryKey          # Optional. If not specified, script will not log to the Log Analytics
    "RecurrenceInterval"            = $RecurrenceInterval              # Optional. Default: 15
    "BeginPeakTime"                 = $BeginPeakTime                   # Optional. Default: "09:00"
    "EndPeakTime"                   = $EndPeakTime                     # Optional. Default: "17:00"
    "TimeDifference"                = $TimeDifference                  # Optional. Default: "-7:00"
    "SessionThresholdPerCPU"        = $SessionThresholdPerCPU          # Optional. Default: 1
    "MinimumNumberOfRDSH"           = $MinimumNumberOfRDSH             # Optional. Default: 1
    "MaintenanceTagName"            = $MaintenanceTagName              # Optional.
    "LimitSecondsToForceLogOffUser" = $LimitSecondsToForceLogOffUser   # Optional. Default: 1
    "LogOffMessageTitle"            = $LogOffMessageTitle              # Optional. Default: "Machine is about to shutdown."
    "LogOffMessageBody"             = $LogOffMessageBody               # Optional. Default: "Your session will be logged off. Please save and close everything."
    "WebhookURI"                    = $WebhookURI
}

.\CreateOrUpdateAzLogicApp.ps1 @Params

After you run the script, the Azure Logic App should appear in a resource group, as
shown in the following image.

To make changes to the execution schedule, such as changing the recurrence
interval or time zone, go to the Azure Logic App autoscale scheduler and select
Edit to go to the Azure Logic App Designer.

Manage your scaling tool

Now that you've created your scaling tool, you can access its output. This section
describes a few features you might find helpful.

View job status

You can view a summarized status of all runbook jobs or view a more in-depth status of
a specific runbook job in the Azure portal.

On the right of your selected Azure Automation account, under "Job Statistics," you can
view a list of summaries of all runbook jobs. Opening the Jobs page on the left side of
the window shows current job statuses, start times, and completion times.

View logs and scaling tool output

You can view the logs of scale-out and scale-in operations by opening your runbook
and selecting the job.

Navigate to the runbook in your resource group hosting the Azure Automation account
and select Overview. On the overview page, select a job under Recent Jobs to view its
scaling tool output, as shown in the following image.

Check the runbook script version number

You can check which version of the runbook script you're using by opening the runbook
file in your Azure Automation account and selecting View. A script for the runbook will
appear on the right side of the screen. In the script, you'll see the version number in the
format v#.#.# under the SYNOPSIS section. You can find the latest version number
here . If you don't see a version number in your runbook script, that means you're
running an earlier version of the script and you should update it right away. If you need
to update your runbook script, follow the instructions in Create or update an Azure
Automation account.

Reporting issues
When you report an issue, you'll need to provide the following information to help us
troubleshoot:

A complete log from the All Logs tab in the job that caused the issue. To learn how
to get the log, follow the instructions in View logs and scaling tool output. If
there's any sensitive or private information in the log, you can remove it before
submitting the issue to us.

The version of the runbook script you're using. To find out how to get the version
number, see Check the runbook script version number.

The version number of each of the following PowerShell modules installed in your
Azure Automation account. To find these modules, open Azure Automation
account, select Modules under the Shared Resources section in the pane on the
left side of the window, and then search for the module's name.

Az.Accounts
Az.Compute
Az.Resources
Az.Automation
OMSIngestionAPI
Az.DesktopVirtualization

Log Analytics
If you decided to use Log Analytics, you can view all the log data in a custom log named
WVDTenantScale_CL under Custom Logs in the Logs view of your Log Analytics
Workspace. We've listed some sample queries you might find helpful.

To see all logs for a host pool, enter the following query:

Kusto

WVDTenantScale_CL
| where hostpoolName_s == "<host_pool_name>"
| project TimeStampUTC = TimeGenerated, TimeStampLocal = TimeStamp_s,
HostPool = hostpoolName_s, LineNumAndMessage = logmessage_s,
AADTenantId = TenantId

To view the total number of currently running session host VMs and active user
sessions in your host pool, enter the following query:

Kusto

WVDTenantScale_CL
| where logmessage_s contains "Number of running session hosts:"
or logmessage_s contains "Number of user sessions:"
or logmessage_s contains "Number of user sessions per Core:"
| where hostpoolName_s == "<host_pool_name>"
| project TimeStampUTC = TimeGenerated, TimeStampLocal = TimeStamp_s,
HostPool = hostpoolName_s, LineNumAndMessage = logmessage_s,
AADTenantId = TenantId

To view the status of all session host VMs in a host pool, enter the following query:

Kusto

WVDTenantScale_CL
| where logmessage_s contains "Session host:"
| where hostpoolName_s == "<host_pool_name>"
| project TimeStampUTC = TimeGenerated, TimeStampLocal = TimeStamp_s,
HostPool = hostpoolName_s, LineNumAndMessage = logmessage_s,
AADTenantId = TenantId

To view any errors and warnings, enter the following query:

Kusto

WVDTenantScale_CL
| where logmessage_s contains "ERROR:" or logmessage_s contains "WARN:"
| project TimeStampUTC = TimeGenerated, TimeStampLocal = TimeStamp_s,
HostPool = hostpoolName_s, LineNumAndMessage = logmessage_s,
AADTenantId = TenantId

Limitations
Here are some limitations with scaling session host VMs with this scaling script:

The scaling script doesn't consider time changes between standard and daylight
savings.

Configure Start VM on Connect
Article • 10/07/2024

Start VM on Connect lets you reduce costs by enabling end users to power on the
virtual machines (VMs) used as session hosts only when they're needed. You can then
power off VMs when they're not needed.

For personal host pools, Start VM on Connect only powers on an existing session host
VM that is already assigned or can be assigned to a user. For pooled host pools, Start
VM on Connect only powers on a session host VM when none are turned on, and more
VMs are turned on only when the first VM reaches the session limit.

The time it takes for a user to connect to a remote session on a session host that is
powered off (deallocated) increases because the VM needs time to power on again,
much like turning on a physical computer. When a user uses Windows App or the
Remote Desktop app to connect to Azure Virtual Desktop, they're told a VM is being
powered on while they're connecting.

You can enable Start VM on Connect for session hosts on Azure and Azure Stack HCI in
personal or pooled host pools using the Azure portal, Azure PowerShell, or Azure CLI.
Start VM on Connect is configured per host pool.

Prerequisites
Before you can use Start VM on Connect, you need:

An existing host pool that's associated with an application group and workspace.
You can only configure Start VM on Connect on existing host pools. You can't
enable it at the same time you create a new host pool.

The Azure account you use to configure Start VM on Connect must have the
Desktop Virtualization Host Pool Contributor role-based access control (RBAC) role
assigned.

Windows App or the Remote Desktop app installed on a local device with a user
account assigned to a desktop or application in the application group you can test
with.

Make sure that the name of the host pool, session hosts in that host pool, and the
resource group only have ANSI characters.

If you want to use Azure PowerShell or Azure CLI locally, see Use Azure PowerShell
and Azure CLI with Azure Virtual Desktop to make sure you have the
Az.DesktopVirtualization PowerShell module or the desktopvirtualization Azure CLI
extension installed. Alternatively, use the Azure Cloud Shell.

Assign the Desktop Virtualization Power On Contributor role with the Azure portal

To configure Start VM on Connect, you need to assign the Desktop Virtualization Power
On Contributor role-based access control (RBAC) role to the Azure Virtual Desktop
service principal with your Azure subscription as the assignable scope. Assigning this
role at any level lower than a subscription, such as the resource group, host pool, or VM,
prevents Start VM on Connect from working properly.

You need to add each Azure subscription that contains host pools and session host VMs
you want to use with Start VM on Connect as an assignable scope. This role assignment
allows Azure Virtual Desktop to power on VMs, check their status, and report diagnostic
information for those subscriptions.

To learn how to assign the Desktop Virtualization Power On Contributor role to the Azure
Virtual Desktop service principal, see Assign RBAC roles to the Azure Virtual Desktop
service principal.

Enable or disable Start VM on Connect

Once you assign the Desktop Virtualization Power On Contributor role to the service
principal on relevant subscriptions, you can configure Start VM on Connect using the
Azure portal, Azure PowerShell, or Azure CLI.

Azure portal

To configure Start VM on Connect using the Azure portal:

1. Sign in to the Azure portal.

2. In the search bar, enter Azure Virtual Desktop and select the matching service
entry.

3. Select Host pools, then select the name of the host pool where you want to
enable the setting.

4. Select Properties.

5. In the configuration section, set Start VM on connect to Yes to enable it, or
No to disable it.

6. Select Save to apply the settings.

Note

For pooled host pools, Start VM on Connect will start a VM every five minutes at
most. If other users try to sign in during this five-minute period and there still aren't
any available resources, Start VM on Connect won't start a new VM. Instead, the
users trying to sign in will receive an error message that says, No resources
available. They should wait a few minutes and try to connect again.
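The same configuration with Azure PowerShell, as an added example that is not part of the original article: it assigns the Desktop Virtualization Power On Contributor role to the Azure Virtual Desktop service principal at subscription scope, reports any assignment of that role at a narrower scope (which the article says breaks the feature), applies the ANSI-only naming prerequisite to the host pool, resource group and session host names, and then enables the setting with Update-AzWvdHostPool from the Az.DesktopVirtualization module. The subscription ID, resource group and host pool names are placeholders, and resolving the service principal by the display name 'Azure Virtual Desktop' is an assumption about how it appears in your tenant.

```powershell
# Added example (not from the Microsoft article): enable Start VM on Connect with Azure PowerShell.
# Assumes Az.Accounts, Az.Resources and Az.DesktopVirtualization are installed and you are signed in
# (Connect-AzAccount) with rights to create role assignments on the subscription and the
# Desktop Virtualization Host Pool Contributor role on the host pool.
$SubscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder
$ResourceGroup  = 'rg-avd-example'                          # placeholder
$HostPoolName   = 'hp-pooled-example'                       # placeholder
$RoleName       = 'Desktop Virtualization Power On Contributor'
$Scope          = "/subscriptions/$SubscriptionId"

Set-AzContext -SubscriptionId $SubscriptionId | Out-Null

# Prerequisite from the article: host pool, session host and resource group names must contain
# only ANSI characters. Printable ASCII (0x20-0x7E) is used here as the conservative check.
function Test-AnsiName {
    param([Parameter(Mandatory)][string]$Name)
    return $Name -match '^[\x20-\x7E]+$'
}
foreach ($n in @($ResourceGroup, $HostPoolName)) {
    if (-not (Test-AnsiName -Name $n)) { throw "Name '$n' contains non-ANSI characters." }
}
$sessionHosts = Get-AzWvdSessionHost -ResourceGroupName $ResourceGroup -HostPoolName $HostPoolName
foreach ($sh in $sessionHosts) {
    # Session host names are returned as "<hostpool>/<fqdn>"; check the FQDN part.
    $fqdn = ($sh.Name -split '/')[-1]
    if (-not (Test-AnsiName -Name $fqdn)) { throw "Session host '$fqdn' contains non-ANSI characters." }
}

# Resolve the Azure Virtual Desktop first-party service principal by display name.
# Assumption: exactly one principal with this display name exists in the tenant.
$sp = Get-AzADServicePrincipal -DisplayName 'Azure Virtual Desktop'
if (@($sp).Count -ne 1) {
    throw "Expected one 'Azure Virtual Desktop' service principal, found $(@($sp).Count)."
}

# Assign the role at subscription scope. Idempotent: skip if the assignment already exists.
$existing = Get-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName $RoleName -Scope $Scope |
    Where-Object { $_.Scope -eq $Scope }
if (-not $existing) {
    New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName $RoleName -Scope $Scope | Out-Null
}

# Check: assignments of this role below the subscription (resource group, host pool, VM) do not
# satisfy the requirement. Without -Scope, Get-AzRoleAssignment lists all of them for this principal.
$narrow = Get-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName $RoleName |
    Where-Object { $_.Scope -like "$Scope/*" }
foreach ($a in $narrow) {
    Write-Warning "Role '$RoleName' is also assigned at a narrower scope: $($a.Scope)"
}

# Enable Start VM on Connect on the existing host pool (it cannot be set at creation time).
Update-AzWvdHostPool -ResourceGroupName $ResourceGroup -Name $HostPoolName -StartVMOnConnect:$true | Out-Null

# Confirm the setting took effect before relying on it.
$hp = Get-AzWvdHostPool -ResourceGroupName $ResourceGroup -Name $HostPoolName
if (-not $hp.StartVMOnConnect) { throw 'Start VM on Connect is still disabled on the host pool.' }
"Start VM on Connect enabled on $($hp.Name); '$RoleName' assigned to $($sp.DisplayName) at $Scope."
```

To disable the feature later, run the same Update-AzWvdHostPool call with -StartVMOnConnect:$false; the role assignment can stay in place, since it only grants the service the ability to power on VMs and read their status.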

Troubleshooting
If the session host VM doesn't power on, you need to check the health of the VM you
tried to power on as a first step. You can also view Azure Virtual Desktop logs in Log
Analytics to check for problems. If you receive an error message, make sure to pay close
attention to the message content and make a note of the error name for reference. You
can also use Azure Virtual Desktop Insights to get suggestions for how to resolve issues.

Note

If you connect to a powered-off session host outside of the Azure Virtual Desktop
service, such as by connecting directly to the VM by IP address or name, the VM
isn't started.

Related content
For more information about Start VM on Connect, see our Start VM on Connect FAQ.


Start VM on Connect FAQ
Article • 11/15/2023

This article covers frequently asked questions about the Start Virtual Machine (VM) on
Connect feature for Azure Virtual Desktop host pools.

Are VMs automatically deallocated when a user stops using them?
No. You'll need to configure additional policies to sign users out of their sessions and
run Azure automation scripts to deallocate VMs.

To configure the deallocation policy:

1. Connect remotely to the VM that you want to set the policy for.

2. Open the Group Policy Editor, then go to Local Computer Policy > Computer
Configuration > Administrative Templates > Windows Components > Remote
Desktop Services > Remote Desktop Session Host > Session Time Limits.

3. Find the policy that says Set time limit for disconnected sessions, then change its
value to Enabled.

4. After you've enabled the policy, select End a disconnected session.

Note

Make sure to set the time limit for the "End a disconnected session" policy to a
value greater than five minutes. A low time limit can cause users' sessions to end if
their network loses connection for too long, resulting in lost work.

Signing users out won't deallocate their VMs. To learn how to deallocate VMs, see
Autoscale for pooled and personal host pools.

Can users turn off the VM from their clients?
Yes. Users can shut down the VM by using the Start menu within their session, just like
they would with a physical machine. However, shutting down the VM won't deallocate
the VM. To learn how to deallocate VMs, see Autoscale for pooled and personal host
pools.

How does load balancing affect Start VM on Connect?
For pooled host pools, Start VM on Connect will wait until all virtual machines hit their
maximum session limit before turning on additional VMs.

For example, let's say your host pool has three VMs and has a maximum session limit of
five users per machine. If you turn on two VMs, Start VM on Connect won't turn on the
third machine until both VMs reach their maximum session limit of five users.

Next steps
To learn how to configure Start VM on Connect, see Start virtual machine on connect.

If you have more general questions about Azure Virtual Desktop, check out our general
FAQ.

Add the administrative template for Azure Virtual Desktop to Group Policy
Article • 09/19/2024

We've created an administrative template for Azure Virtual Desktop to configure some
features of Azure Virtual Desktop. The template is available for:

Microsoft Intune, which enables you to centrally configure session hosts that are
enrolled in Intune and joined to Microsoft Entra ID or Microsoft Entra hybrid
joined. The administrative template is available in the Intune settings catalog
without any further configuration.

Group Policy with Active Directory (AD), which enables you to centrally configure
session hosts that are joined to an AD domain.

Group Policy locally on each session host, but we don't recommend this to manage
session hosts at scale.

You can configure the following features with the administrative template:

Graphics related data logging
RDP Shortpath for managed networks
Screen capture protection
Watermarking
High Efficiency Video Coding (H.265) hardware acceleration

Prerequisites
Before you can configure the template settings, you need to meet the following
prerequisites. Select a tab for your scenario.

Group Policy (AD)

For Group Policy in an Active Directory (AD) domain, you need the following
permission:

A member of the Domain Admins security group.


Add the administrative template to Group Policy
To add the administrative template to Group Policy, select a tab for your scenario and
follow these steps.

Group Policy (AD)

1. Download the latest Azure Virtual Desktop administrative template files and
extract the contents of the .cab file and .zip archive.

2. On your domain controllers, copy the following files to the relevant location,
depending on whether you store Group Policy templates in the local
PolicyDefinitions folder or the Group Policy Central Store. Replace
contoso.com with your domain name, and en-US with your language code if you're
using a different language.

Filename: terminalserver-avd.admx
Local location: C:\Windows\PolicyDefinitions\
Central Store: \\contoso.com\SYSVOL\contoso.com\Policies\PolicyDefinitions

Filename: en-US\terminalserver-avd.adml
Local location: C:\Windows\PolicyDefinitions\en-US\
Central Store: \\contoso.com\SYSVOL\contoso.com\Policies\PolicyDefinitions\en-US

3. On a device you use to manage Group Policy, open the Group Policy
Management Console (GPMC) and create or edit a policy that targets your
session hosts.

4. To verify that the Azure Virtual Desktop administrative template is available,
browse to Computer Configuration > Policies > Administrative Templates >
Windows Components > Remote Desktop Services > Remote Desktop
Session Host > Azure Virtual Desktop. You should see policy settings for
Azure Virtual Desktop available for you to configure, as shown in the following
screenshot:

5. Refer to the feature you want to configure for detailed instructions on how to
configure the settings:

Graphics related data logging
RDP Shortpath for managed networks
Screen capture protection
Watermarking

Related content
Learn how to use the administrative template with the following features:

Graphics related data logging
Screen capture protection
RDP Shortpath for managed networks
Watermarking
High Efficiency Video Coding (H.265) hardware acceleration


Apply Zero Trust principles to an Azure
Virtual Desktop deployment
Article • 04/12/2024

This article provides steps to apply the principles of Zero Trust to an Azure Virtual
Desktop deployment in the following ways:

Zero Trust principle: Verify explicitly
Definition: Always authenticate and authorize based on all available data points.
Met by: Verify the identities and endpoints of Azure Virtual Desktop users and secure
access to session hosts.

Zero Trust principle: Use least privileged access
Definition: Limit user access with Just-In-Time and Just-Enough-Access (JIT/JEA),
risk-based adaptive policies, and data protection.
Met by: Confine access to session hosts and their data.
Storage: Protect data in all three modes: data at rest, data in transit, data in use.
Virtual networks (VNets): Specify allowed network traffic flows between hub and spoke
VNets with Azure Firewall.
Virtual machines: Use Role Based Access Control (RBAC).

Zero Trust principle: Assume breach
Definition: Minimize blast radius and segment access. Verify end-to-end encryption and
use analytics to get visibility, drive threat detection, and improve defenses.
Met by: Isolate the components of an Azure Virtual Desktop deployment.
Storage: Use Defender for Storage for automated threat detection and protection.
VNets: Prevent traffic flows between workloads with Azure Firewall.
Virtual machines: Use double encryption for end-to-end encryption, enable encryption
at host, secure maintenance for virtual machines, and Microsoft Defender for Servers
for threat detection.
Azure Virtual Desktop: Use Azure Virtual Desktop security, governance, management,
and monitoring features to improve defenses and collect session host analytics.

For more information about how to apply the principles of Zero Trust across an Azure
IaaS environment, see the Apply Zero Trust principles to Azure IaaS overview.

Reference architecture
In this article, we use the following reference architecture for Hub and Spoke to
demonstrate a commonly deployed environment and how to apply the principles of
Zero Trust for Azure Virtual Desktop with users’ access over the Internet. Azure Virtual
WAN architecture is also supported in addition to private access over a managed
network with RDP Shortpath for Azure Virtual Desktop.

[Diagram: Azure Virtual Desktop reference architecture. Panels: Internet; Azure Virtual
Desktop Control Plane (Web access, Gateway, Broker, Diagnostics); Azure Virtual Desktop
Management Plane (Workspace, Application Groups, Host Pools, Scaling Plan, Start VM on
Connect, RDP Properties); Connectivity (HUB) VNet with Bastion, Azure Firewall Premium,
VPN Gateway, DDoS Protection and custom DNS servers; Azure Virtual Desktop (SPOKE)
VNets with personal and pooled session host virtual machines, NSGs, Azure Files shares
and private endpoints; AVD Shared Services with Key Vault, DNS zone and Azure Compute
Gallery; Office location; On-premises datacenter with AD DS and Microsoft Entra Connect.
Components A to G are described in the table that follows.]

The Azure environment for Azure Virtual Desktop includes:

A: Azure Storage Services for Azure Virtual Desktop user profiles.
B: A connectivity hub VNet.
C: A spoke VNet with Azure Virtual Desktop session host virtual machine-based workloads.
D: An Azure Virtual Desktop Control Plane.
E: An Azure Virtual Desktop Management Plane.
F: Dependent PaaS services including Microsoft Entra ID, Microsoft Defender for Cloud,
role-based access control (RBAC), and Azure Monitor.
G: Azure Compute Gallery.

Users or admins that access the Azure environment can originate from the internet,
office locations, or on-premises datacenters.

The reference architecture aligns to the architecture described in the Enterprise-scale
landing zone for Azure Virtual Desktop Cloud Adoption Framework.

Logical architecture
In this diagram, the Azure infrastructure for an Azure Virtual Desktop deployment is
contained within a Microsoft Entra ID tenant.

[Diagram: Logical architecture. A Microsoft Entra ID tenant contains a management group
with RBAC and Azure policies, an Azure Virtual Desktop subscription and an Azure
connectivity subscription, monitored by Azure Virtual Desktop Insights and a Log
Analytics workspace. Resource groups: Azure Virtual Desktop (Key Vault, AVD private
endpoint, service objects); Storage account (Azure Files service, private endpoint, data
sets); Session host virtual machines (Disk Encryption Set, ASG, virtual machines); Spoke
Virtual Network (NSGs, VNet); Azure Compute Gallery (image); Hub Virtual Network (VPN
Gateway, Bastion, Azure Firewall, VNet).]

The elements of the logical architecture are:

Azure subscription for your Azure Virtual Desktop

You can distribute the resources in more than one subscription, where each
subscription may hold different roles, such as network subscription, or security
subscription. This is described in Cloud Adoption Framework and Azure Landing
Zone. The different subscriptions may also hold different environments, such as
production, development, and test environments. It depends on how you want to
separate your environment and the number of resources you have in each. One or
more subscriptions can be managed together using a Management Group. This
gives you the ability to apply permissions with RBAC and Azure policies to a group
of subscriptions instead of setting up each subscription individually.

Azure Virtual Desktop resource group

An Azure Virtual Desktop resource group isolates Key Vaults, Azure Virtual Desktop
service objects and private endpoints.

Storage resource group

A storage resource group isolates Azure Files service private endpoints and data
sets.

Session host virtual machines resource group

A dedicated resource group isolates the session host virtual machines, their Disk
Encryption Set, and an Application Security Group.

Spoke VNet resource group

A dedicated resource group isolates the spoke VNet resources and a Network
Security Group, which networking specialists in your organization can manage.

What’s in this article?

This article walks through the steps to apply the principles of Zero Trust across the Azure
Virtual Desktop reference architecture.

Step 1: Secure your identities with Zero Trust.
Zero Trust principles applied: Verify explicitly

Step 2: Secure your endpoints with Zero Trust.
Zero Trust principles applied: Verify explicitly

Step 3: Apply Zero Trust principles to Azure Virtual Desktop storage resources.
Zero Trust principles applied: Verify explicitly; Use least privileged access; Assume breach

Step 4: Apply Zero Trust principles to hub and spoke Azure Virtual Desktop VNets.
Zero Trust principles applied: Verify explicitly; Use least privileged access; Assume breach

Step 5: Apply Zero Trust principles to Azure Virtual Desktop session host.
Zero Trust principles applied: Verify explicitly; Use least privileged access; Assume breach

Step 6: Deploy security, governance, and compliance to Azure Virtual Desktop.
Zero Trust principles applied: Assume breach

Step 7: Deploy secure management and monitoring to Azure Virtual Desktop.
Zero Trust principles applied: Assume breach


Step 1: Secure your identities with Zero Trust

To apply Zero Trust principles to the identities used in Azure Virtual Desktop:

Azure Virtual Desktop supports different types of identities. Use the information in
Securing identity with Zero Trust to ensure that your chosen identity types adhere
to Zero Trust principles.
Create a dedicated user account with least privileges to join session hosts to a
Microsoft Entra Domain Services or AD DS domain during session host
deployment.

Step 2: Secure your endpoints with Zero Trust

Endpoints are the devices through which users access the Azure Virtual Desktop
environment and session host virtual machines. Use the instructions in the Endpoint
integration overview and use Microsoft Defender for Endpoint and Microsoft Endpoint
Manager to ensure that your endpoints adhere to your security and compliance
requirements.

Step 3: Apply Zero Trust principles to Azure Virtual Desktop storage resources
Implement the steps in Apply Zero Trust principles to Storage in Azure for the storage
resources being used in your Azure Virtual Desktop deployment. These steps ensure
that you:

Secure your Azure Virtual Desktop data at rest, in transit, and in use.
Verify users and control access to storage data with the least privileges.
Implement private endpoints for storage accounts.
Logically separate critical data with network controls, such as separate storage
accounts for different host pools and other purposes such as MSIX app attach
file shares.
Use Defender for Storage for automated threat protection.

Note

In some designs, Azure NetApp files is the storage service of choice for FSLogix
profiles for Azure Virtual Desktop via an SMB share. Azure NetApp Files provides
built-in security features that include delegated subnets and security benchmarks.

Step 4: Apply Zero Trust principles to hub and spoke Azure Virtual Desktop VNets
A hub VNet is a central point of connectivity for multiple spoke virtual networks.
Implement the steps in Apply Zero Trust principles to a hub virtual network in Azure for
the hub VNet being used to filter outbound traffic from your session hosts.

A spoke VNet isolates the Azure Virtual Desktop workload and contains the session host
virtual machines. Implement the steps in Apply Zero Trust principles to spoke virtual
network in Azure for the spoke VNet that contains the session host/virtual machines.

Isolate different host pools on separate VNets, using NSGs on each subnet that allow
only the URLs Azure Virtual Desktop requires. When deploying private endpoints, place
them in the appropriate subnet in the VNet based on their role.

Azure Firewall or a network virtual appliance (NVA) firewall can be used to control and
restrict outbound traffic from Azure Virtual Desktop session hosts. Use the instructions
here for Azure Firewall to protect session hosts. Force the traffic through the firewall
with User-Defined Routes (UDRs) linked to the host pool subnet. Review the full list of
required Azure Virtual Desktop URLs to configure your firewall. Azure Firewall provides
an Azure Virtual Desktop FQDN Tag to simplify this configuration.
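The UDR and FQDN-tag configuration just described, as an added Azure PowerShell example that is not part of the original article: it creates a route table with a default route to the firewall's private IP, attaches it to the host pool subnet without dropping the subnet's existing NSG, and adds an application rule for the Azure Firewall FQDN tag WindowsVirtualDesktop (the tag's real name; the article calls it the Azure Virtual Desktop FQDN Tag) to a policy-based firewall, which is what Azure Firewall Premium in the reference architecture uses. All resource group, VNet, subnet, firewall and policy names are placeholders, and the example assumes the spoke VNet, subnet, firewall and firewall policy already exist.

```powershell
# Added example (not from the Microsoft article): force session host egress through Azure Firewall
# and allow the service endpoints behind the WindowsVirtualDesktop FQDN tag.
# Assumes Az.Network is installed and you are signed in with rights on both resource groups.
$ResourceGroup = 'rg-avd-spoke-example'      # placeholder
$VNetName      = 'vnet-avd-spoke-example'    # placeholder
$SubnetName    = 'snet-hostpool-example'     # placeholder
$FirewallRg    = 'rg-connectivity-example'   # placeholder
$FirewallName  = 'afw-hub-example'           # placeholder
$PolicyName    = 'afwp-hub-example'          # placeholder
$Location      = 'westeurope'                # placeholder

# 1. The firewall's private IP is the next hop for everything the session hosts send out.
$fw   = Get-AzFirewall -ResourceGroupName $FirewallRg -Name $FirewallName
$fwIp = $fw.IpConfigurations[0].PrivateIPAddress

# 2. Route table with a default route to the firewall. BGP propagation is disabled so a default
#    route learned from on-premises over the VPN gateway cannot bypass the firewall.
$route = New-AzRouteConfig -Name 'default-to-firewall' -AddressPrefix '0.0.0.0/0' `
             -NextHopType VirtualAppliance -NextHopIpAddress $fwIp
$rt = New-AzRouteTable -ResourceGroupName $ResourceGroup -Name 'rt-hostpool-example' `
          -Location $Location -Route $route -DisableBgpRoutePropagation

# 3. Link the route table to the host pool subnet only. The subnet object is edited in place and
#    the VNet written back, so the NSG, delegations and service endpoints already on the subnet
#    are preserved (Set-AzVirtualNetworkSubnetConfig would replace them with whatever you pass).
$vnet   = Get-AzVirtualNetwork -ResourceGroupName $ResourceGroup -Name $VNetName
$subnet = $vnet.Subnets | Where-Object { $_.Name -eq $SubnetName }
if (-not $subnet) { throw "Subnet '$SubnetName' not found in $VNetName." }
$subnet.RouteTable = $rt
$vnet = $vnet | Set-AzVirtualNetwork

# 4. Application rule: HTTPS from the host pool subnet to the FQDNs behind the WindowsVirtualDesktop
#    tag (the service's control plane). The other entries in the required URL list (for example
#    activation, time sync and agent updates) still need their own rules; this is the minimum.
$rule = New-AzFirewallPolicyApplicationRule -Name 'allow-avd-fqdn-tag' `
            -SourceAddress $subnet.AddressPrefix -Protocol 'https:443' `
            -FqdnTag 'WindowsVirtualDesktop'
$coll = New-AzFirewallPolicyFilterRuleCollection -Name 'avd-app-rules' -Priority 200 `
            -Rule $rule -ActionType Allow
$policy = Get-AzFirewallPolicy -ResourceGroupName $FirewallRg -Name $PolicyName
New-AzFirewallPolicyRuleCollectionGroup -Name 'rcg-avd' -Priority 300 `
    -RuleCollection $coll -FirewallPolicyObject $policy | Out-Null

# 5. Check the result: the subnet must reference the new route table, and its default route must
#    point at the firewall. Anything else means session host traffic is leaving unfiltered.
$applied = ($vnet.Subnets | Where-Object { $_.Name -eq $SubnetName }).RouteTable.Id
if ($applied -ne $rt.Id) { throw 'Route table is not associated with the host pool subnet.' }
$default = (Get-AzRouteTable -ResourceGroupName $ResourceGroup -Name $rt.Name).Routes |
    Where-Object { $_.AddressPrefix -eq '0.0.0.0/0' }
if ($default.NextHopIpAddress -ne $fwIp) { throw 'Default route does not point at the firewall.' }
"Subnet $SubnetName routes 0.0.0.0/0 via Azure Firewall $fwIp; FQDN tag rule added to $PolicyName."
```

If the firewall runs on classic rules rather than a firewall policy, the equivalent is New-AzFirewallApplicationRule with the same -FqdnTag value added to an application rule collection on the firewall object; the route table and subnet association are unchanged.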

Step 5: Apply Zero Trust principles to Azure Virtual Desktop session hosts
Session hosts are virtual machines that run inside a spoke VNet. Implement the steps in
Apply Zero Trust principles to virtual machines in Azure for the virtual machines being
created for your session hosts.

Host pools should have separated organizational units (OUs) if managed by group
policies on Active Directory Domain Services (AD DS).

Microsoft Defender for Endpoint is an enterprise endpoint security platform designed to
help enterprise networks prevent, detect, investigate, and respond to advanced threats.
You can use Microsoft Defender for Endpoint for session hosts. For more information,
see virtual desktop infrastructure (VDI) devices.

Step 6: Deploy security, governance, and compliance to Azure Virtual Desktop
The Azure Virtual Desktop service allows you to use Azure Private Link to privately
connect to your resources by creating private endpoints.

Azure Virtual Desktop has built-in advanced security features to protect session hosts.
However, see the following articles to improve the security defenses of your Azure
Virtual Desktop environment and session hosts:

Azure Virtual Desktop security best practices
Azure security baseline for Azure Virtual Desktop

In addition, see the key design considerations and recommendations for security,
governance, and compliance in Azure Virtual Desktop landing zones in accordance with
Microsoft's Cloud Adoption Framework.

Step 7: Deploy secure management and monitoring to Azure Virtual Desktop
Management and continuous monitoring are important to ensure that your Azure
Virtual Desktop environment is not engaging in malicious behavior. Use Azure Virtual
Desktop Insights to log data and report diagnostic and usage data.

See these additional articles:

Review recommendations from Azure Advisor for Azure Virtual Desktop.
Use Microsoft Intune for granular policy management.
Review and set RDP Properties for granular settings on a host pool level.

Recommended training

Training: Secure an Azure Virtual Desktop deployment
Learn about the Microsoft security capabilities that help keep your applications
and data secure in your Microsoft Azure Virtual Desktop deployment.

Training: Protect your Azure Virtual Desktop deployment by using Azure
Deploy Azure Firewall, route all network traffic through Azure Firewall, and
configure rules. Route the outbound network traffic from the Azure Virtual Desktop
host pool to the service through Azure Firewall.

Training: Manage access and security for Azure Virtual Desktop
Learn how to plan and implement Azure roles for Azure Virtual Desktop and
implement Conditional Access policies for remote connections. This learning
path aligns with exam AZ-140: Configuring and Operating Microsoft Azure
Virtual Desktop.

Training: Design for user identities and profiles
Your users require access to those applications both on-premises and in the cloud.
You use the Remote Desktop client for Windows Desktop to access Windows apps
and desktops remotely from a different Windows device.

For more training on security in Azure, see these resources in the Microsoft catalog:
Security in Azure

Next Steps
See these additional articles for applying Zero Trust principles to Azure:

Azure IaaS overview
Azure storage
Virtual machines
Spoke virtual networks
Spoke virtual networks with Azure PaaS services
Hub virtual networks
Azure Virtual WAN
IaaS applications in Amazon Web Services
Microsoft Sentinel and Microsoft Defender XDR

Technical illustrations
You can download the illustrations used in this article. Use the Visio file to modify these
illustrations for your own use.

PDF | Visio

For additional technical illustrations, click here.

References
Refer to the links below to learn about the various services and technologies mentioned
in this article.

What is Azure - Microsoft Cloud Services
Azure Infrastructure as a Service (IaaS)
Virtual Machines (VMs) for Linux and Windows
Introduction to Azure Storage - Cloud storage on Azure
Azure Virtual Network
Introduction to Azure security
Zero Trust implementation guidance
Overview of the Microsoft cloud security benchmark
Security baselines for Azure overview
Building the first layer of defense with Azure security services - Azure Architecture
Center
Microsoft Cybersecurity Reference Architectures - Security documentation

Azure security baseline for Azure Virtual
Desktop
Article • 09/20/2023

This security baseline applies guidance from the Microsoft cloud security benchmark
version 1.0 to Azure Virtual Desktop. The Microsoft cloud security benchmark provides
recommendations on how you can secure your cloud solutions on Azure. The content is
grouped by the security controls defined by the Microsoft cloud security benchmark and
the related guidance applicable to Azure Virtual Desktop.

You can monitor this security baseline and its recommendations using Microsoft
Defender for Cloud. Azure Policy definitions will be listed in the Regulatory Compliance
section of the Microsoft Defender for Cloud portal page.

When a feature has relevant Azure Policy Definitions, they are listed in this baseline to
help you measure compliance with the Microsoft cloud security benchmark controls and
recommendations. Some recommendations may require a paid Microsoft Defender plan
to enable certain security scenarios.

Note

Features not applicable to Azure Virtual Desktop have been excluded. To see how
Azure Virtual Desktop completely maps to the Microsoft cloud security benchmark,
see the full Azure Virtual Desktop security baseline mapping file .

Security profile
The security profile summarizes high-impact behaviors of Azure Virtual Desktop, which
may result in increased security considerations.

Product Category: Virtual Desktop
Customer can access HOST / OS: Full Access
Service can be deployed into customer's virtual network: False
Stores customer content at rest: False


Network security
For more information, see the Microsoft cloud security benchmark: Network security.

NS-1: Establish network segmentation boundaries

Features

Virtual Network Integration

Description: Service supports deployment into customer's private Virtual Network
(VNet). Learn more.

Supported: True | Enabled By Default: False | Configuration Responsibility: Customer

Feature notes: Virtual machines within the host pool must be placed in a virtual
network.

Configuration Guidance: Deploy the service into a virtual network. Assign private IPs to
the resource (where applicable) unless there is a strong reason to assign public IPs
directly to the resource.

Reference: Tutorial: Create a host pool

Network Security Group Support

Description: Service network traffic respects Network Security Groups rule assignment
on its subnets. Learn more.

Supported: True | Enabled By Default: False | Configuration Responsibility: Customer

Feature notes: Virtual machines used within the host pool support use of network
security groups.
Configuration Guidance: Use network security groups (NSG) to restrict or monitor traffic
by port, protocol, source IP address, or destination IP address. Create NSG rules to
restrict your service's open ports (such as preventing management ports from being
accessed from untrusted networks). Be aware that by default, NSGs deny all inbound
traffic but allow traffic from virtual network and Azure Load Balancers.

Reference: Tutorial: Create a host pool

NS-2: Secure cloud services with network controls

Features

Azure Private Link

Description: Service native IP filtering capability for filtering network traffic (not to be
confused with NSG or Azure Firewall). Learn more.

Supported: True | Enabled By Default: False | Configuration Responsibility: Customer

Feature notes: Private link with Azure Virtual Desktop is currently in preview.

Configuration Guidance: Deploy private endpoints for all Azure resources that support
the Private Link feature, to establish a private access point for the resources.

Reference: Use Azure Private Link with Azure Virtual Desktop (preview)

Disable Public Network Access

Description: Service supports disabling public network access either through using
service-level IP ACL filtering rule (not NSG or Azure Firewall) or using a 'Disable Public
Network Access' toggle switch. Learn more.

Supported: False | Enabled By Default: Not Applicable | Configuration Responsibility: Not Applicable

Configuration Guidance: This feature is not supported to secure this service.


Identity management
For more information, see the Microsoft cloud security benchmark: Identity management.

IM-1: Use centralized identity and authentication system

Features

Azure AD Authentication Required for Data Plane Access

Description: Service supports using Azure AD authentication for data plane access.
Learn more.

Supported: True | Enabled By Default: False | Configuration Responsibility: Customer

Configuration Guidance: Use Azure Active Directory (Azure AD) as the default
authentication method to control your data plane access.

Reference: Azure AD join for Azure Virtual Desktop

IM-3: Manage application identities securely and automatically

Features

Managed Identities

Description: Data plane actions support authentication using managed identities. Learn
more.

Supported: True | Enabled By Default: False | Configuration Responsibility: Customer


Configuration Guidance: Use Azure managed identities instead of service principals
when possible, which can authenticate to Azure services and resources that support
Azure Active Directory (Azure AD) authentication. Managed identity credentials are fully
managed, rotated, and protected by the platform, avoiding hard-coded credentials in
source code or configuration files.

Reference: Set up managed identities

Service Principals

Description: Data plane supports authentication using service principals. Learn more.

Supported: True | Enabled By Default: False | Configuration Responsibility: Customer

Configuration Guidance: There is no current Microsoft guidance for this feature
configuration. Please review and determine if your organization wants to configure this
security feature.

Reference: Tutorial: Create service principals and role assignments with PowerShell in
Azure Virtual Desktop (classic)

IM-7: Restrict resource access based on conditions

Features

Conditional Access for Data Plane

Description: Data plane access can be controlled using Azure AD Conditional Access
Policies. Learn more.

Supported: True | Enabled By Default: False | Configuration Responsibility: Customer

Configuration Guidance: Define the applicable conditions and criteria for Azure Active
Directory (Azure AD) conditional access in the workload. Consider common use cases
such as blocking or granting access from specific locations, blocking risky sign-in
behavior, or requiring organization-managed devices for specific applications.

Reference: Enable Conditional Access

IM-8: Restrict the exposure of credential and secrets

Features

Service Credential and Secrets Support Integration and Storage in Azure Key Vault

Description: Data plane supports native use of Azure Key Vault for credential and secrets
store. Learn more.

Supported: False | Enabled By Default: Not Applicable | Configuration Responsibility: Not Applicable

Configuration Guidance: This feature is not supported to secure this service.

Privileged access
For more information, see the Microsoft cloud security benchmark: Privileged access.

PA-1: Separate and limit highly privileged/administrative users

Features

Local Admin Accounts

Description: Service has the concept of a local administrative account. Learn more.

Supported: True | Enabled By Default: False | Configuration Responsibility: Customer

Feature notes: A local virtual machine administrator account is created for virtual
machines that are added to the host pool. Avoid the usage of local authentication
methods or accounts, these should be disabled wherever possible. Instead use Azure AD
to authenticate where possible.

Configuration Guidance: If not required for routine administrative operations, disable or
restrict any local admin accounts for only emergency use.

PA-7: Follow just enough administration (least privilege) principle

Features

Azure RBAC for Data Plane

Description: Azure Role-Based Access Control (Azure RBAC) can be used to manage
access to service's data plane actions. Learn more.

Supported: True | Enabled By Default: False | Configuration Responsibility: Customer

Configuration Guidance: Use Azure role-based access control (Azure RBAC) to manage
Azure resource access through built-in role assignments. Azure RBAC roles can be
assigned to users, groups, service principals, and managed identities.

Reference: Built-in Azure RBAC roles for Azure Virtual Desktop

PA-8: Determine access process for cloud provider support

Features

Customer Lockbox
Description: Customer Lockbox can be used for Microsoft support access. Learn more.

Supported: False | Enabled By Default: Not Applicable | Configuration Responsibility: Not Applicable

Configuration Guidance: This feature is not supported to secure this service.

Data protection
For more information, see the Microsoft cloud security benchmark: Data protection.

DP-1: Discover, classify, and label sensitive data

Features

Sensitive Data Discovery and Classification

Description: Tools (such as Azure Purview or Azure Information Protection) can be used
for data discovery and classification in the service. Learn more.

Supported | Enabled By Default | Configuration Responsibility
True | False | Customer

Feature notes: Use Azure Information Protection (and its associated scanning tool) for
sensitive information within Office documents on Azure, on-premises, Office 365 and
other locations.

Configuration Guidance: Use tools such as Azure Purview, Azure Information Protection,
and Azure SQL Data Discovery and Classification to centrally scan, classify and label any
sensitive data that resides in Azure, on-premises, Microsoft 365, or other locations.

DP-2: Monitor anomalies and threats targeting sensitive data

Features

Data Leakage/Loss Prevention

Description: Service supports DLP solution to monitor sensitive data movement (in
customer's content). Learn more.

Supported | Enabled By Default | Configuration Responsibility
True | False | Microsoft

Feature notes: Use data loss prevention solutions, such as host-based ones, to enforce
detective and/or preventative controls to prevent data exfiltration.

Solutions such as DLP for Microsoft Azure may also be used for your Virtual Desktop
environment. For more information, see Data Loss Prevention (DLP) for Microsoft Azure.
Azure Information Protection (AIP) provides monitoring capabilities for information that
has been classified and labeled.

Configuration Guidance: If required for compliance of data loss prevention (DLP), you
can use a host based DLP solution from Azure Marketplace or a Microsoft 365 DLP
solution to enforce detective and/or preventative controls to prevent data exfiltration.

DP-3: Encrypt sensitive data in transit

Features

Data in Transit Encryption

Description: Service supports data in-transit encryption for data plane. Learn more.

Supported | Enabled By Default | Configuration Responsibility
True | True | Microsoft

Configuration Guidance: No additional configurations are required as this is enabled on
a default deployment.

Reference: Networking

DP-4: Enable data at rest encryption by default

Features

Data at Rest Encryption Using Platform Keys

Description: Data at-rest encryption using platform keys is supported, any customer
content at rest is encrypted with these Microsoft managed keys. Learn more.

Supported | Enabled By Default | Configuration Responsibility
True | True | Microsoft

Configuration Guidance: No additional configurations are required as this is enabled on
a default deployment.

Reference: Data protection

DP-5: Use customer-managed key option in data at rest encryption when required

Features

Data at Rest Encryption Using CMK

Description: Data at-rest encryption using customer-managed keys is supported for
customer content stored by the service. Learn more.

Supported | Enabled By Default | Configuration Responsibility
False | Not Applicable | Not Applicable

Configuration Guidance: This feature is not supported to secure this service.

DP-6: Use a secure key management process

Features

Key Management in Azure Key Vault

Description: The service supports Azure Key Vault integration for any customer keys,
secrets, or certificates. Learn more.

Supported | Enabled By Default | Configuration Responsibility
False | Not Applicable | Not Applicable

Configuration Guidance: This feature is not supported to secure this service.

DP-7: Use a secure certificate management process

Features

Certificate Management in Azure Key Vault

Description: The service supports Azure Key Vault integration for any customer
certificates. Learn more.

Supported | Enabled By Default | Configuration Responsibility
False | Not Applicable | Not Applicable

Configuration Guidance: This feature is not supported to secure this service.

Asset management
For more information, see the Microsoft cloud security benchmark: Asset management.

AM-2: Use only approved services

Features

Azure Policy Support

Description: Service configurations can be monitored and enforced via Azure Policy.
Learn more.

Supported | Enabled By Default | Configuration Responsibility
True | False | Customer

Configuration Guidance: Use Microsoft Defender for Cloud to configure Azure Policy to
audit and enforce configurations of your Azure resources. Use Azure Monitor to create
alerts when there is a configuration deviation detected on the resources. Use Azure
Policy [deny] and [deploy if not exists] effects to enforce secure configuration across
Azure resources.

Reference: Azure security baseline for Azure Virtual Desktop

AM-5: Use only approved applications in virtual machine

Features

Microsoft Defender for Cloud - Adaptive Application Controls

Description: Service can limit what customer applications run on the virtual machine
using Adaptive Application Controls in Microsoft Defender for Cloud. Learn more.

Supported | Enabled By Default | Configuration Responsibility
False | Not Applicable | Not Applicable

Feature notes: Though Adaptive Application Control through Microsoft Defender for
Cloud is not supported, when choosing a deployment model, you can either provide
remote users access to entire virtual desktops or only select applications. Remote
applications, or RemoteApps, provide a seamless experience as the user works with apps
on their virtual desktop. RemoteApps reduce risk by only letting the user work with a
subset of the remote machine exposed by the application.

For more information, please visit: Use Remote Apps

Configuration Guidance: This feature is not supported to secure this service.


Logging and threat detection
For more information, see the Microsoft cloud security benchmark: Logging and threat
detection.

LT-1: Enable threat detection capabilities

Features

Microsoft Defender for Service / Product Offering

Description: Service has an offering-specific Microsoft Defender solution to monitor and
alert on security issues. Learn more.

Supported | Enabled By Default | Configuration Responsibility
True | False | Customer

Configuration Guidance: Use Azure Active Directory (Azure AD, now Microsoft Entra ID) as
the default authentication method to control your management plane access. Onboard your
session hosts to Microsoft Defender for Endpoint (see the reference below), and when
Microsoft Defender raises an alert for a session host, investigate and respond to it.

Reference: Onboard Windows devices in Azure Virtual Desktop

LT-4: Enable logging for security investigation

Features

Azure Resource Logs

Description: Service produces resource logs that can provide enhanced service-specific
metrics and logging. The customer can configure these resource logs and send them to
their own data sink like a storage account or log analytics workspace. Learn more.

Supported | Enabled By Default | Configuration Responsibility
True | False | Customer


Configuration Guidance: Enable resource logs for the service. For example, Key Vault
supports additional resource logs for actions that get a secret from a key vault, and
Azure SQL has resource logs that track requests to a database. The content of resource
logs varies by the Azure service and resource type.

Reference: Push diagnostics data to your workspace
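For Azure Virtual Desktop the resource logs live on the host pool (and on workspaces and application groups), and the category list grows over time, so a diagnostic setting that hard-codes categories silently misses new ones. The following script is an added example, not part of the baseline; it assumes Az.Accounts and Az.Monitor 3.0 or later (earlier Az.Monitor versions used a different -Category parameter shape on New-AzDiagnosticSetting), an existing Connect-AzAccount session, and the placeholder host pool and workspace resource IDs shown. It asks the host pool which log categories it supports, enables all of them into a Log Analytics workspace, and then reads the setting back to confirm none were dropped.

```powershell
# Added example (not from the baseline): send every host pool resource log category to a
# Log Analytics workspace, discovering categories rather than hard-coding them.
# Requires Az.Accounts and Az.Monitor 3.0+. Resource IDs below are placeholders.
$hostPoolId  = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-avd-prod/providers/Microsoft.DesktopVirtualization/hostPools/hp-finance"
$workspaceId = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-avd-prod/providers/Microsoft.OperationalInsights/workspaces/law-avd"
$settingName = "avd-security-logs"

function Enable-AllResourceLogs {
    param(
        [Parameter(Mandatory)] [string] $ResourceId,
        [Parameter(Mandatory)] [string] $WorkspaceResourceId,
        [Parameter(Mandatory)] [string] $Name
    )
    # Ask the resource which log categories it supports (metrics are excluded here).
    $categories = Get-AzDiagnosticSettingCategory -ResourceId $ResourceId |
        Where-Object { $_.CategoryType -eq "Logs" }
    if (-not $categories) { throw "No log categories reported for $ResourceId" }

    $logSettings = foreach ($c in $categories) {
        New-AzDiagnosticSettingLogSettingsObject -Category $c.Name -Enabled $true
    }

    # Creates the setting, or updates it if one with this name already exists.
    New-AzDiagnosticSetting -Name $Name -ResourceId $ResourceId -WorkspaceId $WorkspaceResourceId -Log $logSettings | Out-Null

    # Verify: compare what the resource supports with what is now enabled.
    $applied = Get-AzDiagnosticSetting -ResourceId $ResourceId -Name $Name
    $enabled = $applied.Log | Where-Object { $_.Enabled } | ForEach-Object { $_.Category }
    $missing = $categories.Name | Where-Object { $_ -notin $enabled }

    [pscustomobject]@{
        Setting   = $Name
        Supported = $categories.Name
        Enabled   = $enabled
        Missing   = $missing
    }
}

$result = Enable-AllResourceLogs -ResourceId $hostPoolId -WorkspaceResourceId $workspaceId -Name $settingName
if ($result.Missing) {
    Write-Warning "Categories not enabled on $($result.Setting): $($result.Missing -join ', ')"
} else {
    Write-Host "All $($result.Supported.Count) log categories enabled on $($result.Setting): $($result.Enabled -join ', ')"
}
```

Run the same function against the workspace and application group resource IDs as well; the Connection, HostRegistration and Error categories on the host pool are the ones an investigator will reach for first, but the management-plane categories on the other objects record who changed what.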

Posture and vulnerability management
For more information, see the Microsoft cloud security benchmark: Posture and
vulnerability management.

PV-3: Define and establish secure configurations for compute resources

Features

Azure Automation State Configuration

Description: Azure Automation State Configuration can be used to maintain the security
configuration of the operating system. Learn more.

Supported | Enabled By Default | Configuration Responsibility
False | Not Applicable | Not Applicable

Configuration Guidance: This feature is not supported to secure this service.

Azure Policy Guest Configuration Agent

Description: Azure Policy guest configuration agent can be installed or deployed as an
extension to compute resources. Learn more.

Supported | Enabled By Default | Configuration Responsibility
False | Not Applicable | Not Applicable


Configuration Guidance: This feature is not supported to secure this service.

Custom VM Images

Description: Service supports using user-supplied VM images or pre-built images from
the marketplace with certain baseline configurations pre-applied. Learn more.

Supported | Enabled By Default | Configuration Responsibility
True | False | Customer

Configuration Guidance: Use a pre-configured hardened image from a trusted supplier
such as Microsoft, or build a desired secure configuration baseline into the VM image
template.

Reference: Operating systems and licenses

Custom Containers Images

Description: Service supports using user-supplied container images or pre-built images
from the marketplace with certain baseline configurations pre-applied. Learn more.

Supported | Enabled By Default | Configuration Responsibility
False | Not Applicable | Not Applicable

Configuration Guidance: This feature is not supported to secure this service.

PV-5: Perform vulnerability assessments

Features

Vulnerability Assessment using Microsoft Defender

Description: Service can be scanned for vulnerabilities using Microsoft Defender for
Cloud or the embedded vulnerability assessment capability of other Microsoft Defender
services (including Microsoft Defender for Servers, container registries, App Service,
SQL, and DNS). Learn more.

Supported | Enabled By Default | Configuration Responsibility
True | False | Customer

Configuration Guidance: Follow recommendations from Microsoft Defender for Cloud
for performing vulnerability assessments on your Azure virtual machines, container
images, and SQL servers.

Reference: Enable Microsoft Defender for Cloud

PV-6: Rapidly and automatically remediate vulnerabilities

Features

Azure Automation Update Management

Description: Service can use Azure Automation Update Management to deploy patches
and updates automatically. Learn more.

Supported | Enabled By Default | Configuration Responsibility
False | Not Applicable | Not Applicable

Configuration Guidance: This feature is not supported to secure this service.

Endpoint security
For more information, see the Microsoft cloud security benchmark: Endpoint security.

ES-1: Use Endpoint Detection and Response (EDR)

Features

EDR Solution

Description: Endpoint Detection and Response (EDR) feature such as Azure Defender for
servers can be deployed into the endpoint. Learn more.

Supported | Enabled By Default | Configuration Responsibility
True | False | Customer

Configuration Guidance: Azure Defender for servers (with Microsoft Defender for
Endpoint integrated) provides EDR capability to prevent, detect, investigate, and
respond to advanced threats. Use Microsoft Defender for Cloud to deploy Azure
Defender for servers for your endpoint and integrate the alerts to your SIEM solution
such as Azure Sentinel.

Reference: Enable endpoint protection

ES-2: Use modern anti-malware software

Features

Anti-Malware Solution

Description: Anti-malware feature such as Microsoft Defender Antivirus or Microsoft
Defender for Endpoint can be deployed on the endpoint. Learn more.

Supported | Enabled By Default | Configuration Responsibility
True | False | Customer

Configuration Guidance: For Windows Server 2016 and above, Microsoft Defender
Antivirus is installed by default. For Windows Server 2012 R2 and above, customers can
install SCEP (System Center Endpoint Protection). For Linux, customers have the choice of
installing Microsoft Defender for Linux. Alternatively, customers also have the choice of
installing third-party anti-malware products.

Reference: Enable Microsoft Defender for Cloud

ES-3: Ensure anti-malware software and signatures are updated

Features

Anti-Malware Solution Health Monitoring

Description: Anti-malware solution provides health status monitoring for platform,
engine, and automatic signature updates. Learn more.

Supported | Enabled By Default | Configuration Responsibility
True | False | Customer

Configuration Guidance: Configure your anti-malware solution to ensure the platform,
engine and signatures are updated rapidly and consistently and their status can be
monitored.

Reference: Enable Microsoft Defender for Cloud

Backup and recovery
For more information, see the Microsoft cloud security benchmark: Backup and recovery.

BR-1: Ensure regular automated backups

Features

Azure Backup

Description: The service can be backed up by the Azure Backup service. Learn more.

Supported | Enabled By Default | Configuration Responsibility
True | False | Customer

Configuration Guidance: Enable Azure Backup and configure the backup source (such
as Azure Virtual Machines, SQL Server, HANA databases, or File Shares) on a desired
frequency and with a desired retention period. For Azure Virtual Machines, you can use
Azure Policy to enable automatic backups.

Reference: How does Azure Virtual Desktop handle backups?


Service Native Backup Capability

Description: Service supports its own native backup capability (if not using Azure
Backup). Learn more.

Supported | Enabled By Default | Configuration Responsibility
False | Not Applicable | Not Applicable

Feature notes: Azure Virtual Desktop leverages Azure Backup.

Configuration Guidance: This feature is not supported to secure this service.

Next steps
See the Microsoft cloud security benchmark overview
Learn more about Azure security baselines

Enable screen capture protection in Azure Virtual Desktop
Article • 06/28/2024

Screen capture protection, alongside watermarking, helps prevent sensitive information
from being captured on client endpoints through a specific set of operating system (OS)
features and Application Programming Interfaces (APIs). When you enable screen
capture protection, remote content is automatically blocked in screenshots and screen
sharing. You can configure screen capture protection using Microsoft Intune or Group
Policy on your session hosts.

There are two supported scenarios for screen capture protection, depending on the
version of Windows you're using:

Block screen capture on client: the session host instructs a supported Remote
Desktop client to enable screen capture protection for a remote session. This
option prevents screen capture from the client of applications running in the
remote session.

Block screen capture on client and server: the session host instructs a supported
Remote Desktop client to enable screen capture protection for a remote session.
This option prevents screen capture from the client of applications running in the
remote session, but also prevents tools and services within the session host from
capturing the screen.

When screen capture protection is enabled, users can't share their Remote Desktop
window using local collaboration software, such as Microsoft Teams. With Teams, neither
the local Teams app or using Teams with media optimization can share protected
content.

 Tip

To increase the security of your sensitive information, you should also disable
clipboard, drive, and printer redirection. Disabling redirection helps prevent
users from copying content from the remote session. To learn about
supported redirection values, see Device redirection.
To discourage other methods of screen capture, such as taking a photo of a
screen with a physical camera, you can enable watermarking, where admins
can use a QR code to trace the session.
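Screen capture protection only closes the screen path; clipboard, drive and printer redirection are separate exfiltration paths, and in Azure Virtual Desktop they are controlled by the host pool's custom RDP properties. The following script is an added example, not part of this article; it assumes the Az.DesktopVirtualization module, an existing Connect-AzAccount session, and the placeholder host pool and resource group names shown. It merges the hardened values into whatever RDP properties the host pool already has (so unrelated properties survive), applies them, and reads the result back.

```powershell
# Added example (not from the page): disable clipboard, drive and printer redirection on a
# host pool via its custom RDP properties, preserving unrelated properties, then verify.
# Requires Az.DesktopVirtualization. Host pool and resource group names are placeholders.
$resourceGroup = "rg-avd-prod"   # placeholder
$hostPool      = "hp-finance"    # placeholder

# Desired state: no clipboard, no mapped drives, no printers from the client.
# RDP property syntax is name:type:value; the key is the name, the value is "type:value".
$hardened = @{
    "redirectclipboard" = "i:0"
    "drivestoredirect"  = "s:"
    "redirectprinters"  = "i:0"
}

function Merge-RdpProperties {
    # Returns the existing semicolon-separated property string with the override values
    # applied, keeping every property that is not overridden exactly as it was.
    param([string] $Current, [hashtable] $Override)
    $map = [ordered]@{}
    foreach ($item in ($Current -split ";")) {
        if ($item -match '^(?<k>[^:]+):(?<v>.*)$') { $map[$matches.k] = $matches.v }
    }
    foreach ($k in $Override.Keys) { $map[$k] = $Override[$k] }
    ($map.GetEnumerator() | ForEach-Object { "$($_.Key):$($_.Value)" }) -join ";"
}

function Test-RdpProperties {
    # Returns the list of expected "name:type:value" entries missing from the applied string.
    param([string] $Applied, [hashtable] $Expected)
    foreach ($k in $Expected.Keys) {
        $entry = "${k}:$($Expected[$k])"
        if ($Applied -notmatch ("(^|;)" + [regex]::Escape($entry) + "(;|$)")) { $entry }
    }
}

$current = (Get-AzWvdHostPool -ResourceGroupName $resourceGroup -Name $hostPool).CustomRdpProperty
$new     = Merge-RdpProperties -Current $current -Override $hardened
Update-AzWvdHostPool -ResourceGroupName $resourceGroup -Name $hostPool -CustomRdpProperty $new | Out-Null

$applied = (Get-AzWvdHostPool -ResourceGroupName $resourceGroup -Name $hostPool).CustomRdpProperty
$missing = Test-RdpProperties -Applied $applied -Expected $hardened
if ($missing) { Write-Warning "Not applied: $($missing -join ', ')" } else { Write-Host "Redirection hardened: $applied" }
```

Group Policy or Intune settings on the session host can still override these values in the restrictive direction; the host pool property is the floor that applies to every client connecting through the service.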

Prerequisites
Your session hosts must be running one of the following versions of Windows to
use screen capture protection:
Block screen capture on client is available with a supported version of Windows
10 or Windows 11.
Block screen capture on client and server is available starting with Windows 11,
version 22H2.

Users must connect to Azure Virtual Desktop with Windows App or the Remote
Desktop app to use screen capture protection. The following table shows
supported scenarios. If a user tries to connect with a different app or version, the
connection is denied and shows an error message with the code 0x1151.

App | Version | Desktop session | RemoteApp session
Windows App on Windows | Any | Yes | Yes. Client device OS must be Windows 11, version 22H2 or later.
Remote Desktop client on Windows | 1.2.1672 or later | Yes | Yes. Client device OS must be Windows 11, version 22H2 or later.
Azure Virtual Desktop Store app | Any | Yes | Yes. Client device OS must be Windows 11, version 22H2 or later.
Windows App on macOS | Any | Yes | Yes
Remote Desktop client on macOS | 10.7.0 or later | Yes | Yes

To configure Microsoft Intune, you need:

Microsoft Entra ID account that is assigned the Policy and Profile manager built-
in RBAC role.

A group containing the devices you want to configure.


To configure Group Policy, you need:

A domain account that is a member of the Domain Admins security group.

A security group or organizational unit (OU) containing the devices you want to
configure.

Enable screen capture protection

Screen capture protection is configured on session hosts and enforced by the client.
Select the relevant tab for your scenario.

Microsoft Intune

To configure screen capture protection using Microsoft Intune:

1. Sign in to the Microsoft Intune admin center .

2. Create or edit a configuration profile for Windows 10 and later devices, with
the Settings catalog profile type.

3. In the settings picker, browse to Administrative templates > Windows
Components > Remote Desktop Services > Remote Desktop Session Host >
Azure Virtual Desktop.

4. Check the box for Enable screen capture protection, then close the settings
picker.

5. Expand the Administrative templates category, then toggle the switch for
Enable screen capture protection to Enabled.


6. Toggle the switch for Screen Capture Protection Options (Device) to off for
Block screen capture on client, or on for Block screen capture on client and
server based on your requirements, then select OK.

7. Select Next.

8. Optional: On the Scope tags tab, select a scope tag to filter the profile. For
more information about scope tags, see Use role-based access control (RBAC)
and scope tags for distributed IT.

9. On the Assignments tab, select the group containing the computers providing
a remote session you want to configure, then select Next.

10. On the Review + create tab, review the settings, then select Create.

11. Once the policy applies to the computers providing a remote session, restart
them for the settings to take effect.

Verify screen capture protection

To verify screen capture protection is working:

1. Connect to a remote session with a supported client.

2. Take a screenshot or share your screen in a Teams call or meeting. The content
should be blocked or hidden. Any existing sessions need to sign out and back in
again for the change to take effect.
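The screenshot test above confirms the client side; on a fleet you also want to confirm what each session host actually received from Intune or Group Policy before users report errors. The following script is an added example, not part of this article, intended to be run locally on a session host. It reads the Remote Desktop Services policy registry value that backs the "Enable screen capture protection" setting. The key path and value name fEnableScreenCaptureProtect come from the Remote Desktop Services policy backing (which was documented as the manual way to enable this feature before the Intune and Group Policy settings existed); the mapping of value 2 to "Block screen capture on client and server" is an assumption that you should confirm on your build, and the Windows 11 22H2 build threshold (22621) is used to flag hosts that cannot honour that mode.

```powershell
# Added example (not from the page): run on a session host to report the effective screen
# capture protection mode. Key path and value name are from the RDS policy backing;
# the meaning of value 2 is an ASSUMPTION to verify against your build.
$policyKey = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
$valueName = "fEnableScreenCaptureProtect"

function Get-ScreenCaptureProtectionMode {
    param([string] $Key = $policyKey, [string] $Name = $valueName)
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{ Value = $null; Mode = "Not configured" }
    }
    $value = [int] $item.$Name
    $mode = switch ($value) {
        0       { "Disabled" }
        1       { "Block screen capture on client" }
        2       { "Block screen capture on client and server (assumed mapping)" }
        default { "Unknown value" }
    }
    [pscustomobject]@{ Value = $value; Mode = $mode }
}

function Test-ScreenCaptureProtectionSupport {
    # Returns warnings for configurations this host cannot honour; empty output means OK.
    param([pscustomobject] $Result, [int] $OsBuild)
    if ($null -eq $Result.Value) {
        "Policy not applied yet; confirm the Intune profile assignment, then restart the host."
    }
    # Client-and-server mode requires Windows 11, version 22H2 (build 22621) or later.
    if ($Result.Value -eq 2 -and $OsBuild -lt 22621) {
        "Client-and-server mode is configured but build $OsBuild does not support it; the setting will not take effect here."
    }
}

$result  = Get-ScreenCaptureProtectionMode
$osBuild = [System.Environment]::OSVersion.Version.Build
Write-Host "Session host build $osBuild : $($result.Mode) (value=$($result.Value))"
Test-ScreenCaptureProtectionSupport -Result $result -OsBuild $osBuild | ForEach-Object { Write-Warning $_ }
```

Run it through your existing management channel (an Intune remediation script or Invoke-Command over WinRM) so you get one line per host; a host that reports "Not configured" after the policy sync is the one that will let users take screenshots.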

Related content
Enable watermarking, where admins can use a QR code to trace the session.

Learn about how to secure your Azure Virtual Desktop deployment at Security best
practices.


Watermarking in Azure Virtual Desktop
Article • 10/08/2024

Watermarking, alongside screen capture protection, helps prevent sensitive information
from being captured on client endpoints. When you enable watermarking, QR code
watermarks appear as part of remote desktops. The QR code contains the Connection ID
or Device ID of a remote session that admins can use to trace the session. Watermarking
is configured on session hosts using Microsoft Intune or Group Policy, and enforced by
Windows App or the Remote Desktop client.

Here's a screenshot showing what watermarking looks like when it's enabled:

Important

Once watermarking is enabled on a session host, only clients that support
watermarking can connect to that session host. If you try to connect from an
unsupported client, the connection will fail and you'll get an error message
that is not specific.

Watermarking is for remote desktops only. With RemoteApp, watermarking is
not applied and the connection is allowed.

If you connect to a session host directly (not through Azure Virtual Desktop)
using the Remote Desktop Connection app ( mstsc.exe ), watermarking is not
applied and the connection is allowed.

Prerequisites
You'll need the following things before you can use watermarking:

An existing host pool with session hosts.

A Microsoft Entra ID account that is assigned the Desktop Virtualization Host Pool
Contributor built-in role-based access control (RBAC) role on the host pool as a
minimum.

A client that supports watermarking. The following clients support watermarking:

Remote Desktop client for:
Windows Desktop, version 1.2.3317 or later, on Windows 10 and later.
Web browser.
macOS, version 10.9.5 or later.
iOS/iPadOS, version 10.5.4 or later.

Windows App for:
Windows
macOS
iOS and iPadOS
Android/Chrome OS (preview)
Web browser

Azure Virtual Desktop Insights configured for your environment.

If you manage your session hosts with Microsoft Intune, you need:

Microsoft Entra ID account that is assigned the Policy and Profile manager built-
in RBAC role.

A group containing the devices you want to configure.

If you manage your session hosts with Group Policy in an Active Directory domain,
you need:

A domain account that is a member of the Domain Admins security group.

A security group or organizational unit (OU) containing the session hosts you
want to configure.

Enable watermarking
Select the relevant tab for your scenario.

Microsoft Intune

To enable watermarking using Microsoft Intune:

1. Sign in to the Microsoft Intune admin center .

2. Create or edit a configuration profile for Windows 10 and later devices, with
the Settings catalog profile type.

3. In the settings picker, browse to Administrative templates > Windows
Components > Remote Desktop Services > Remote Desktop Session Host >
Azure Virtual Desktop.

4. Check the box for Enable watermarking, then close the settings picker.

Important

Don't select [Deprecated] Enable watermarking as this setting doesn't
include the option to specify the QR code embedded content.

5. Expand the Administrative templates category, then toggle the switch for
Enable watermarking to Enabled.

6. You can configure the following options:

Option | Values | Description
QR code bitmap scale factor | 1 to 10 (default = 4) | The size in pixels of each QR code dot. This value determines the number of squares per dot in the QR code.
QR code bitmap opacity | 100 to 9999 (default = 2000) | How transparent the watermark is, where 100 is fully transparent.
Width of grid box in percent relative to QR code bitmap width | 100 to 1000 (default = 320) | Determines the distance between the QR codes in percent. When combined with the height, a value of 100 would make the QR codes appear side-by-side and fill the entire screen.
Height of grid box in percent relative to QR code bitmap width | 100 to 1000 (default = 180) | Determines the distance between the QR codes in percent. When combined with the width, a value of 100 would make the QR codes appear side-by-side and fill the entire screen.
QR code embedded content | Connection ID (default), Device ID | Specify whether the Connection ID or Device ID should be used in the QR code. Only select Device ID with session hosts that are in a personal host pool and joined to Microsoft Entra ID or Microsoft Entra hybrid joined.

 Tip

We recommend trying out different opacity values to find a balance


between the readability of the remote session and being able to scan the
QR code, but keeping the default values for the other parameters.

7. Select Next.

8. Optional: On the Scope tags tab, select a scope tag to filter the profile. For
more information about scope tags, see Use role-based access control (RBAC)
and scope tags for distributed IT.

9. On the Assignments tab, select the group containing the computers providing
a remote session you want to configure, then select Next.

10. On the Review + create tab, review the settings, then select Create.

11. Sync your session hosts with Intune for the settings to take effect.

Find session information

Once you've enabled watermarking, you can find the session information from the QR
code by using Azure Virtual Desktop Insights or querying Azure Monitor Log Analytics.

Azure Virtual Desktop Insights

To find out the session information from the QR code by using Azure Virtual Desktop
Insights:

1. Open a web browser and go to https://aka.ms/avdi to open Azure Virtual
Desktop Insights. Sign in using your Azure credentials when prompted.

2. Select the relevant subscription, resource group, host pool and time range, then
select the Connection Diagnostics tab.

3. In the section Success rate of (re)establishing a connection (% of connections),
there's a list of all connections showing First attempt, Connection Id, User, and
Attempts. You can look for the connection ID from the QR code in this list, or
export to Excel.

Azure Monitor Log Analytics

To find out the session information from the QR code by querying Azure Monitor Log
Analytics:

1. Sign in to the Azure portal .

2. In the search bar, type Log Analytics workspaces and select the matching service
entry.

3. Select to open the Log Analytics workspace that is connected to your Azure Virtual
Desktop environment.

4. Under General, select Logs.

5. Start a new query, then run the following query to get session information for a
specific connection ID (represented as CorrelationId in Log Analytics), replacing
<connection ID> with the full or partial value from the QR code:

Kusto

WVDConnections
| where CorrelationId contains "<connection ID>"
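A scanned QR code usually yields only part of the connection ID, and the raw WVDConnections table returns one row per state transition, so an investigator wants the match folded into one row per connection with the user, session host and client. The following script is an added example, not part of this article; it runs that lookup from PowerShell with Invoke-AzOperationalInsightsQuery and assumes Az.OperationalInsights, an existing Connect-AzAccount session, a workspace already receiving Azure Virtual Desktop Insights data, the placeholder workspace ID and connection ID shown, and that the columns UserName, SessionHostName, State, ClientOS, ClientType and ClientVersion exist in your WVDConnections schema (check the table in your workspace if any are missing).

```powershell
# Added example (not from the page): resolve a (partial) connection ID from a watermark QR
# code to user, session host and client via the WVDConnections table. Requires
# Az.OperationalInsights. Workspace ID, connection ID and columns beyond CorrelationId
# are placeholders/assumptions to verify against your workspace.
$workspaceId  = "00000000-0000-0000-0000-000000000000"  # Log Analytics workspace (customer) ID, placeholder
$connectionId = "c7a2b9"                                # full or partial value from the QR code, placeholder

function Find-AvdSessionByConnectionId {
    param(
        [Parameter(Mandatory)] [string] $WorkspaceId,
        [Parameter(Mandatory)] [string] $ConnectionId,
        [int] $LookbackDays = 30
    )
    # Escape double quotes so a scanned value cannot alter the query structure.
    $safeId = $ConnectionId -replace '"', '\"'
    $kql = @"
WVDConnections
| where TimeGenerated > ago(${LookbackDays}d)
| where CorrelationId contains "$safeId"
| summarize Started = min(TimeGenerated), Ended = max(TimeGenerated),
            States = make_set(State),
            ClientOS = take_any(ClientOS), ClientType = take_any(ClientType), ClientVersion = take_any(ClientVersion)
          by CorrelationId, UserName, SessionHostName
| order by Started desc
"@
    $response = Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId -Query $kql -Timespan (New-TimeSpan -Days $LookbackDays)
    $response.Results
}

$hits = Find-AvdSessionByConnectionId -WorkspaceId $workspaceId -ConnectionId $connectionId
if (-not $hits) {
    Write-Warning "No connection matched '$connectionId' in the last 30 days; widen -LookbackDays or check that Insights is sending WVDConnections."
} elseif (@($hits).Count -gt 1) {
    Write-Warning "$(@($hits).Count) connections matched the partial ID; scan more characters or narrow the time range."
}
$hits | Format-Table -AutoSize
```

Treat a multi-row result as inconclusive: a short prefix from a blurry photo can match several sessions, and the user you attribute the leak to must come from a single unambiguous CorrelationId.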

Related content
Enable screen capture protection in Azure Virtual Desktop.



Onboard Azure Virtual Desktop session hosts to forensic evidence from Microsoft Purview Insider Risk Management
Article • 08/13/2024

Forensic evidence is an opt-in add-on feature in Microsoft Purview Insider Risk
Management that gives security teams visual insights into potential insider data security
incidents. Forensic evidence includes customizable event triggers and built-in user
privacy protection controls, enabling security teams to better investigate, understand
and respond to potential insider data risks like unauthorized data exfiltration of sensitive
data.

You set the right policies for your organization, including what risky events are the
highest priority for capturing forensic evidence, what data is most sensitive, and whether
users are notified when forensic capturing is activated.

When using Azure Virtual Desktop with forensic evidence, you can set policies to trigger
recordings of desktop and RemoteApp sessions automatically. Forensic evidence
capturing is off by default and policy creation requires dual authorization.

Prerequisites
Before you can use forensic evidence for Azure Virtual Desktop, you need:

A personal desktop host pool with direct assignment. Pooled host pools aren't
supported.

Session hosts running Windows 11 Enterprise, version 23H2, and using a VM SKU
with a minimum of 8 vCPU and 16 GB memory, such as Standard D8as v5.

Session hosts must be Microsoft Entra ID-joined or Microsoft Entra hybrid-joined and
enrolled with Microsoft Intune.

Microsoft 365 E5 license, which contains both Intune and Insider Risk Management
licenses.

Onboard session hosts to forensic evidence

To onboard your session hosts to forensic evidence:

1. Ensure a user is assigned to a personal desktop using direct assignment. Follow the
steps in Configure direct assignment to assign a user to a personal desktop.

2. You need to onboard your session hosts to Purview. Follow the steps in Onboard
Windows devices into Microsoft Purview to onboard your session hosts.

3. Install the Purview client and configure forensic evidence. Follow the steps in Get
started with insider risk management forensic evidence to install the Purview client
and configure forensic evidence.

Related content
Manage insider risk management forensic evidence



Enroll in per-user access pricing for Azure Virtual Desktop
Article • 01/10/2024

Per-user access pricing lets you pay for Azure Virtual Desktop access rights on behalf of
external users. External users aren't members of your organization, such as customers of
a business. To learn more about licensing options, see Licensing Azure Virtual Desktop.

Before external users can connect to your deployment, you need to enroll your Azure
subscriptions that you use for Azure Virtual Desktop in per-user access pricing. Your
enrolled subscription is charged each month based on the number of distinct users that
connect to Azure Virtual Desktop resources. All Azure subscriptions are applicable, such
as those from an Enterprise Agreement (EA), Cloud Solution Provider (CSP), or Microsoft
Customer Agreement.

) Important

Per-user access pricing with Azure Virtual Desktop doesn't currently support Citrix
DaaS and VMware Horizon Cloud.

How to enroll an Azure subscription

To enroll your Azure subscription into per-user access pricing:

1. Sign in to the Azure portal .

2. In the search bar, type Azure Virtual Desktop and select the matching service
entry.

3. In the Azure Virtual Desktop overview page, select Per-user access pricing.

4. In the list of subscriptions, check the box for the subscription where you deploy
Azure Virtual Desktop resources for external users.

5. Select Enroll.

6. Review the Product Terms, then select Enroll to begin enrollment. It might take up
to an hour for the enrollment process to finish. The Per-user access pricing column
of the subscriptions list shows Enrolling while the enrollment process is running.
7. After enrollment completes, check the value in the Per-user access pricing column
of the subscriptions list changes to Enrolled.

How to unenroll an Azure subscription

To unenroll your Azure subscription from per-user access pricing:

1. Sign in to the Azure portal .

2. In the search bar, type Azure Virtual Desktop and select the matching service
entry.

3. In the Azure Virtual Desktop overview page, select Per-user access pricing.

4. In the list of subscriptions, check the box for the subscription you want to unenroll
from per-user access pricing.

5. Select Unenroll.

6. Review the unenrollment message, then select Unenroll to begin unenrollment. It
might take up to an hour for the unenrollment process to finish. The Per-user
access pricing column of the subscriptions list shows Unenrolling while the
unenrollment process is running.

7. After unenrollment completes, check the value in the Per-user access pricing
column of the subscriptions list changes to Not enrolled.

Next steps
To learn more about per-user access pricing, see Licensing Azure Virtual Desktop.
For estimating total deployment costs, see Understand and estimate costs for
Azure Virtual Desktop.
Apply Windows license to session host virtual machines
Article • 03/10/2023

Customers who are properly licensed to run Azure Virtual Desktop workloads are
eligible to apply a Windows license to their session host virtual machines and run them
without paying for another license. For more information, see Azure Virtual Desktop
pricing .

Ways to apply an Azure Virtual Desktop license

Azure Virtual Desktop licensing allows you to apply a license to any Windows or
Windows Server virtual machine (VM) that's registered as a session host in a host pool
and receives user connections. This license doesn't apply to virtual machines running as
file share servers, domain controllers, and so on.

You can apply an Azure Virtual Desktop license to your VMs with the following methods:

You can create a host pool and its session host virtual machines in the Azure
portal. Creating VMs in the Azure portal automatically applies the license.
You can create a host pool and its session host virtual machines using the GitHub
Azure Resource Manager template . Creating VMs with this method automatically
applies the license.
You can manually apply a license to an existing session host virtual machine. To
apply the license this way, first follow the instructions in Create a host pool with
PowerShell or the Azure CLI to create a host pool and associated VMs, then return
to this article to learn how to apply the license.

Manually apply a Windows license to a Windows client session host VM

Note

The directions in this section apply to Windows client VMs, not Windows Server
VMs.

Before you start, make sure you've installed and configured the latest version of Azure
PowerShell.
Next, run the following PowerShell cmdlets to apply the Windows license:

PowerShell

# Get the session host VM, set its license type, then write the change back to Azure
$vm = Get-AzVM -ResourceGroupName <resourceGroupName> -Name <vmName>
$vm.LicenseType = "Windows_Client"
Update-AzVM -ResourceGroupName <resourceGroupName> -VM $vm

Verify your session host VM is utilizing the licensing benefit
After deploying your VM, run this cmdlet to verify the license type:

PowerShell

Get-AzVM -ResourceGroupName <resourceGroupName> -Name <vmName>

A session host VM with the applied Windows license will show you something like this:

PowerShell

Type : Microsoft.Compute/virtualMachines
Location : westus
LicenseType : Windows_Client

VMs without the applied Windows license will show you something like this:

PowerShell

Type : Microsoft.Compute/virtualMachines
Location : westus
LicenseType :

Run the following cmdlet to see a list of all session host VMs that have the Windows
license applied in your Azure subscription:

PowerShell

# Get-AzVM without parameters returns every VM in the current subscription
$vms = Get-AzVM
$vms | Where-Object { $_.LicenseType -like "Windows_Client" } |
    Select-Object ResourceGroupName, Name, LicenseType
Using Windows Server as session hosts
If you deploy Windows Server as session hosts in Azure Virtual Desktop, a Remote
Desktop Services license server must be accessible from those virtual machines. The
Remote Desktop Services license server can be located on-premises or in Azure, as long
as there is network connectivity between the session hosts and license server. For more
information, see Activate the Remote Desktop Services license server.

Known limitations
If you create a Windows Server session host using the Azure Virtual Desktop host pool
creation process, the process might automatically assign it an incorrect license type. To
change the license type using PowerShell, follow the instructions in Convert an existing
VM using Azure Hybrid Benefit for Windows Server.
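The cmdlets above act on one VM or list all licensed VMs in a subscription. The following function, an added example that is not part of the Microsoft documentation, does the audit per host pool: it walks the session hosts of a host pool, looks up the VM behind each one, reports its current license type, and applies Windows_Client only to Windows client images, leaving Windows Server hosts (which use Azure Hybrid Benefit, as the Known limitations section notes) and custom images for you to handle. It assumes the Az.Accounts, Az.Compute and Az.DesktopVirtualization modules are installed and Connect-AzAccount has been run; the publisher names used to tell client from server images are an assumption about Azure Marketplace images, and all resource names are placeholders.

```powershell
# Added example (not from the Azure Virtual Desktop documentation): audit every session host in one
# host pool and apply the Windows_Client license type to Windows client VMs that lack it.
# Assumes Az.Accounts, Az.Compute and Az.DesktopVirtualization are installed and Connect-AzAccount has
# been run. The publisher check is an assumption about Marketplace images: custom images may carry no
# publisher and are reported rather than changed.
function Set-AvdSessionHostLicense {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,   # resource group of the host pool
        [Parameter(Mandatory)] [string] $HostPoolName
    )

    foreach ($sh in Get-AzWvdSessionHost -ResourceGroupName $ResourceGroupName -HostPoolName $HostPoolName) {
        # $sh.ResourceId is the ARM ID of the VM behind the session host. The VM may live in a
        # different resource group than the host pool, so take both parts from the ID.
        $parts  = $sh.ResourceId -split '/'
        $vmRg   = $parts[4]
        $vmName = $parts[-1]
        $vm     = Get-AzVM -ResourceGroupName $vmRg -Name $vmName
        $before = $vm.LicenseType

        $publisher = $vm.StorageProfile.ImageReference.Publisher
        $isClient  = $publisher -eq 'MicrosoftWindowsDesktop'   # Windows 10/11, including multi-session (assumed)
        $isServer  = $publisher -eq 'MicrosoftWindowsServer'    # Windows Server (assumed)

        $action = switch ($true) {
            { $isClient -and $before -eq 'Windows_Client' } { 'already licensed'; break }
            { $isClient }                                    { 'apply Windows_Client'; break }
            { $isServer }                                    { 'skip: Windows Server uses Azure Hybrid Benefit (Windows_Server)'; break }
            default                                          { 'skip: custom image, check manually' }
        }

        if ($action -eq 'apply Windows_Client' -and $PSCmdlet.ShouldProcess($vmName, 'Set LicenseType=Windows_Client')) {
            $vm.LicenseType = 'Windows_Client'
            Update-AzVM -ResourceGroupName $vmRg -VM $vm | Out-Null
        }

        [pscustomobject]@{
            SessionHost   = $sh.Name
            VM            = $vmName
            Publisher     = $publisher
            LicenseBefore = $before
            Action        = $action
        }
    }
}

# Dry run first (SupportsShouldProcess gives the function -WhatIf), then run it for real:
# Set-AvdSessionHostLicense -ResourceGroupName rg-avd -HostPoolName hp-prod -WhatIf
# Set-AvdSessionHostLicense -ResourceGroupName rg-avd -HostPoolName hp-prod
```

Run it with -WhatIf first; the report it returns shows which hosts would change and which are skipped, so an incorrectly typed Windows Server host from the host pool creation process shows up as a skip rather than being silently relabelled as a client.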
Azure Virtual Desktop business
continuity and disaster recovery
concepts
Article • 06/28/2024

Many users now work remotely, so organizations require solutions with high availability,
rapid deployment speed, and reduced costs. Users also need to have a remote work
environment with guaranteed availability and resiliency that lets them access their
resources even during disasters.

To prevent system outages or downtime, every system and component in your Azure
Virtual Desktop deployment must be fault-tolerant. Fault tolerance is when you have a
duplicate configuration or system in another Azure region that takes over for the main
configuration during an outage. This secondary configuration or system reduces the
impact of a localized outage. There are many ways you can set up fault tolerance, but
this article focuses on the methods currently available in Azure for dealing with business
continuity and disaster recovery (BCDR).

Responsibility for the components that make up Azure Virtual Desktop is divided between
components that are Microsoft-managed and components that are customer-managed or
partner-managed.

The following components are customer-managed or partner-managed:

Session host virtual machines


Profile management, usually with FSLogix
Applications
User data
User identities

To learn about the Microsoft-managed components and how they're designed to be
resilient, see Azure Virtual Desktop service architecture and resilience.

Business continuity and disaster recovery basics
When you design a disaster recovery plan, you should keep the following three things in
mind:
High availability: distributed infrastructure so smaller, more localized outages don't
interrupt your entire deployment. Designing with high availability in mind can
minimize outage impact and avoid the need for a full disaster recovery.
Business continuity: how an organization can keep operating during outages of
any size.
Disaster recovery: the process of getting back to operation after a full outage.

Azure Virtual Desktop doesn't have any native features for managing disaster recovery
scenarios, but you can use many other Azure services for each scenario depending on
your requirements, such as Availability sets, availability zones, Azure Site Recovery, and
Azure Files data redundancy options for user profiles and data.

Distributing session hosts across multiple Azure regions provides even more
geographical distribution, which further reduces outage impact. All these and other
Azure features provide a certain level of protection within Azure Virtual Desktop, and
you should carefully consider them along with any cost implications.

We have further documentation that goes into much more detail about each of the
technology areas you need to consider as part of your business continuity and disaster
recovery strategy and how to plan for and mitigate disruption to your organization
based on your requirements. The following table lists the technology areas you need to
consider as part of your disaster recovery strategy and links to other Microsoft
documentation that provides guidance for each area:


Technology area Documentation link

Active-passive vs active-active plans Active-Active vs. Active-Passive

Session host resiliency Multiregion Business Continuity and Disaster Recovery

Disaster recovery plans Multiregion Business Continuity and Disaster Recovery

Azure Site Recovery Failover and failback

Network connectivity Multiregion Business Continuity and Disaster Recovery

User profiles Design recommendations

Files share storage Storage

Identity provider Identity

Backup Backup
Related content
For more in-depth information about disaster recovery in Azure, check out these articles:

Cloud Adoption Framework: Azure Virtual Desktop business continuity and disaster
recovery documentation

Azure Architecture Center: Multiregion Business Continuity and Disaster Recovery
(BCDR) for Azure Virtual Desktop


Use Azure CLI and Azure PowerShell
with Azure Virtual Desktop
Article • 01/08/2024

There's an Azure CLI extension and an Azure PowerShell module for Azure Virtual
Desktop that you can use to create, update, delete, and interact with Azure Virtual
Desktop service objects as alternatives to using the Azure portal. They're part of Azure
CLI and Azure PowerShell, which cover a wide range of Azure services.

This article explains how you can use the Azure CLI extension and an Azure PowerShell
module, and provides some useful example commands.

Azure CLI extension and Azure PowerShell module
Here are the names of the Azure CLI extension and Azure PowerShell module, and links
to our reference documentation:

Azure CLI: az desktopvirtualization

Azure PowerShell: Az.DesktopVirtualization

Both Azure CLI and Azure PowerShell are available to use in the Azure Cloud Shell
natively in the Azure portal with no installation, or you can install them locally on your
device for Windows, macOS, and Linux.

To learn how to install Azure CLI and Azure PowerShell across all supported platforms,
see the following links:

Azure CLI: How to install the Azure CLI

Azure PowerShell: Install the Azure Az PowerShell module

Example commands
Here are some example commands you can use to get information and values about
your Azure Virtual Desktop resources you might find useful. Select the relevant tab for
your scenario.

Azure CLI

Important

In the following examples, replace the <placeholder> values with your own.

Available Azure regions


When creating Azure Virtual Desktop service objects using any of the CLI
commands that contain create , you need to specify the Azure region you want to
create them in. To find the name of the Azure region to use with the --location
parameter, run the following command and use a value from the Location column:

Azure CLI

az account list-locations --query "sort_by([].{DisplayName:displayName, Location:name}, &Location)" -o table

Retrieve the object ID of a host pool, workspace, application group, or application
To retrieve the object ID of a host pool, run the following command:

Azure CLI

az desktopvirtualization hostpool show \
    --name <Name> \
    --resource-group <ResourceGroupName> \
    --query objectId \
    --output tsv

To retrieve the object ID of a workspace, run the following command:

Azure CLI

az desktopvirtualization workspace show \
    --name <Name> \
    --resource-group <ResourceGroupName> \
    --query objectId \
    --output tsv

To retrieve the object ID of an application group, run the following command:


Azure CLI

az desktopvirtualization applicationgroup show \
    --name <Name> \
    --resource-group <ResourceGroupName> \
    --query objectId \
    --output tsv

Tip

The Azure CLI extension for Azure Virtual Desktop doesn't have commands for
applications. Use Azure PowerShell instead.
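Since the CLI extension has no application commands, here is the same lookup done with Az.DesktopVirtualization, as an added example that is not part of the Microsoft documentation. It covers all four object types and returns both the ARM resource ID (the .Id property, which role assignments, tags and most other commands expect) and the service-side object ID (the GUID the `--query objectId` commands above print). It assumes Connect-AzAccount has been run and that the ObjectId property is exposed on all four object types as it is in the REST API; the resource names are placeholders.

```powershell
# Added example (not from the documentation): return the ARM resource ID and the service object ID
# of an Azure Virtual Desktop object using Az.DesktopVirtualization, including applications.
# Assumes Connect-AzAccount has been run. ObjectId being present on every type is an assumption
# taken from the REST API; the names in the usage lines are placeholders.
function Get-AvdObjectId {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [ValidateSet('HostPool', 'Workspace', 'ApplicationGroup', 'Application')]
        [string] $Type,
        [Parameter(Mandatory)] [string] $Name,
        [string] $ApplicationGroupName   # only used when -Type Application
    )

    $obj = switch ($Type) {
        'HostPool'         { Get-AzWvdHostPool         -ResourceGroupName $ResourceGroupName -Name $Name }
        'Workspace'        { Get-AzWvdWorkspace        -ResourceGroupName $ResourceGroupName -Name $Name }
        'ApplicationGroup' { Get-AzWvdApplicationGroup -ResourceGroupName $ResourceGroupName -Name $Name }
        'Application'      {
            if (-not $ApplicationGroupName) { throw '-ApplicationGroupName is required for -Type Application' }
            # An application is addressed by its application group (-GroupName) plus its own name
            Get-AzWvdApplication -ResourceGroupName $ResourceGroupName -GroupName $ApplicationGroupName -Name $Name
        }
    }

    [pscustomobject]@{
        Type       = $Type
        Name       = $obj.Name
        ResourceId = $obj.Id        # ARM ID: what role assignments, tags and most other commands want
        ObjectId   = $obj.ObjectId  # service-side GUID, the value 'az ... show --query objectId' prints
    }
}

# Get-AvdObjectId -ResourceGroupName rg-avd -Type HostPool -Name hp-prod
# Get-AvdObjectId -ResourceGroupName rg-avd -Type Application -ApplicationGroupName ag-apps -Name Notepad
```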

Next steps
Now that you know how to use Azure CLI and Azure PowerShell with Azure Virtual
Desktop, here are some articles that use them:

Create an Azure Virtual Desktop host pool with PowerShell or the Azure CLI
Manage application groups using PowerShell or the Azure CLI
For the full PowerShell reference documentation, see Az.DesktopVirtualization.
Move Azure Virtual Desktop resource
between regions
Article • 04/14/2023

In this article, we'll tell you how to move Azure Virtual Desktop resources between Azure
regions.

Note

This process doesn't perform an actual resource move. Instead, you delete the old
resources and recreate them in the region you want to move the resources to. We
recommend you test this process before using it on production workloads to
understand how it will impact your deployment.

The information in this article applies to all Azure Virtual Desktop resources,
including host pools, application groups, scaling plans, and workspaces.

Important information
When you move Azure Virtual Desktop resources between regions, these are some
things you should keep in mind:

When exporting resources, you must move them as a set. All resources associated
with a specific host pool have to stay together. A host pool and its associated
application groups need to be in the same region.

Workspaces and their associated application groups also need to be in the same
region.

Scaling plans and the host pools they are assigned to also need to be in the same
region.

All resources to be moved have to be in the same resource group. Template
exports require having resources in the same group, so if you want them to be in a
different location, you'll need to modify the exported template to change the
location of its resources.

Once you're done moving your resources to a new region, you must delete the
original resources. The resource ID of your resources won't change during the
moving process, so there will be a name conflict with your old resources if you
don't delete them.

Existing session hosts attached to a host pool that you move will stop working.
You'll need to recreate the session hosts in the new region.

Export a template
The first step to move your resources is to create a template that contains everything
you want to move to the new region.

To export a template:

1. In the Azure portal, go to Resource Groups, then select the resource group that
contains the resources you want to move.

2. Once you've selected the resource group, go to Overview > Resources and select
all the resources you want to move.

3. Select the ... button in the upper right-hand corner of the Resources tab. Once the
drop-down menu opens, select Export template.

4. Select Download to download a local copy of the generated template.

5. Right-click the zip file and select Extract All.

Modify the exported template


Next, you'll need to modify the template to include the region you're moving your
resources to.

To modify the template you exported:

1. Open the template.json file you extracted from the zip folder in a text editor of
your choice, such as Notepad.

2. In each resource inside the template file, find the "location" property and modify it
to the location you want to move them to. For example, if your deployment's
currently in the East US region but you want to move it to the West US region,
you'd change the "eastus" location to "westus." Learn more about which Azure
regions you can use at Azure geographies .

3. If you are moving a host pool, remove the "publicNetworkAccess" parameter, if
present.
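The three edits above can be scripted rather than done by hand in Notepad, which avoids missing a "location" property in a large export. The following function, an added example that is not part of the Microsoft documentation, loads the exported template.json, sets every resource's location to the new region, strips publicNetworkAccess from any host pool resource, writes the result to a new file, and returns a list of what it changed. It requires PowerShell 7 (ConvertFrom-Json -Depth is not available in Windows PowerShell 5.1); the file paths and region name are placeholders.

```powershell
# Added example (not from the documentation): rewrite the exported template.json for the new region
# and strip publicNetworkAccess from host pools, automating the three manual steps above.
# Requires PowerShell 7 for ConvertFrom-Json -Depth. Paths and region names are placeholders.
function Update-AvdTemplateLocation {
    param(
        [Parameter(Mandatory)] [string] $TemplatePath,   # template.json from the export
        [Parameter(Mandatory)] [string] $NewLocation,    # e.g. westus (the Location column of az account list-locations)
        [Parameter(Mandatory)] [string] $OutputPath      # where to write the modified template
    )

    $template = Get-Content -Path $TemplatePath -Raw | ConvertFrom-Json -Depth 100
    $changed  = @()

    foreach ($res in $template.resources) {
        # Overwrite the location with a literal region name, as the article instructs. Exported
        # templates sometimes carry an expression such as "[resourceGroup().location]" here; that is
        # replaced too, so the deployment is pinned to the region you chose.
        if ($res.PSObject.Properties['location']) {
            $res.location = $NewLocation
        }
        # Host pools: drop publicNetworkAccess if present
        if ($res.type -eq 'Microsoft.DesktopVirtualization/hostPools' -and
            $res.properties.PSObject.Properties['publicNetworkAccess']) {
            $res.properties.PSObject.Properties.Remove('publicNetworkAccess')
        }
        $changed += [pscustomobject]@{ Type = $res.type; Name = $res.name; Location = $res.location }
    }

    $template | ConvertTo-Json -Depth 100 | Set-Content -Path $OutputPath -Encoding utf8
    return $changed
}

# Usage. Deploy the result only after the original resources are deleted, since the names and
# resource IDs are unchanged and would conflict:
# Update-AvdTemplateLocation -TemplatePath .\template.json -NewLocation westus -OutputPath .\template-westus.json
# New-AzResourceGroupDeployment -ResourceGroupName rg-avd -TemplateFile .\template-westus.json
```

Review the returned list before deploying: every row should show the new region, and anything that still shows the old one is a resource whose location property was nested somewhere the loop does not reach.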
Delete original resources
Once you have the template ready, you'll need to delete the original resources to
prevent name conflicts.

To delete the original resources:

1. Go back to the Resources tab mentioned in Export a template and select all the
resources you exported to the template.

2. Next, select the ... button again, then select Delete from the drop-down menu.

3. If you see a message asking you to confirm the deletion, select Confirm.

4. Wait a few minutes for the resources to finish deleting. Once you're done, they
should disappear from the resource list.

Deploy the modified template


Finally, you'll need to deploy your modified template in the new region.

To deploy the template:

1. In the Azure portal, search for and select Deploy a custom template.

2. In the custom deployment menu, select Build your own template in the editor.

3. Next, select Load file and upload your modified template file.

Note

Make sure to upload the template.json file, not the parameters.json file.

4. When you're done uploading the template, select Save.

5. In the next menu, select Review + create.

6. Under Instance details, make sure the Region shows the region you changed the
location to in Modify the exported template. If not, select the correct region from
the drop-down menu.

7. If everything looks correct, select Create.

8. Wait a few minutes for the template to deploy. Once it's finished, the resources
should appear in your resource list.
Next steps
Find out which Azure regions are currently available at Azure Geographies .

See our Azure Resource Manager templates for Azure Virtual Desktop for more
templates you can use in your deployments after you move your resources.
Set up email discovery to subscribe to
your RDS feed
Article • 07/03/2024

Have you ever had trouble getting your end users connected to their published RDS
feed, either because of a single missing character in the feed URL or because they lost
the email with the URL? Nearly all Remote Desktop client applications support finding
your subscription by entering your email address, making it easier than ever to get your
users connected to their RemoteApps and desktops.

Before you set up email discovery, do the following:

Make sure you have permission to add a TXT record to the domain associated with
your email (for example, if your users have @contoso.com email addresses, you
would need permissions for the contoso.com domain)
Create an RD Web feed URL (https://<rdweb-dns-name>.domain/RDWeb/Feed/webfeed.aspx, such as
https://rdweb.contoso.com/RDWeb/Feed/webfeed.aspx)

Note

If you're using Azure Virtual Desktop instead of Remote Desktop Services, use one of these URLs instead:

If you're using Azure Virtual Desktop (classic):
https://rdweb.wvd.microsoft.com/api/feeddiscovery/webfeeddiscovery.aspx
If you're using Azure Virtual Desktop:
https://rdweb.wvd.microsoft.com/api/arm/feeddiscovery

Now, follow these steps to set up email discovery:

1. In your browser, connect to the website of the domain name registrar where your
domain is registered.

2. Navigate to the appropriate page for your registered domain where you can view,
add, and edit DNS records.

3. Enter a new DNS record with the following properties:

Host: _msradc
Text: <RD Web Feed URL>
TTL: 300 seconds

The names of the DNS records fields vary by domain name registrar, but this
process will result in a TXT record named _msradc.<domain_name> (such as
_msradc.contoso.com) that has a value of the full RD Web feed.

That's it! Now, launch the Remote Desktop application on your device and subscribe
yourself!
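Before telling users to subscribe by email address, it is worth confirming from a client's point of view that the record resolves and says what you intended. That TXT record is what every Remote Desktop client trusts to decide where to send the user's sign-in, so anyone who can write to the zone can point your users at a feed they control; the check below therefore also insists on an https URL and lets you compare the value against the URL you published. It is an added example, not part of the Microsoft article, and uses Resolve-DnsName from the Windows DnsClient module (so it runs on Windows); contoso.com and the feed URL are placeholders.

```powershell
# Added example (not from the documentation): check that the _msradc TXT record exists and points at
# the feed URL you intended. Uses Resolve-DnsName (Windows DnsClient module); placeholder values.
function Test-RdsEmailDiscovery {
    param(
        [Parameter(Mandatory)] [string] $EmailDomain,   # domain part of the users' addresses, e.g. contoso.com
        [string] $ExpectedFeedUrl,                       # the URL you put in the record, if you want it compared
        [string] $DnsServer                              # optional: query a specific resolver instead of the local one
    )

    $recordName = "_msradc.$EmailDomain"
    $query = @{ Name = $recordName; Type = 'TXT'; ErrorAction = 'Stop' }
    if ($DnsServer) { $query.Server = $DnsServer }

    try {
        $records = Resolve-DnsName @query
    } catch {
        return [pscustomobject]@{ Record = $recordName; Found = $false; Value = $null; Valid = $false; Reason = $_.Exception.Message }
    }

    # A TXT record can be stored as several strings; join them before parsing the URL
    $value = $records | Where-Object Type -eq 'TXT' | ForEach-Object { -join $_.Strings } | Select-Object -First 1
    $uri   = $null
    $isUri = [System.Uri]::TryCreate($value, [System.UriKind]::Absolute, [ref] $uri)

    $problems = @()
    if (-not $isUri)                 { $problems += 'value is not an absolute URL' }
    elseif ($uri.Scheme -ne 'https') { $problems += "scheme is $($uri.Scheme), expected https" }
    if ($ExpectedFeedUrl -and $value -ne $ExpectedFeedUrl) { $problems += 'value differs from the expected feed URL' }

    [pscustomobject]@{
        Record = $recordName
        Found  = [bool] $value
        Value  = $value
        Valid  = ($problems.Count -eq 0)
        Reason = ($problems -join '; ')
    }
}

# Test-RdsEmailDiscovery -EmailDomain contoso.com -ExpectedFeedUrl https://rdweb.contoso.com/RDWeb/Feed/webfeed.aspx
# Test-RdsEmailDiscovery -EmailDomain contoso.com -DnsServer 8.8.8.8   # confirm public resolvers see the record too
```

Querying a public resolver as well as your own is useful right after you create the record: a record that only resolves internally (or has not propagated yet, given the 300-second TTL suggested above) shows up as Found = False from outside while looking fine on your desk.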

Tag Azure Virtual Desktop resources to
manage costs
Article • 08/10/2022

Tagging is a tool available across Azure services that helps you organize resources inside
your Azure subscription. Organizing resources makes it easier to track costs across
multiple services. Tags also help you understand how much each grouping of Azure
resources costs per billing cycle. If you'd like to learn more about tagging in general, see
Use tags to organize your Azure resources and management hierarchy. You can also
watch a quick video about some other ways to use Azure tags.

How tagging works


You can tag Azure services you manage in the Azure portal or through PowerShell. The
tags will appear as key-value pairs of text. As you use tagged Azure resources, the
associated tag key-value pair will be attached to the resource usage.

Once your deployment reports tagged usage information to Azure Cost Management,
you can use your tagging structure to filter cost data. To learn how to filter by tags in
Azure Cost Management, see Quickstart: Explore and analyze costs with cost analysis.

Add, edit, or delete tags


When you apply a new tag to a resource, it won't be visible in Azure Cost Management
until its associated Azure resource reports activity. If you apply an existing tag to your
resources, this change also won't be visible in Azure Cost Management until the Azure
resources report activity.

If you edit a tag name, the associated resources will now associate costs with its new
key-value pair. You can still filter data with the old tag, but all new data from after the
change will be reported with the new tag.

If you delete a tag, Azure Virtual Desktop will no longer report data associated with the
deleted tag to Azure Cost Management. You can still filter with deleted tags for data
reported before you deleted the tag.

Important

Tagged Azure resources that haven't been active since you applied new or updated
tags to them won't report any activity associated with the changed tags to Azure
Cost Management. You won't be able to filter for specific tags until their associated
activity is reported to Azure Cost Management by the service.

View all existing tags


You can view all existing tags for your Azure services by going to the Azure portal, then
opening the Tags tab. The Tags tab will show you all tags in objects you have access
to. You can also sort tags by their keys or values whenever you need to quickly update a
large number of tags at the same time.

What tags can and can't do


Tags only report usage and cost data for Azure resources they're directly assigned to. If
you've tagged a resource without tagging the other resources in it, then Azure Virtual
Desktop will only report activity related to the top-level tagged resource. You'll also
need to tag every resource under that top-level resource if you want your billing data to
be accurate.

To learn more about how tags work in Azure Cost Management, see How tags are used
in cost and usage data.

For a list of known Azure tag limitations, see Use tags to organize your Azure resources
and management hierarchy.

Using tags in Azure Virtual Desktop


Now that you understand the basics of Azure tags, let’s go over how you can use them
in Azure Virtual Desktop.

You can use Azure tags to organize costs for creating, managing, and deploying
virtualized experiences for your customers and users. Tagging can also help you track
resources you buy directly through Azure Virtual Desktop and other Azure services
connected to Azure Virtual Desktop deployments.

Suggested tags for Azure Virtual Desktop


Because Azure Virtual Desktop can work with other Azure services to support its
deployments, there isn't a universal system for tagging deployment resources. What's
most important is that you develop a strategy that works for you and your organization.
However, we do have some suggestions that might help you, especially if you're new to
using Azure.

The following suggestions apply to all Azure Virtual Desktop deployments:

Become familiar with your purchased Azure services so you understand the extent
of what you want to tag. As you learn how to use the Azure portal, keep a list of
service groups and objects where you can apply tags. Some resources that you
should keep track of include resource groups, virtual machines, disks, and network
interface cards (NICs). For a more comprehensive list of cost generating service
components you can tag, see Understanding total Azure Virtual Desktop
deployment costs.

Create a cost reporting aggregation to organize your tags. You can either follow a
common tagging pattern or create a new pattern that meets your organization’s
needs.

Keep your tags consistent wherever you apply them. Even the smallest typo can
impact data reporting, so make sure you're adding the exact key-value pair you
want to look up later.

Keep a record of any tags you update or edit. This record will let you combine each
tag's historic data as needed. When you edit or update a tag, you should also
apply those changes across all resources that include the changed tag.

Suggested tags for Azure Virtual Desktop host pools
Every virtual machine in an Azure Virtual Desktop host pool creates a cost-producing
construct. Because host pools are the foundation of an Azure Virtual Desktop
deployment, their VMs are typically the main source of costs for Azure Virtual Desktop
deployments. If you want to set up a tagging system, we recommend that you start with
tagging all the host pools in your deployment to track VM compute costs. Tagging your
host pools can help you use filtering in Azure Cost Management to identify these VM
costs.

Like with the general suggestions, there's no universal system for tagging host pools.
However, we do have a few suggestions to help you organize your host pool tags:

Tagging host pools while you're creating them is optional, but tagging during the
creation process will make it easier for you to view all tagged usage in Azure Cost
Management later. Your host pool tags will follow all cost-generating components
of the session hosts within your host pool. Learn more about session host-specific
costs at Understanding total Azure Virtual Desktop deployment costs.

If you use the Azure portal to create a new host pool, the creation workflow will
give you the chance to add existing tags. These tags will be passed along to all
resources you create during the host pool creation process. Tags will also be
applied to any session hosts you add to an existing host pool in the Azure portal.
However, you'll need to enter the tags manually every time you add a new session
host.

It's unlikely you'll ever get a complete cost report of every supporting Azure
service working with your host pools, since configuration options are both limitless
and unique to each customer. It's up to you to decide how closely you want to
track costs across any Azure services associated with your Azure Virtual Desktop
deployment. The more thoroughly you track these costs by tagging, the more
accurate your monthly Azure Virtual Desktop cost report will become.

If you build your tagging system around your host pools, make sure to use key-
value pairs that make sense to add to other Azure services later.

Use the cm-resource-parent tag to automatically group costs by host pool
You can group costs by host pool by using the cm-resource-parent tag. This tag won't
impact billing but will let you review tagged costs in Microsoft Cost Management
without having to use filters. The key for this tag is cm-resource-parent and its value is
the resource ID of the Azure resource you want to group costs by. For example, you can
group costs by host pool by entering the host pool resource ID as the value. To learn
more about how to use this tag, see Group related resources in the cost analysis
(preview).
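Applying cm-resource-parent by hand to every VM, and remembering that tags only report for the resource they sit on (see What tags can and can't do above), is tedious across a host pool of any size. The following function, an added example that is not part of the Microsoft documentation, reads the host pool's resource ID, enumerates its session hosts, and merges the tag onto each session host's VM, managed disks and network interfaces so the compute, storage and networking costs of the pool all roll up under it in Cost Management. It assumes the Az.Resources, Az.Compute and Az.DesktopVirtualization modules are installed and Connect-AzAccount has been run; the resource names are placeholders.

```powershell
# Added example (not from the documentation): tag the VM, managed disks and NICs behind every
# session host in a host pool with cm-resource-parent = the host pool's resource ID, so Cost
# Management groups their costs under the host pool. Assumes Az.Resources, Az.Compute and
# Az.DesktopVirtualization are installed and Connect-AzAccount has been run; names are placeholders.
function Set-AvdHostPoolCostParentTag {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $HostPoolName
    )

    $hostPool = Get-AzWvdHostPool -ResourceGroupName $ResourceGroupName -Name $HostPoolName
    $tag = @{ 'cm-resource-parent' = $hostPool.Id }   # value is the ARM resource ID of the host pool

    foreach ($sh in Get-AzWvdSessionHost -ResourceGroupName $ResourceGroupName -HostPoolName $HostPoolName) {
        $vmId  = $sh.ResourceId                        # ARM ID of the VM behind the session host
        $parts = $vmId -split '/'
        $vm    = Get-AzVM -ResourceGroupName $parts[4] -Name $parts[-1]

        # Tags report only for the resource they sit on, so tag the disks and NICs as well as the VM
        $targets = @($vmId)
        if ($vm.StorageProfile.OsDisk.ManagedDisk.Id) { $targets += $vm.StorageProfile.OsDisk.ManagedDisk.Id }
        foreach ($dataDisk in $vm.StorageProfile.DataDisks) {
            if ($dataDisk.ManagedDisk.Id) { $targets += $dataDisk.ManagedDisk.Id }
        }
        foreach ($nic in $vm.NetworkProfile.NetworkInterfaces) { $targets += $nic.Id }

        foreach ($id in $targets) {
            # Merge keeps the resource's existing tags and only adds or overwrites cm-resource-parent
            Update-AzTag -ResourceId $id -Tag $tag -Operation Merge | Out-Null
        }

        [pscustomobject]@{ SessionHost = $sh.Name; TaggedResources = $targets.Count }
    }
}

# Set-AvdHostPoolCostParentTag -ResourceGroupName rg-avd -HostPoolName hp-prod
```

Re-run the function whenever session hosts are added, since tags entered during host pool creation in the portal are not applied to hosts you add later without re-entering them, as the previous section notes. Resources tagged this way do not show up in Cost Management until they next report usage.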

Suggested tags for other Azure Virtual Desktop resources
Most Azure Virtual Desktop customers deploy other Azure services to support their
deployments. If you want to include the cost of these extra services in your cost report,
you should consider the following suggestions:

If you've already purchased an Azure service or resources that you want to
integrate into your Azure Virtual Desktop deployments, you have two options:

Separate your purchased Azure services between different Azure subscriptions.
Combine all purchased Azure services in the same subscription with your Azure
Virtual Desktop tags.

Separating your services will give you a clearer idea of costs for each service, but
may end up being more expensive in the end. You may need to purchase extra
storage for these services to make sure your Azure Virtual Desktop has its own
designated storage.

Combining your purchased services is less expensive, but may inflate your cost
report because the usage data for shared resources won't be as accurate. To make
up for the lack of accuracy, you can add multiple tags to your resources to see
shared costs through filters that track different factors.

If you started building your tagging system with a different Azure service, make
sure the key-value pairs you create can be applied to your Azure Virtual Desktop
deployment or other services later.

Next steps
If you’d like to learn more about common Azure Virtual Desktop related costs, check out
Understanding total Azure Virtual Desktop deployment costs.

If you’d like to learn more about Azure tags, check out the following resources:

Use tags to organize your Azure resources and management hierarchy

A video explaining the value of using Azure tags

How tags are used in cost and usage data

Develop your naming and tagging strategy for Azure resources

Define your tagging strategy

Resource naming and tagging decision guide

If you’d like to learn more about Azure Cost Management, check out the following
articles:

What is Azure Cost Management + Billing?

Quickstart: Explore and analyze costs with cost analysis


What is Windows App?
Article • 09/20/2024

Windows App is your gateway to Azure Virtual Desktop, Windows 365, Microsoft Dev
Box, Remote Desktop Services, and remote PCs, securely connecting you to Windows
devices and apps.

You can use Windows App on many different types of devices on different platforms and
form factors, such as desktops and laptops, tablets, smartphones, and through a web
browser. When using a web browser on a desktop or laptop, you can connect without
having to download and install any software.

Windows App is available for the following platforms:

Windows
macOS
iOS/iPadOS
Android/Chrome OS (preview)
Web browsers

Introductory video
Learn about Windows App in this video:
https://www.youtube-nocookie.com/embed/j0XU59VbKOc

What can you do with Windows App?


Windows App is designed with a customizable home screen to cater to your unique
workflow needs. You can access Windows across multiple different services and remote
PCs from a single place, and pin your favorites you access most. And if you use multiple
accounts, you can easily switch between them with our easy account switching feature.

There are many features to enhance your remote experience, such as:

Multiple monitor support.
Custom display resolutions.
Dynamic display resolutions and scaling.
Device redirection, such as webcams, audio, storage devices, and printers.
Microsoft Teams optimizations.
Sign in with multiple accounts and easily switch between them.

How can I get Windows App?


To learn how to download and install Windows App on your device, then connect to
your Windows devices and apps, use the following link.

Get started with Windows App

Get started with Windows App to
connect to desktops and apps
Article • 11/27/2024

Tip

This article is shared across different services and products. Select what you want to
connect to using the buttons at the top of this article.

Windows App securely connects you to Windows desktops and apps on a device of your
choice from:

Azure Virtual Desktop
Windows 365
Microsoft Dev Box
Remote Desktop Services
Remote PC

Windows App is available for:

Windows
macOS
iOS/iPadOS
Android/Chrome OS (preview)
Web browsers

To learn more about Windows App, see What is Windows App?

The following table shows what services and products you can connect to from different
platforms:

Connect to                Windows   macOS   iOS/iPadOS   Android/Chrome OS   Web browser

Azure Virtual Desktop     ✅        ✅      ✅           ✅                  ✅

Windows 365               ✅        ✅      ✅           ✅                  ✅

Microsoft Dev Box         ✅        ✅      ✅           ✅                  ✅

Remote Desktop Services   ❌¹       ✅      ✅           ✅                  ❌

Remote PC                 ❌²       ✅      ✅           ✅                  ❌

1. To connect to Remote Desktop Services on Windows, continue to use the Remote
Desktop app on Windows.
2. To connect to a remote PC on Windows, continue to use the Remote Desktop
Connection app that comes with Windows (also known as MSTSC).

This article shows you how to get started with Windows App on each platform. Make
sure you select what you want to connect to using the buttons at the top of this article
before continuing.

Prerequisites
Select a tab for the platform you're using.

Windows

Before you can download Windows App and connect to your desktops and apps
from Windows, you need:

Internet access to download Windows App from the Microsoft Store and
connect to Azure Virtual Desktop. Most networks don't block access to the
internet, but if your network does, you need to allow access to the list at
Required FQDNs and endpoints for Azure Virtual Desktop. Contact your
network administrator if you need help.

Your user account for Azure Virtual Desktop, and you're assigned devices or
apps by your administrator. You can also sign in with multiple accounts and
easily switch between them.

A device running a supported version of:
Windows 11 (x64 or Arm64).
Windows 10 (x64 or Arm64).

Connect to your desktops and apps
Select a tab for the platform you're using.

Windows

To connect to your desktops and apps from Azure Virtual Desktop on Windows,
follow these steps:

1. Download and install Windows App from the Microsoft Store . When
Windows App is installed, open it.

2. Select Sign in and sign in with your user account for Azure Virtual Desktop. If
you're signed in to your local Windows device with a work or school account
on a managed device, you're signed in automatically.

3. If it's your first time using Windows App, navigate through the tour to learn
more about Windows App, then select Done, or select Skip.

4. After you sign in, select the Devices tab or Apps tab to show your remote
resources from Azure Virtual Desktop and any other services you have access
to. Tabs are hidden if you don't have that type of resource assigned to you. If
you don't see any devices or apps, contact your administrator.

5. Find the device or app you want to connect to. You can use the search box
and filters to help you.

6. Select Connect on a device, or select an app to connect. You might be
prompted to enter the password for your user account again, depending on
how your administrator configures Azure Virtual Desktop.

7. Once the connection to your device or app is complete, you're ready to start
using it.

Tip

You can pin your favorite desktops and apps to the Favorites tab for
quick access. To learn more, see Device and app actions in Windows
App.

For administrators: you can also download Windows App for Windows
outside of the Microsoft Store as a .msix installer from What's new in
Windows App.

Provide feedback
You can provide feedback about Windows App using Feedback Hub, which is
installed on Windows by default, whether you want to make a suggestion or report
a problem.

To easily provide feedback:

1. Open Windows App.

2. Select the Feedback tab. Feedback Hub automatically opens and shows all
feedback provided for Windows App on Windows. You need to be signed in to
Feedback Hub to provide feedback.

3. Select Give new feedback, then complete the form.

4. Once you've completed the form, select Submit. Feedback you post is public.

Next steps
Learn how to use the features and functionality of Windows App and configure settings
in the following articles:

Device actions
Display settings
User account settings
Keyboard, mouse, touch, and pen
Device, audio, and folder redirection

Windows App documentation
Windows App is your gateway to Azure Virtual Desktop, Windows 365, Microsoft Dev Box,
Remote Desktop Services, and remote PCs, securely connecting you to Windows devices and
apps on a device of your choice.

Overview: What is Windows App?

Get started: Connect to devices and apps

Learn how to use Windows App:

Connect to devices and apps
Device actions
Configure display settings
Manage user accounts
Use keyboard, mouse, touch, and pen
Redirect local devices, audio, and folders

About Windows App:

What's new in Windows App
Compare features across platforms and devices

Learn more
Discover more articles to help you use Windows App.

Users: Documentation tailored to end-users.
Admins: Comprehensive documentation for admins who manage Windows App.

Related products and services
Discover some of the services you can connect to with Windows App.

Azure Virtual Desktop
Windows 365
Microsoft Dev Box
Remote Desktop clients for Azure Virtual Desktop
Article • 10/16/2024

With the Microsoft Remote Desktop clients, you can connect to Azure Virtual Desktop
and use and control desktops and apps that your admin has made available to you.
There are clients available for many different types of devices on different platforms and
form factors, such as desktops and laptops, tablets, smartphones, and through a web
browser. Using your web browser on desktops and laptops, you can connect without
having to download and install any software.

There are many features you can use to enhance your remote experience, such as:

Multiple monitor support.
Custom display resolutions.
Dynamic display resolutions and scaling.
Device redirection, such as webcams, storage devices, and printers.
Microsoft Teams optimizations.

Some features are only available with certain clients, so it's important to check Compare
the features of the Remote Desktop clients to understand the differences when
connecting to Azure Virtual Desktop.

Tip

You can use most versions of the Remote Desktop client to connect to Remote
Desktop Services in Windows Server or to a remote PC, as well as to Azure Virtual
Desktop. If you'd prefer to use Remote Desktop Services instead, learn more at
Remote Desktop clients for Remote Desktop Services.

Here's a list of the Remote Desktop client apps and our documentation for connecting
to Azure Virtual Desktop, where you can find download links, what's new, and learn how
to install and use each client.

Platform | Documentation and download links | Version information
Windows | Connect to Azure Virtual Desktop with the Remote Desktop client for Windows | What's new
Web | Connect to Azure Virtual Desktop with the Remote Desktop client for Web | What's new
macOS | Connect to Azure Virtual Desktop with the Remote Desktop client for macOS | What's new
iOS/iPadOS | Connect to Azure Virtual Desktop with the Remote Desktop client for iOS and iPadOS | What's new
Android/Chrome OS | Connect to Azure Virtual Desktop with the Remote Desktop client for Android and Chrome OS | What's new

Here's a list of legacy Remote Desktop client apps for Windows. See the below
documentation links for more information.

Platform | Documentation and download links | Version information
Azure Virtual Desktop Store app for Windows | Connect to Azure Virtual Desktop with the Remote Desktop client for Windows | What's new
Remote Desktop Store app for Windows | Connect to Azure Virtual Desktop with the Remote Desktop client for Windows | What's new


Get started with the Remote Desktop app
Article • 10/16/2024

Important

To ensure a seamless experience, users are encouraged to download Windows App.
Windows App is the gateway to securely connect to any devices or apps across
Azure Virtual Desktop, Windows 365, and Microsoft Dev Box. For more information,
see What is Windows App.

The Microsoft Remote Desktop client is used to connect to Azure Virtual Desktop to
access your desktops and applications. This article shows you how to connect to Azure
Virtual Desktop with the Remote Desktop client.

You can find a list of all the Remote Desktop clients at Remote Desktop clients overview.

Prerequisites
Select a tab for the platform you're using.

Windows

Before you can connect to your devices and apps from Windows, you need:

Internet access.

A device running one of the following supported versions of Windows:

Windows 11
Windows 10
Windows Server 2022
Windows Server 2019
Windows Server 2016

Important

Support for Windows 7 ended on January 10, 2023.
Support for Windows Server 2012 R2 ended on October 10, 2023.

.NET Framework 4.6.2 or later. You may need to install this on Windows Server
2016, and some versions of Windows 10. To download the latest version, see
Download .NET Framework.

Download and install the Remote Desktop client using the MSI installer.

Download and install the Remote Desktop client for Windows (MSI)
Here's how to install the Remote Desktop client for Windows using the MSI
installer. If you want to deploy the Remote Desktop client in an enterprise, you can
use msiexec from the command line to install the MSI file. For more information,
see Enterprise deployment.

1. Download the Remote Desktop client installer, choosing the correct version
for your device:

Windows 64-bit (most common)
Windows 32-bit
Windows ARM64

2. Run the installer by double-clicking the file you downloaded.

3. On the welcome screen, select Next.

4. To accept the end-user license agreement, check the box for I accept the
terms in the License Agreement, then select Next.

5. For the Installation Scope, select one of the following options:

Install just for you: Remote Desktop will be installed in a per-user folder
and be available just for your user account. You don't need local
Administrator privileges.
Install for all users of this machine: Remote Desktop will be installed in a
per-machine folder and be available for all users. You must have local
Administrator privileges.

6. Select Install.

7. Once installation has completed, select Finish.

8. If you left the box for Launch Remote Desktop when setup exits selected, the
Remote Desktop client will automatically open. Alternatively to launch the
client after installation, use the Start menu to search for and select Remote
Desktop.

Important

If you have the Remote Desktop client (MSI) and the Azure Virtual Desktop app
from the Microsoft Store installed on the same device, you may see the
message that begins A version of this application called Azure Virtual
Desktop was installed from the Microsoft Store. Both apps are supported, and
you have the option to choose Continue anyway, however it could be
confusing to use the same remote resource across both apps. We recommend
using only one version of the app at a time.

Subscribe to a workspace and connect to your desktops and applications
Select a tab for the platform you're using.

Windows

Subscribe to a workspace
A workspace combines all the desktops and applications that have been made
available to you by your admin. To be able to see these in the Remote Desktop
client, you need to subscribe to the workspace by following these steps:

1. Open the Remote Desktop app on your device.

2. The first time you subscribe to a workspace, from the Let's get started screen,
select Subscribe or Subscribe with URL.

If you selected Subscribe, sign in with your user account when
prompted, for example [email protected]. After a few seconds, your
workspaces should show the desktops and applications that have been
made available to you by your admin.

If you see the message No workspace is associated with this email
address, your admin might not have set up email discovery, or you're
using an Azure environment that isn't Azure cloud, such as Azure for US
Government. Try the steps to Subscribe with URL instead.

If you selected Subscribe with URL, in the Email or Workspace URL box,
enter the relevant URL from the following table. After a few seconds, the
message We found Workspaces at the following URLs should be
displayed.

Azure environment | Workspace URL
Azure cloud (most common) | https://rdweb.wvd.microsoft.com
Azure for US Government | https://rdweb.wvd.azure.us/api/arm/feeddiscovery
Azure operated by 21Vianet | https://rdweb.wvd.azure.cn/api/arm/feeddiscovery

3. Select Next.

4. Sign in with your user account when prompted. After a few seconds, the
workspace should show the desktops and applications that have been made
available to you by your admin.

Once you've subscribed to a workspace, its content is refreshed automatically at
regular intervals and each time you start the client. Resources may be added, changed,
or removed based on changes made by your admin.

Connect to your desktops and applications

To connect to your desktops and applications:

1. Open the Remote Desktop client on your device.

2. Double-click one of the icons to launch a session to Azure Virtual Desktop.
You may be prompted to enter the password for your user account again,
depending on how your admin has configured Azure Virtual Desktop.

Insider releases
If you want to help us test new builds before they're released, you should download
our Insider releases. Organizations can use the Insider releases to validate new
versions for their users before they're generally available. For more information, see
Enable Insider releases.

Next steps
To learn more about the features of the Remote Desktop client for Windows, check
out Use features of the Remote Desktop client for Windows when connecting to
Azure Virtual Desktop.

To learn more about the features of the Remote Desktop client for macOS, check
out Use features of the Remote Desktop client for macOS when connecting to
Azure Virtual Desktop.

To learn more about the features of the Remote Desktop client for iOS and iPadOS,
check out Use features of the Remote Desktop client for iOS and iPadOS when
connecting to Azure Virtual Desktop.

To learn more about the features of the Remote Desktop Web client, check out Use
features of the Remote Desktop Web client when connecting to Azure Virtual
Desktop.

To learn more about the features of the Remote Desktop client for Android and
Chrome OS, check out Use features of the Remote Desktop client for Android and
Chrome OS when connecting to Azure Virtual Desktop.

If you want to use Teams on Azure Virtual Desktop with media optimization, see
Use Microsoft Teams on Azure Virtual Desktop.

Use features of the Remote Desktop client for Windows when connecting to Azure Virtual Desktop
Article • 02/22/2024

Once you've connected to Azure Virtual Desktop using the Remote Desktop client, it's
important to know how to use the features. This article shows you how to use the
features available in the Remote Desktop client for Windows. If you want to learn how to
connect to Azure Virtual Desktop, see Connect to Azure Virtual Desktop with the
Remote Desktop client for Windows.

There are three versions of the Remote Desktop client for Windows, which are all
supported for connecting to Azure Virtual Desktop:

Standalone download as an MSI installer. This is the most common version of the
Remote Desktop client for Windows.
Azure Virtual Desktop app from the Microsoft Store. This is a preview version of
the Remote Desktop client for Windows.
Remote Desktop app from the Microsoft Store. This version is no longer being
developed.

Tip

You can also connect to Azure Virtual Desktop with Windows App, a single app to
securely connect you to Windows devices and apps from Azure Virtual Desktop,
Windows 365, Microsoft Dev Box, Remote Desktop Services, and remote PCs. For
more information, see What is Windows App?

You can find a list of all the Remote Desktop clients at Remote Desktop clients overview.
For more information about the differences between the clients, see Compare the
Remote Desktop clients.

Note

Your admin can choose to override some of these settings in Azure Virtual Desktop,
such as being able to copy and paste between your local device and your remote
session. If some of these settings are disabled, please contact your admin.

Refresh or unsubscribe from a workspace or see its details
Select a tab below for the version of the Remote Desktop client for Windows that you're
using.

To refresh or unsubscribe from a workspace or see its details:

1. Open the Remote Desktop application on your device.

2. Select the three dots to the right-hand side of the name of a workspace where
you'll see a menu with options for Details, Refresh, and Unsubscribe.

Details shows you details about the workspace, such as:

The name of the workspace.
The URL and username used to subscribe.
The number of desktops and apps.
The date and time of the last refresh.
The status of the last refresh.

Refresh makes sure you have the latest desktops and apps and their settings
provided by your admin.

Unsubscribe removes the workspace from the Remote Desktop client.

User accounts
Select a tab below for the version of the Remote Desktop client for Windows that you're
using.

Manage user accounts

You can save a user account and associate it with workspaces to simplify the connection
sequence, as the sign-in credentials will be used automatically. You can also edit a saved
account or remove accounts you no longer want to use.

User accounts are stored and managed in Credential Manager in Windows as a generic
credential.

To save a user account:

1. Open the Remote Desktop app on your device.

2. Double-click one of the icons to launch a session to Azure Virtual Desktop. If
you're prompted to enter the password for your user account again, enter the
password and check the box Remember me, then select OK.

To edit or remove a saved user account:

1. Open Credential Manager from the Control Panel. You can also open Credential
Manager by searching the Start menu.

2. Select Windows Credentials.

3. Under Generic Credentials, find your saved user account and expand its details. It
will begin with RDPClient.

4. To edit the user account, select Edit. You can update the username and password.
Once you're done, select Save.

5. To remove the user account, select Remove and confirm that you want to delete it.

Display preferences
Select a tab below for the version of the Remote Desktop client for Windows that you're
using.

Display settings for each remote desktop

If you want to use different display settings to those specified by your admin, you can
configure custom settings.

1. Open the Remote Desktop application on your device.

2. Right-click the name of a desktop connection, for example SessionDesktop, then
select Settings.

3. Toggle Use default settings to off.

4. On the Display tab, you can select from the following options:

Display configuration | Description
All displays | Automatically use all displays for the desktop. If you have multiple displays, all of them will be used. For information on limits, see Compare the features of the Remote Desktop clients.
Single display | Only a single display will be used for the remote desktop.
Select displays | Only select displays will be used for the remote desktop.

Each display configuration in the table above has its own settings. Use the
following table to understand each setting:

Setting | Display configurations | Description
Single display when in windowed mode | All displays; Select displays | Only use a single display when running in windowed mode, rather than full screen.
Start in full screen | Single display | The desktop will be displayed full screen.
Fit session to window | All displays; Single display; Select displays | When you resize the window, the scaling of the desktop will automatically adjust to fit the new window size. The resolution will stay the same.
Update the resolution on resize | Single display | When you resize the window, the resolution of the desktop will automatically change to match. If this is disabled, a new option for Resolution is displayed where you can select from a pre-defined list of resolutions.
Choose which display to use for this session | Select displays | Select which displays you want to use. All selected displays must be next to each other.
Maximize to current displays | Select displays | The remote desktop will show full screen on the current display(s) the window is on, even if this isn't the display selected in the settings. If this is off, the remote desktop will show full screen on the same display(s) regardless of the current display the window is on. If your window overlaps multiple displays, those displays will be used when maximizing the remote desktop.

Input methods
You can use touch input, or a built-in or external PC keyboard, trackpad and mouse to
control desktops or apps. Select a tab below for the version of the Remote Desktop
client for Windows that you're using.

Use touch gestures and mouse modes in a remote session

You can use touch gestures to replicate mouse actions in your remote session. If you
connect to Windows 10 or later with Azure Virtual Desktop, native Windows touch and
multi-touch gestures are supported.

The following table shows which mouse operations map to which gestures:

Mouse operation | Gesture
Left-click | Tap with one finger
Right-click | Tap and hold with one finger
Left-click and drag | Double-tap and hold with one finger, then drag
Right-click | Tap with two fingers
Right-click and drag | Double-tap and hold with two fingers, then drag
Mouse wheel | Tap and hold with two fingers, then drag up or down
Zoom | With two fingers, pinch to zoom out and move fingers apart to zoom in

Keyboard
There are several keyboard shortcuts you can use to help use some of the features.
Some of these are for controlling how the Remote Desktop client displays the session.
These are:

Key combination | Description
CTRL + ALT + HOME | Activates the connection bar when in full-screen mode and the connection bar isn't pinned.
CTRL + ALT + PAUSE | Switches the client between full-screen mode and window mode.

Most common Windows keyboard shortcuts, such as CTRL + C for copy and CTRL + Z
for undo, are the same when using Azure Virtual Desktop. When you're using a remote
desktop or app in windowed mode, there are some keyboard shortcuts that are different
so Windows knows when to use them in Azure Virtual Desktop or on your local device.
These are:

Windows shortcut | Azure Virtual Desktop shortcut | Description
CTRL + ALT + DELETE | CTRL + ALT + END | Shows the Windows Security dialog box. Also applicable in fullscreen mode.
ALT + TAB | ALT + PAGE UP | Switches between programs from left to right.
ALT + SHIFT + TAB | ALT + PAGE DOWN | Switches between programs from right to left.
WINDOWS key, or CTRL + ESC | ALT + HOME | Shows the Start menu.
ALT + SPACE BAR | ALT + DELETE | Shows the system menu.
PRINT SCREEN | CTRL + ALT + + (plus sign) | Takes a snapshot of the entire remote session, and places it in the clipboard.
ALT + PRINT SCREEN | CTRL + ALT + - (minus sign) | Takes a snapshot of the active window in the remote session, and places it in the clipboard.

Note

Keyboard shortcuts will not work when using remote desktop or RemoteApp
sessions that are nested.

Keyboard language
By default, remote desktops and apps will use the same keyboard language, also known
as locale, as your Windows PC. For example, if your Windows PC uses en-GB for English
(United Kingdom), that will also be used by Windows in the remote session.

You can manually set which keyboard language to use in the remote session by
following the steps at Managing display language settings in Windows. You might
need to close and restart the application you're currently using for the keyboard
changes to take effect.

Redirections
Select a tab below for the version of the Remote Desktop client for Windows that you're
using.

Folder redirection
The Remote Desktop client can make local folders available in your remote session. This
is known as folder redirection. This means you can open files from and save files to your
Windows PC with your remote session. Redirected folders appear as a network drive in
Windows Explorer.

Folder redirection can't be configured using the Remote Desktop client for Windows.
This behavior is configured by your admin in Azure Virtual Desktop. By default, all local
drives are redirected to a remote session.

Redirect devices, audio, and clipboard

The Remote Desktop client can make your local clipboard and local devices available in
your remote session where you can copy and paste text, images, and files. The audio
from the remote session can also be redirected to your local device. However,
redirection can't be configured using the Remote Desktop client for Windows. This
behavior is configured by your admin in Azure Virtual Desktop. Here's a list of some of
the devices and resources that can be redirected. For the full list, see Compare the
features of the Remote Desktop clients when connecting to Azure Virtual Desktop.

Printers
USB devices
Audio output
Smart cards
Clipboard
Microphones
Cameras

App display modes

Select a tab below for the version of the Remote Desktop client for Windows that you're
using.

You can configure the Remote Desktop client to be displayed in light or dark mode, or
match the mode of your system:

1. Open the Remote Desktop application on your device.

2. Select Settings.

3. Under App mode, select Light, Dark, or Use System Mode. The change is applied
instantly.

Views
You can view your remote desktops and apps as either a tile view (default) or list view:

1. Open the Remote Desktop application on your device.

2. If you want to switch to List view, select Tile, then select List view.

3. If you want to switch to Tile view, select List, then select Tile view.

Update the client

Select a tab below for the version of the Remote Desktop client for Windows that you're
using.

By default, you'll be notified whenever a new version of the client is available as long as
your admin hasn't disabled notifications. The notification will appear in the client and
the Windows Action Center. To update your client, just select the notification.

You can also manually search for new updates for the client:

1. Open the Remote Desktop application on your device.

2. Select the three dots at the top right-hand corner to show the menu, then select
About. The client will automatically search for updates.

3. If there's an update available, tap Install update to update the client. If the client is
already up to date, you'll see a green check box, and the message You're up to
date.

Tip

Admins can control notifications about updates and when updates are installed. For
more information, see Update behavior.

Enable Insider releases

Select a tab below for the version of the Remote Desktop client for Windows that you're
using.

If you want to help us test new builds of the Remote Desktop client for Windows before
they're released, you should download our Insider releases. Organizations can use the
Insider releases to validate new versions for their users before they're generally
available.

Note

Insider releases shouldn't be used in production.

Insider releases are made available in the Remote Desktop client once you've configured
the client to use Insider releases. To configure the client to use Insider releases:

1. Add the following registry key and value:

Key: HKLM\Software\Microsoft\MSRDC\Policies
Type: REG_SZ
Name: ReleaseRing
Data: insider

You can do this with PowerShell. On your local device, open PowerShell as an
administrator and run the following commands:

PowerShell

New-Item -Path "HKLM:\SOFTWARE\Microsoft\MSRDC\Policies" -Force
New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\MSRDC\Policies" -Name ReleaseRing -PropertyType String -Value insider -Force

2. Restart your local device.

3. Open the Remote Desktop client. The title in the top left-hand corner should be
Remote Desktop (Insider):

If you already have configured the Remote Desktop client to use Insider releases, you
can check for updates to ensure you have the latest Insider release by checking for
updates in the normal way. For more information, see Update the client.

Admin management

Enterprise deployment
To deploy the Remote Desktop client in an enterprise, you can use msiexec from a
command line to install the MSI file. You can install the client per-device or per-user by
running the relevant command from Command Prompt as an administrator:

Per-device installation:

Windows Command Prompt

msiexec /i <path to the MSI> /qn ALLUSERS=1

Per-user installation:

Windows Command Prompt

msiexec /i <path to the MSI> /qn ALLUSERS=2 MSIINSTALLPERUSER=1

Important

If you want to deploy the Remote Desktop client per-user with Intune or
Configuration Manager, you'll need to use a script. For more information, see
Install the Remote Desktop client for Windows on a per-user basis with Intune or
Configuration Manager.

Update behavior
You can control notifications about updates and when updates are installed. The update
behavior of the client depends on two factors:

Whether the app is installed for only the current user or for all users on the
machine

The value of the following registry key:

Key: HKLM\Software\Microsoft\MSRDC\Policies
Type: REG_DWORD
Name: AutomaticUpdates

The Remote Desktop client offers three ways to update:

Notification-based updates, where the client shows the user a notification in the
client UI or a pop-up message in the taskbar. The user can choose to update the
client by selecting the notification.

Silent on-close updates, where the client automatically updates after the user has
closed the Remote Desktop client.

Silent background updates, where a background process checks for updates a few
times a day and will update the client if a new update is available.

To avoid interrupting users, silent updates won't happen while users have the client
open, have a remote connection active, or if you've disabled automatic updates. If the
client is running while a silent background update occurs, the client will show a
notification to let users know an update is available.

You can set the AutomaticUpdates registry key to one of the following values:

Value | Update behavior (per-user installation) | Update behavior (per-machine installation)
0 | Disable notifications and turn off auto-update. | Disable notifications and turn off auto-update.
1 | Notification-based updates. | Notification-based updates.
2 (default) | Notification-based updates when the app is running. Otherwise, silent on-close and background updates. | Notification-based updates. No support for silent update mechanisms, as users may not have administrator access rights on the client device.
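As an added example (not from the Microsoft documentation), the following PowerShell script audits and enforces the MSRDC policy values described in the Enable Insider releases and Update behavior sections, wraps the per-device msiexec installation from Enterprise deployment with an exit-code check, and lists the saved RDPClient credential targets mentioned under User accounts. The registry path, value names and msiexec arguments are taken from the article; the function names are this example's own, and removing the ReleaseRing value to return the client to its default release ring is an assumption.

```powershell
# Added example, not from the Microsoft documentation. Audits and enforces the
# Remote Desktop client (MSRDC) policy values described in this article.
# Registry path, value names and msiexec arguments come from the article;
# the function names are this example's own. Run from an elevated PowerShell.

$MsrdcPolicyPath = 'HKLM:\SOFTWARE\Microsoft\MSRDC\Policies'

# Meaning of each documented AutomaticUpdates value (see the table above).
$AutomaticUpdatesMeaning = @{
    0 = 'Notifications and auto-update disabled'
    1 = 'Notification-based updates'
    2 = 'Default: notification-based while the app is running, otherwise silent on-close and background updates (per-user installs only)'
}

function Get-MsrdcPolicy {
    # Reads the two documented policy values; each is $null when not set.
    $values = Get-ItemProperty -Path $MsrdcPolicyPath -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ReleaseRing      = $values.ReleaseRing
        AutomaticUpdates = $values.AutomaticUpdates
    }
}

function Test-MsrdcPolicy {
    # Reports configuration findings a desktop admin would want to review.
    param([switch]$ProductionDevice)

    $policy   = Get-MsrdcPolicy
    $findings = @()

    if ($ProductionDevice -and $policy.ReleaseRing -eq 'insider') {
        $findings += 'ReleaseRing is "insider": Insider releases should not be used in production.'
    }
    if ($null -ne $policy.AutomaticUpdates) {
        if (-not $AutomaticUpdatesMeaning.ContainsKey([int]$policy.AutomaticUpdates)) {
            $findings += "AutomaticUpdates has an undocumented value: $($policy.AutomaticUpdates)."
        } elseif ([int]$policy.AutomaticUpdates -eq 0) {
            $findings += 'AutomaticUpdates is 0: the client will neither notify about nor install updates.'
        }
    }

    # An absent value behaves as the documented default (2).
    $effective = if ($null -eq $policy.AutomaticUpdates) { 2 } else { [int]$policy.AutomaticUpdates }
    [pscustomobject]@{
        ReleaseRing      = $policy.ReleaseRing
        AutomaticUpdates = $effective
        Meaning          = $AutomaticUpdatesMeaning[$effective]
        Findings         = $findings
        Compliant        = ($findings.Count -eq 0)
    }
}

function Set-MsrdcPolicy {
    # Writes the policy values with the types the article specifies
    # (AutomaticUpdates is REG_DWORD, ReleaseRing is REG_SZ).
    param(
        [ValidateSet(0, 1, 2)] [int]$AutomaticUpdates = 2,
        [switch]$EnableInsider
    )

    if (-not (Test-Path -Path $MsrdcPolicyPath)) {
        New-Item -Path $MsrdcPolicyPath -Force | Out-Null
    }
    New-ItemProperty -Path $MsrdcPolicyPath -Name AutomaticUpdates -PropertyType DWord `
        -Value $AutomaticUpdates -Force | Out-Null

    if ($EnableInsider) {
        New-ItemProperty -Path $MsrdcPolicyPath -Name ReleaseRing -PropertyType String `
            -Value 'insider' -Force | Out-Null
    } else {
        # Assumption: removing the value returns the client to the default release ring.
        Remove-ItemProperty -Path $MsrdcPolicyPath -Name ReleaseRing -ErrorAction SilentlyContinue
    }
    Get-MsrdcPolicy
}

function Install-RdClientPerDevice {
    # Same command as the article's per-device installation, with the exit code checked.
    param([Parameter(Mandatory)] [string]$MsiPath)

    if (-not (Test-Path -Path $MsiPath)) { throw "MSI not found: $MsiPath" }
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList "/i `"$MsiPath`" /qn ALLUSERS=1" -Wait -PassThru
    # 0 = success, 3010 = success but a restart is required (standard Windows Installer codes).
    if ($proc.ExitCode -notin @(0, 3010)) { throw "msiexec failed with exit code $($proc.ExitCode)" }
    $proc.ExitCode
}

function Get-SavedRdpClientCredential {
    # Lists the Credential Manager targets the client saved (names begin with RDPClient);
    # only the target names are shown, never the stored secrets.
    cmdkey /list | Select-String -Pattern 'RDPClient' | ForEach-Object { $_.Line.Trim() }
}

# Usage: audit first; enforcement of the default update behaviour is left commented out.
Test-MsrdcPolicy -ProductionDevice | Format-List
Get-SavedRdpClientCredential
# Set-MsrdcPolicy -AutomaticUpdates 2
```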

URI to subscribe to a workspace

The Remote Desktop client for Windows supports the ms-rd and ms-avd (preview)
Uniform Resource Identifier (URI) schemes. This enables you to invoke the Remote
Desktop client with specific commands, parameters, and values for use with Azure
Virtual Desktop. For example, you can subscribe to a workspace or connect to a
particular desktop or RemoteApp.

For more information and the available commands, see Uniform Resource Identifier
schemes with the Remote Desktop client for Azure Virtual Desktop.

Provide feedback
If you want to provide feedback to us on the Remote Desktop client for Windows, you
can do so by selecting the button that looks like a smiley face emoji in the client app, as
shown in the following image. This will open the Feedback Hub.

To best help you, we need you to give us as detailed information as possible. Along with
a detailed description, you can include screenshots, attach a file, or make a recording.
For more tips about how to provide helpful feedback, see Feedback.

Next steps
If you're having trouble with the Remote Desktop client, see Troubleshoot the Remote
Desktop client.

Use features of the Remote Desktop Web client when connecting to Azure Virtual Desktop
Article • 02/07/2024

Autoscale support for Azure Local with Azure Virtual Desktop is currently in PREVIEW.
See the Supplemental Terms of Use for Microsoft Azure Previews for legal terms that
apply to Azure features that are in beta, preview, or otherwise not yet released into
general availability.

Once you've connected to Azure Virtual Desktop using the Remote Desktop client, it's
important to know how to use the features. This article shows you how to use the
features available in the Remote Desktop Web client. If you want to learn how to
connect to Azure Virtual Desktop, see Connect to Azure Virtual Desktop with the
Remote Desktop Web client.

You can find a list of all the Remote Desktop clients at Remote Desktop clients overview.
For more information about the differences between the clients, see Compare the
Remote Desktop clients.

Note

Your admin can choose to override some of these settings in Azure Virtual
Desktop, such as being able to copy and paste between your local device and
your remote session. If some of these settings are disabled, please contact
your admin.

Users can now only see the new client version of the Azure Virtual Desktop
Web client user experience.

Display preferences
A remote desktop will automatically fit the size of the browser window. If you resize the
browser window, the remote desktop will resize with it. You can also enter fullscreen by
selecting fullscreen (the diagonal arrows icon) on the taskbar.

If you use a high-DPI display, the Remote Desktop Web client supports using native
display resolution during remote sessions. In sessions running on a high-DPI display,
native resolution can provide higher-fidelity graphics and improved text clarity.

Note

Enabling native display resolution with a high-DPI display may cause increased CPU
or network usage.

Native resolution is set to off by default. To turn on native resolution:

1. Sign in to the Remote Desktop Web client, then select Settings on the taskbar.

2. Set Enable native display resolution to On.

Grid view and list view

You can change the view of remote resources assigned to you between grid view
(default) and list view. To change between grid view and list view:

1. Sign in to the Remote Desktop Web client and select Settings on the taskbar.

2. In the top-right hand corner, select the Grid View icon or the List View icon. The
change will take effect immediately.

Light mode and dark mode

You can change between light mode (default) and dark mode. To change between light
mode and dark mode:

1. Sign in to the Remote Desktop Web client and select Settings on the taskbar.

2. Toggle Dark Mode to On to use dark mode, or Off to use light mode. The change
will take effect immediately.

Input methods
You can use a built-in or external PC keyboard, trackpad and mouse to control desktops
or apps.

Keyboard
There are several keyboard shortcuts you can use to help use some of the features. Most
common Windows keyboard shortcuts, such as CTRL + C for copy and CTRL + Z for
undo, are the same when using Azure Virtual Desktop. There are some keyboard
shortcuts that are different so Windows knows when to use them in Azure Virtual
Desktop or on your local device. These are:

Windows shortcut | Azure Virtual Desktop shortcut | Description
CTRL + ALT + DELETE | CTRL + ALT + END (Windows); FN + Control + Option + Delete (macOS) | Shows the Windows Security dialog box.
Windows | ALT + F3 | Sends the Windows key to the remote session.
ALT + TAB | ALT + PAGE UP | Switches between programs from left to right.
ALT + SHIFT + TAB | ALT + PAGE DOWN | Switches between programs from right to left.

Note

You can copy and paste text only. Files can't be copied or pasted to and from
the web client. Additionally, you can only use CTRL + C and CTRL + V to copy
and paste text.

When you're connected to a desktop or app, you can access the resources
toolbar at the top of window by using CTRL + ALT + HOME on Windows, or FN +
Control + Option + Home on macOS.

Input Method Editor

The web client supports Input Method Editor (IME) in the remote session. Before you
can use the IME in a remote session, the language pack for the keyboard you want to
use must be installed on your session host by your admin. To learn more about setting
up language packs in the remote session, see Add language packs to a Windows 10
multi-session image.

To enable IME input using the web client:

1. Sign in to the Remote Desktop Web client, then select Settings on the taskbar.

2. Set Enable Input Method Editor to On.

3. In the drop-down menu, select the keyboard you want to use in a remote session.

4. Connect to a remote session.

The web client will suppress the local IME window when you're focused on the remote
session. If you change the IME settings after you've already connected to the remote
session, the setting changes won't have any effect.

Note

The web client doesn't support IME input while using a private browsing window.

If the language pack isn't installed on the session host, the keyboard in the remote
session will default to English (United States).

Redirections
You can allow the remote computer to access files, printers, and the clipboard on
your local device. When you connect to a remote session, you'll be prompted whether
you want to allow access to local resources.

Transfer files
To transfer files between your local device and your remote session:

1. Sign in to the Remote Desktop Web client and launch a remote session.

2. For the prompt Access local resources, check the box for File transfer, then select
Allow.

3. Once your remote session has started, open File Explorer, then select This PC.

4. You'll see a redirected drive called Remote Desktop Virtual Drive on
RDWebClient. Inside this drive are two folders: Uploads and Downloads.

Downloads prompts your local browser to download any files you copy to
this folder.
Uploads contains the files you uploaded through the Remote Desktop Web
client.

5. To download from your remote session to your local device, copy and paste files to
the Downloads folder. Before the paste can complete, the Remote Desktop Web
client will prompt you Are you sure you want to download N file(s)?. Select
Confirm. Your browser will download the files in its normal way.

If you don't want to see this prompt every time you download files from the
current browser, check the box for Don’t ask me again on this browser before
confirming.

6. To upload files from your local device to your remote session, use the button in the
Remote Desktop Web client taskbar for Upload new file (the upwards arrow icon).
Selecting this will open a file explorer window on your local device.

Browse to and select files you want to upload to the remote session. You can select
multiple files by holding down the CTRL key on your keyboard for Windows, or the
Command key for macOS, then select Open. There is a file size limit of 255MB.

Important

We recommend using Copy rather than Cut when transferring files from your
remote session to your local device as an issue with the network connection
can cause the files to be lost.

Uploaded files are available in a remote session until you sign out of the
Remote Desktop Web client.

Don't download files directly from your browser in a remote session to the
Remote Desktop Virtual Drive on RDWebClient\Downloads folder as it
triggers your local browser to download the file before it is ready. Download
files in a remote session to a different folder, then copy and paste them to the
Remote Desktop Virtual Drive on RDWebClient\Downloads folder.

Clipboard
To use the clipboard between your local device and your remote session:

1. Sign in to the Remote Desktop Web client and launch a remote session.

2. For the prompt Access local resources, check the box for Clipboard, then select
Allow.

The Remote Desktop Web client supports copying and pasting text only. Files can't
be copied or pasted to and from the web client. To transfer files, see Transfer files.

Printer
You can enable the Remote Desktop Virtual Printer in your remote session. When you
print to this printer, a PDF file of your print job will be generated for you to download
and print on your local device. To enable the Remote Desktop Virtual Printer:

1. Sign in to the Remote Desktop Web client and launch a remote session.

2. For the prompt Access local resources, check the box for Printer, then select
Allow.

3. Start the printing process as you would normally for the app you want to print
from.

4. When prompted to choose a printer, select Remote Desktop Virtual Printer.

5. If you wish, you can set the orientation and paper size. When you're ready, select
Print. A PDF file of your print job will be generated and your browser will
download the files in its normal way. You can choose to either open the PDF and
print its contents to your local printer or save it to your PC for later use.

Launch remote session with another Remote Desktop client
If you have another Remote Desktop client installed, you can download an RDP file
instead of using the browser window for a remote session. To configure the Remote
Desktop Web client to download RDP files:

1. Sign in to the Remote Desktop Web client, then select Settings on the taskbar.

2. For Resources Launch Method, select Download the RDP file.

3. Select the resource you want to open (for example, Excel). Your browser will
download the RDP in its normal way.

4. Open the downloaded RDP file in your Remote Desktop client to launch a remote
session.

Reset user settings

If you want to reset your user settings back to the default, you can do this in the web
client for the current browser. To reset user settings:

1. Sign in to the Remote Desktop Web client and select Settings on the taskbar.

2. Select Reset user settings. You'll need to confirm that you want to reset the web
client settings to default.

Provide feedback
If you want to provide feedback to us on the Remote Desktop Web client, you can do so
in the Web client:

1. Sign in to the Remote Desktop Web client, then select the three dots (...) on the
taskbar to show the menu.

2. Select Feedback to open the Azure Virtual Desktop Feedback page.

Next steps
If you're having trouble with the Remote Desktop client, see Troubleshoot the Remote
Desktop client.

Feedback
Was this page helpful?  Yes  No

Provide product feedback | Get help at Microsoft Q&A


Use features of the Remote Desktop client for macOS when connecting to Azure Virtual Desktop
Article • 11/21/2022

Once you've connected to Azure Virtual Desktop using the Remote Desktop client, it's
important to know how to use the features. This article shows you how to use the
features available in the Remote Desktop client for macOS. If you want to learn how to
connect to Azure Virtual Desktop, see Connect to Azure Virtual Desktop with the
Remote Desktop client for macOS.

You can find a list of all the Remote Desktop clients at Remote Desktop clients overview.
For more information about the differences between the clients, see Compare the
Remote Desktop clients.

Note

Some of the settings in this article can be overridden by your admin, such as being
able to copy and paste between your local device and your remote session. If some
of these settings are disabled, please contact your admin.

Edit, refresh, or delete a workspace

To edit, refresh or delete a workspace:

1. Open the Microsoft Remote Desktop application on your device, then select
Workspaces.

2. Right-click the name of a workspace or hover your mouse cursor over it and you'll
see a menu with options for Edit, Refresh, and Delete.

Edit allows you to specify a user account to use each time you connect to the
workspace without having to enter the account each time. To learn more, see
Manage user accounts.
Refresh makes sure you have the latest desktops and apps and their settings
provided by your admin.
Delete removes the workspace from the Remote Desktop client.

User accounts

Add user credentials to a workspace

You can save a user account and associate it with workspaces to simplify the connection
sequence, as the sign-in credentials will be used automatically.

1. Open the Microsoft Remote Desktop application on your device, then select
Workspaces.

2. Right-click the name of a workspace, then select Edit.

3. For User account, select Add User Account... to add a new account, or select an
account you've previously added.

4. If you selected Add User Account..., enter a username, password, and optionally a
friendly name, then select Add.

5. Select Save.

Manage user accounts

You can save a user account and associate it with workspaces to simplify the connection
sequence, as the sign-in credentials will be used automatically. You can also remove
accounts you no longer want to use.

To save a user account:

1. Open the Microsoft Remote Desktop application on your device.

2. From the macOS menu bar, select Microsoft Remote Desktop, then select
Preferences.

3. Select the User Accounts tab, then the + (plus) icon.

4. Enter a username, password, and optionally a friendly name, then select Add. You
can then add this account to a workspace by following the steps in Add user
credentials to a workspace.

5. Close Preferences.

To remove an account you no longer want to use:

1. Open the Microsoft Remote Desktop application on your device.

2. From the macOS menu bar, select Microsoft Remote Desktop, then select
Preferences.

3. Select the User Accounts tab, then select the account you want to remove.

4. Select the - (minus) icon, then confirm you want to delete the user account.

5. Close Preferences.

Display preferences

Add, remove, or restore display resolutions

To add, remove or restore display resolutions:

1. Open the Microsoft Remote Desktop application on your device.

2. From the macOS menu bar, select Microsoft Remote Desktop, then select
Preferences.

3. Select the Resolutions tab.

4. To add a custom resolution, select the + (plus) icon and enter in the width and
height in pixels, then select Add.

5. To remove a resolution, select the resolution you want to remove, then select the -
(minus) icon. Confirm you want to delete the resolution by selecting Delete.

6. To restore default resolutions, select Restore Defaults.

Display settings for each remote desktop

If you want to use different display settings to those specified by your admin, you can
configure custom settings.

1. Open the Microsoft Remote Desktop application on your device, then select
Workspaces.

2. Right-click the name of a desktop, for example SessionDesktop, then select Edit.

3. Check the box for Use custom settings.

4. On the Display tab, you can select from the following options:

Option | Description
Resolution | Select the resolution to use for the desktop. You can select from a predefined list, or add custom resolutions.
Use all monitors | Automatically use all monitors for the desktop. If you have multiple monitors, all of them will be used. For information on limits, see Compare the features of the Remote Desktop clients.
Start session in full screen | The desktop will be displayed full screen, rather than windowed.
Fit session to window | When you resize the window, the scaling of the desktop will automatically adjust to fit the new window size. The resolution will stay the same.
Color quality | The quality and number of colors used. Higher quality will use more bandwidth.
Optimize for Retina displays | Scale the desktop to match the scaling used on the Mac client. This will use four times more bandwidth.
Update the session resolution on resize | When you resize the window, the resolution of the desktop will automatically change to match.

Displays have separate spaces

macOS allows you to create extra desktops, called Spaces, where only the windows that
are in that space are visible. This is set in macOS System Preferences > Mission Control
> Displays have separate Spaces. If this is disabled, macOS will use the same desktop
across all monitors.

When separate Spaces are disabled, if the Remote Desktop client has Start session in
full screen enabled, but Use all monitors disabled, only one monitor will be used and
the others will be blank. Either enable Use all monitors so the remote desktop is
displayed on all monitors, or enable Displays have separate spaces in Mission Control
so that the remote desktop will be displayed full screen on one monitor, but others will
show the macOS desktop.

Sidecar
You can use Apple Sidecar during a remote session, allowing you to extend a Mac
desktop display using an iPad as an extra monitor.

Input methods
You can use a built-in or external Mac keyboard, trackpad and mouse to control
desktops or apps.

Keyboard
Mac and Windows keyboard layouts differ slightly - for example, the Command key on a
Mac keyboard equals the Windows key on a Windows keyboard. To help with the
differences this makes when using keyboard shortcuts, the Remote Desktop client
automatically maps common shortcuts found in macOS so they'll work in Windows.
These are:


Key combination Function

CMD + C Copy

CMD + X Cut

CMD + V Paste

CMD + A Select all

CMD + Z Undo

CMD + F Find

In addition, the Alt key to the right of the space bar on a Mac keyboard equals the
Alt Gr in Windows.

Keyboard language
By default, remote desktops and apps will use the same keyboard language, also known
as locale, as your Mac. For example, if your Mac uses en-GB for English (United
Kingdom), that will also be used by Windows in the remote session.

There are some Mac-specific layouts or custom layouts for which an exact match may
not be available on the version of Windows you're connecting to. Your Mac keyboard
will be matched to the best available on the remote session.

If your keyboard layout is set to a variation of a language, such as Canadian-French, and
if the remote session can't map you to that exact variation, it will map the closest
available language instead. For example, if you chose the Canadian-French locale and it
wasn't available, the closest language would be French. However, some of the Mac
keyboard shortcuts you're used to using on your Mac may not work as expected in the
remote session.

There are some scenarios where characters in the remote session don't match the
characters you typed on the Mac keyboard:

Using a keyboard that the remote session doesn't recognize. When Azure Virtual
Desktop doesn't recognize the keyboard, it defaults to the language last used with
the remote PC.
Connecting to a previously disconnected session from Azure Virtual Desktop where
that session uses a different keyboard language than the language you're currently
trying to use.
Needing to switch keyboard modes between unicode and scancode. To learn
more, see Keyboard modes.

You can manually set which keyboard language to use in the remote session by
following the steps at Managing display language settings in Windows . You might
need to close and restart the application you're currently using for the keyboard
changes to take effect.

Keyboard modes
There are two different modes you can use that control how keyboard input is
interpreted in a remote session: Scancode and Unicode.

With Scancode, user input is redirected by sending key press up and down information
to the remote session. Each key is identified by its physical position on the keyboard and
uses the keyboard layout of the remote session, not the keyboard of the local device.
For example, scancode 31 is the key next to Caps Lock. On a US keyboard this key would
produce the character "A", while on a French keyboard this key would produce the
character "Q".

With Unicode, user input is redirected by sending each character to the remote session.
When a key is pressed, the locale of the user is used to translate this input to a
character. This can be as simple as the character "a" by simply pressing the "a" key, but
it can enable an Input Method Editor (IME), allowing you to input multiple keystrokes to
create more complex characters, such as for Chinese and Japanese input sources. Below
are some examples of when to use each mode.

When to use Scancode:

Dealing with characters that aren't printable, such as Arrow Up or shortcut
combinations.

Certain applications that don't accept Unicode input for characters such as: Hyper-V
VMConnect (for example, no way to input a BitLocker password), VMware
Remote Console, all applications written using the Qt framework (for example R
Studio, TortoiseHg, QtCreator).

Applications that utilize scancode input for actions, such as Space bar to
check/uncheck a checkbox, or individual keys as shortcuts, for example
applications in browser.

When to use Unicode:

To avoid a mismatch in expectations. A user who expects the keyboard to behave
like a Mac keyboard and not like a PC keyboard can run into issues where Mac and
PC have differences for the same locale/region layout.

When the keyboard layout used on the client might not be available on the server.

To switch between keyboard modes:

1. Open the Microsoft Remote Desktop application on your device.

2. From the macOS menu bar, select Connections, then select Keyboard Mode.

3. Choose Scancode or Unicode.

Alternatively, you can use the following keyboard shortcut to select each mode:

Scancode: Ctrl + Command + K

Unicode: Ctrl + Command + U

Input Method Editor

The Remote Desktop client supports Input Method Editor (IME) in a remote session for
input sources. The local macOS IME experience will be accessible in the remote session.

Important

For an IME to work, the input mode needs to be in Unicode Mode. To learn more,
see Keyboard modes.

Mouse and trackpad
You can use a mouse or trackpad with the Remote Desktop client. In order to use the
right-click or secondary-click, you may need to configure macOS to enable right-click, or
you can plug in a standard PC two-button USB mouse. To enable right-click in macOS:

1. Open System Preferences.

2. For the Apple Magic Mouse, select Mouse, then check the box for Secondary click.

3. For the Apple Magic Trackpad or MacBook Trackpad, select Trackpad, then check
the box for Secondary click.

Redirections

Folder redirection
The Remote Desktop client enables you to make local folders available in your remote
session. This is known as folder redirection. This means you can open files from and save
files to your Mac with your remote session. Folders can also be redirected as read-only.
Redirected folders appear in the remote session as a network drive in Windows Explorer.

All remote sessions

To enable folder redirection for all remote desktops:

1. Open the Microsoft Remote Desktop application on your device.

2. From the macOS menu bar, select Microsoft Remote Desktop, then select
Preferences.

3. Select the General tab, then for If folder redirection is enabled for RDP files or
managed resources, redirect:, select Choose Folder....

4. Navigate to the folder you want to be available in all your remote desktop
sessions, then select Choose.

5. Close the Preferences window. Optionally, if you want to make this folder available
as read-only, check the box before closing the window.

Each remote resource

To enable folder redirection for each remote desktop individually:

If you want to use different display settings to those specified by your admin for the
workspace, you can configure custom settings.

1. Open the Microsoft Remote Desktop application on your device, then select
Workspaces.

2. Right-click the name of a desktop, for example SessionDesktop, then select Edit.

3. Check the box for Use custom settings.

4. On the Folders tab, check the box Redirect folders, then select the + (plus) icon.

5. Navigate to the folder you want to be available when accessing this remote
resource, then select Open. You can add multiple folders by repeating the previous
step and this step.

6. Select Save. Optionally, if you want to make this folder available as read-only,
check the box, then select Save.

Redirect devices, audio, and clipboard

The Remote Desktop client can make your local clipboard and local devices available in
your remote desktop where you can copy and paste text, images, and files. You can also
redirect the audio from the remote desktop to your local device. You can redirect:

Printers
Smart cards
Clipboard
Microphones
Cameras

To enable redirection of devices, audio and the clipboard:

1. Open the Microsoft Remote Desktop application on your device, then select
Workspaces.

2. Right-click the name of a desktop, for example SessionDesktop, then select Edit.

3. Check the box for Use custom settings.

4. On the Devices & Audio tab, check the box for each device you want to use in the
remote desktop.

5. Select whether you want to play sound On this computer, On the remote PC, or
Never.

6. Select Save.

Microsoft Teams optimizations

You can use Microsoft Teams on Azure Virtual Desktop to chat, collaborate, make calls,
and join meetings. With media optimization, the Remote Desktop client handles audio
and video locally for Teams calls and meetings. For more information, see Use Microsoft
Teams on Azure Virtual Desktop.

Starting with version 10.7.7 of the Remote Desktop client for macOS, optimizations for
Teams are enabled by default. If you need to enable optimizations for Microsoft Teams:

1. Open the Microsoft Remote Desktop application on your device.

2. From the macOS menu bar, select Microsoft Remote Desktop, then select
Preferences.

3. Select the General tab, then check the box Enable optimizations for Microsoft
Teams.

General app settings

To set other general settings of the Remote Desktop app to use with Azure Virtual
Desktop:

1. Open the Microsoft Remote Desktop application on your device.

2. From the macOS menu bar, select Microsoft Remote Desktop, then select
Preferences.

3. Select the General tab. You can change the following settings:

Setting | Value | Description
Show PC thumbnails | Check On or Off | Show thumbnails of remote sessions.
Help improve Remote Desktop | Check On or Off | Send anonymous data to Microsoft.
Use Mac shortcuts for copy, cut, paste and select all, undo, and find | Check On or Off | Use these shortcuts in remote sessions.
Use system proxy configuration | Check On or Off | Use the proxy specified in macOS network settings.
Graphics interpolation level | Select from Automatic, None, Low, Medium, or High | As the interpolation level is increased, most text and graphics appear smoother, but rendering performance will decrease (if hardware acceleration is disabled).
Use hardware acceleration when possible | Check On or Off | Use graphics hardware to render graphics.

Admin link to subscribe to a workspace

The Remote Desktop client for macOS supports the ms-rd Uniform Resource Identifier
(URI) scheme. This enables you to give users a link that automatically subscribes them
to a workspace, rather than having them manually add the workspace in the Remote
Desktop client.

To subscribe to a workspace with a link:

1. Open the following link in a web browser: ms-rd:subscribe?url=https://rdweb.wvd.microsoft.com

2. If you see the prompt This site is trying to open Microsoft Remote Desktop.app,
select Open. The Microsoft Remote Desktop application should open and
automatically show a sign-in prompt.

3. Enter your user account, then select Sign in. After a few seconds, your workspaces
should show the desktops and applications that have been made available to you
by your admin.

Test the beta client

If you want to help us test new builds before they're released, you should download our
beta client. Organizations can use the beta client to validate new versions for their users
before they're generally available.

Note

The beta client shouldn't be used in production.

You can download the beta client for macOS from our preview channel on AppCenter.
You don't need to create an account or sign into AppCenter to download the beta client.

If you already have the beta client, you can check for updates to ensure you have the
latest version by following these steps:

1. Open the Microsoft Remote Desktop application on your device.

2. From the macOS menu bar, select Microsoft Remote Desktop, then select Check
for updates.

Provide feedback
If you want to provide feedback to us on the Remote Desktop client for macOS, you can
do so in the app:

1. Open the Microsoft Remote Desktop application on your device.

2. From the macOS menu bar, select Help, then select Submit Feedback.

Next steps
If you're having trouble with the Remote Desktop client, see Troubleshoot the Remote
Desktop client.



Use features of the Remote Desktop client for iOS and iPadOS when connecting to Azure Virtual Desktop
Article • 12/05/2022

Once you've connected to Azure Virtual Desktop using the Remote Desktop client, it's
important to know how to use the features. This article shows you how to use the
features available in the Remote Desktop client for iOS and iPadOS. If you want to learn
how to connect to Azure Virtual Desktop, see Connect to Azure Virtual Desktop with the
Remote Desktop client for iOS and iPadOS.

You can find a list of all the Remote Desktop clients at Remote Desktop clients overview.
For more information about the differences between the clients, see Compare the
Remote Desktop clients.

Note

Your admin can choose to override some of these settings in Azure Virtual Desktop,
such as being able to copy and paste between your local device and your remote
session. If some of these settings are disabled, please contact your admin.

Edit, refresh, or delete a workspace

To edit, refresh or delete a workspace:

1. Open the RD Client application on your device, then tap Workspaces.

2. Tap and hold the name of a workspace and you'll see a menu with options for Edit,
Refresh, and Delete. You can also pull down to refresh all workspaces.

Edit allows you to specify a user account to use each time you connect to the
workspace without having to enter the account each time. To learn more, see
Manage user accounts.
Refresh makes sure you have the latest desktops and apps and their settings
provided by your admin.
Delete removes the workspace from the Remote Desktop client.

User accounts
Learn how to add user credentials to a workspace and manage them.

Add user credentials to a workspace

You can save a user account and associate it with workspaces to simplify the connection
sequence, as the sign-in credentials will be used automatically.

1. Open the RD Client application on your device, then tap Workspaces.

2. Tap and hold the name of a workspace, then select Edit.

3. Tap User account, then select Add User Account to add a new account, or select
an account you've previously added.

4. If you selected Add User Account, enter a username, password, and optionally a
friendly name, then tap the back arrow (<).

5. Tap the X mark to return to Workspaces.

Manage user accounts

You can save a user account and associate it with workspaces to simplify the connection
sequence, as the sign-in credentials will be used automatically. You can also remove
accounts you no longer want to use.

To save a user account:

1. Open the RD Client application on your device.

2. In the top left-hand corner, tap the menu icon (the circle with three dots inside),
then tap Settings.

3. Tap User Accounts, then tap Add User Account.

4. Enter a username, password, and optionally a friendly name, then tap the back
arrow (<). You can then add this account to a workspace by following the steps in
Add user credentials to a workspace.

5. Tap the back arrow (<), then tap the X mark.

To remove an account you no longer want to use:

1. Open the RD Client application on your device.

2. In the top left-hand corner, tap the menu icon (the circle with three dots inside),
then tap Settings.

3. Tap User Accounts, then select the account you want to remove.

4. Tap Delete. The account will be removed immediately.

5. Tap the back arrow (<), then tap the X mark.

Display preferences
Learn how to set display preferences, such as orientation and resolution.

Set orientation
You can set the orientation of the Remote Desktop client to landscape, portrait, or auto-
adjust, where it will match the orientation of your device. Auto-adjust is supported when
your remote session is running Windows 10 or later. The window will maintain the same
scaling and update the resolution to match the new orientation. This setting applies to
all workspaces.

To set the orientation:

1. Open the RD Client application on your device.

2. In the top left-hand corner, tap the menu icon (the circle with three dots inside),
then tap Settings.

3. Tap Display, then tap Orientation.

4. Tap your preference from Auto-adjust, Lock to Landscape or Lock to Portrait.

5. You can also set Use Home Indicator Area. Toggling this on will show graphics
from the remote session in the area at the bottom of the screen occupied by the
Home indicator. This setting only applies in landscape orientation.

6. Tap the back arrow (<), then tap the X mark.

Set display resolution

You can choose the resolution for your remote session from a predefined list. This
setting applies to all workspaces.

Note

Changes to the display resolution only take effect for new connections. For current
connections, you'll need to disconnect and reconnect from a remote session.

To set the resolution:

1. Open the RD Client application on your device.

2. In the top left-hand corner, tap the menu icon (the circle with three dots inside),
then tap Settings.

3. Tap Display.

4. Tap a resolution from the list.

5. Tap the back arrow (<), then tap the X mark.

Use full display or home indicator area

On iPadOS, you can set Use Full Display. Toggling this on will use the full display of your
device, but will result in some content from the remote session being obscured, such as
graphics in the rounded corners of the screen.

1. Open the RD Client application on your device.

2. In the top left-hand corner, tap the menu icon (the circle with three dots inside),
then tap Settings.

3. Tap Display.

4. Toggle Use Full Display.

5. Tap the back arrow (<), then tap the X mark.

On iOS, you can set Use Home Indicator Area. Toggling this on will show graphics from
the remote session in the area at the bottom of the screen occupied by the Home
indicator. This setting only applies in landscape orientation. For more information about
display orientation, see Set orientation. To set Use Home Indicator Area:

1. Open the RD Client application on your device.

2. In the top left-hand corner, tap the menu icon (the circle with three dots inside),
then tap Settings.

3. Tap Display.

4. Toggle Use Home Indicator Area.


5. Tap the back arrow (<), then tap the X mark.

Connection bar and session overview menu


When you've connected to Azure Virtual Desktop, you'll see a bar at the top, which is
called the connection bar. This gives you quick access to a zoom control, represented
by a magnifying glass icon, and the ability to toggle between showing and hiding the
on-screen keyboard. You can move the connection bar around the top and side edges
of the display by tapping and dragging it to where you want it. If you tap and hold the
zoom control, you can choose the percentage by which to zoom by using the slider. If
you use a keyboard, you can also show and hide the connection bar by pressing
Shift + CMD + Space bar.

The middle icon in the connection bar is the Remote Desktop logo. If you tap this, it
shows the session overview screen. The session overview screen enables you to:

Go to the Connection Center using the Home icon.
Switch inputs between touch and the mouse pointer (when not using a separate mouse).
Switch between active desktops and apps.
Disconnect all active sessions.

Pressing Tab on a keyboard will switch between the PCs and Apps tab in the session
overview menu. You can also use arrow keys to navigate and select an active session to
open.

You can return to an active session from the Connection Center using the Return
Arrow button found in the bottom right corner of the Connection Center.

Input methods
The Remote Desktop client supports native touch gestures, keyboard, mouse, and
trackpad.

Use touch gestures and mouse modes in a remote session


You can use touch gestures to replicate mouse actions in your remote session. Two
mouse modes are available:

Direct touch: where you tap on the screen is the equivalent to clicking a mouse in
that position. The mouse pointer isn't shown on screen.
Mouse pointer: The mouse pointer is shown on screen. When you tap the screen
and move your finger, the mouse pointer will move.

If you connect to Windows 10 or later with Azure Virtual Desktop, native Windows touch
and multi-touch gestures are supported in direct touch mode.

The following table shows which mouse operations map to which gestures in specific
mouse modes:

Mouse mode | Mouse operation | Gesture
Direct touch | Left-click | Tap with one finger
Direct touch | Right-click | Tap and hold with one finger
Mouse pointer | Left-click | Tap with one finger
Mouse pointer | Left-click and drag | Double-tap and hold with one finger, then drag
Mouse pointer | Right-click | Tap with two fingers, or tap and hold with one finger
Mouse pointer | Right-click drag | Double-tap and hold with two fingers, then drag
Mouse pointer | Mouse wheel | Tap and hold with two fingers, then drag up or down
Mouse pointer | Zoom | With two fingers, pinch to zoom out and spread fingers apart to zoom in

Keyboard
You can use familiar keyboard shortcuts when using a keyboard with your iPad or
iPhone and Azure Virtual Desktop. Mac and Windows keyboard layouts differ slightly -
for example, the Command key on a Mac keyboard equals the Windows key on a Windows
keyboard. To help with the differences this makes when using keyboard shortcuts, the
Remote Desktop client automatically maps common shortcuts found in iOS and iPadOS
so they'll work in Windows. These are:

Key combination | Function
CMD + C | Copy
CMD + X | Cut
CMD + V | Paste
CMD + A | Select all
CMD + Z | Undo
CMD + F | Find
CMD + + | Zoom in
CMD + - | Zoom out

In addition, the Alt key to the right of the space bar on a Mac keyboard equals the
Alt Gr in Windows.

Mouse and trackpad


You can use a mouse or trackpad with the Remote Desktop app. However, support for
these devices depends on whether you're using iOS or iPadOS. iPadOS natively supports
a mouse and trackpad as an input method; for more information, see Connect a
Bluetooth mouse or trackpad to your iPad .

On iOS, the only native support for a mouse and trackpad is through AssistiveTouch.
AssistiveTouch provides a cursor that emulates touch input, so it doesn't support
right-click actions or external monitors, and we don't recommend using it with the
Remote Desktop app. For iPhone users projecting a remote session to a larger external
monitor, we recommend the following options:

1. Use the Remote Desktop app as a touchpad, where the iPhone itself serves as a
touchpad for the remote session. The app automatically switches to touchpad mode
once it's connected to an external monitor.

2. Use a Bluetooth mouse from the Swiftpoint PenGrip models, which are compatible
with the Remote Desktop app. The following models are supported:

Swiftpoint ProPoint
Swiftpoint PadPoint
Swiftpoint GT

To use a Swiftpoint mouse, pair it with your iPhone and then select it in the Remote
Desktop app:

a. Put the mouse in pairing mode for bluetooth.

b. Open the Settings app on your iPhone, then select Bluetooth.

c. The mouse should be listed under Other devices. Tap the name of the mouse to
pair it.

d. Open the RD Client application on your device.

e. In the top left-hand corner, tap the menu icon (the circle with three dots inside),
then tap Settings.

f. Tap Input Devices, then in the list of the devices, tap the name of the Swiftpoint
mouse you want to use.

g. Tap the back arrow (<), then tap the X mark. You're ready to connect to a
remote session and use the Swiftpoint mouse.

Redirections
The Remote Desktop client enables you to make your local clipboard available in your
remote session. By default, text you copy on your iOS or iPadOS device is available to
paste in your remote session, and text you copy in your remote session is available to
paste on your iOS or iPadOS device.

General app settings


To set other general settings of the Remote Desktop app to use with Azure Virtual
Desktop:

1. Open the RD Client application on your device.

2. In the top left-hand corner, tap the menu icon (the circle with three dots inside),
then tap Settings.

3. You can change the following settings:

Setting | Value | Description
Show PC Thumbnails | Toggle On or Off | Show thumbnails of remote sessions.
Allow Display Auto-Lock | Toggle On or Off | Allow your device to turn off its screen.
Use HTTP Proxy | Toggle On or Off | Use the HTTP proxy specified in iOS/iPadOS network settings.
Appearance | Select from Light, Dark, or System | Set the appearance of the Remote Desktop client.
Send Data to Microsoft | Toggle On or Off | Help improve the Remote Desktop client by sending anonymous data to Microsoft.

Test the beta client


If you want to help us test new builds before they're released, you should download our
beta client. Organizations can use the beta client to validate new versions for their users
before they're generally available.

Note

The beta client shouldn't be used in production.

You can download the beta client for iOS and iPadOS from TestFlight. To get started, see
Microsoft Remote Desktop for iOS .

Provide feedback
If you want to provide feedback to us on the Remote Desktop client for iOS and iPadOS,
you can do so in the app:

1. Open the RD Client application on your device.

2. In the top left-hand corner, tap the menu icon (the circle with three dots inside),
then tap Settings.

3. Tap Submit feedback, which will open the feedback page in your browser.

Next steps
If you're having trouble with the Remote Desktop client, see Troubleshoot the Remote
Desktop client.


Use features of the Remote Desktop
client for Android and Chrome OS when
connecting to Azure Virtual Desktop
Article • 01/18/2023

Once you've connected to Azure Virtual Desktop using the Remote Desktop client, it's
important to know how to use the features. This article shows you how to use the
features available in the Remote Desktop client for Android and Chrome OS. If you want
to learn how to connect to Azure Virtual Desktop, see Connect to Azure Virtual Desktop
with the Remote Desktop client for Android and Chrome OS.

You can find a list of all the Remote Desktop clients at Remote Desktop clients overview.
For more information about the differences between the clients, see Compare the
Remote Desktop clients.

Note

Your admin can choose to override some of these settings in Azure Virtual Desktop,
such as being able to copy and paste between your local device and your remote
session. If some of these settings are disabled, please contact your admin.

Edit, refresh, or delete a workspace


To edit, refresh or delete a workspace:

1. Open the RD Client app on your device, then tap Workspaces.

2. Tap the three dots to the right-hand side of the name of a workspace where you'll
see a menu with options for Edit, Refresh, and Delete.

Edit allows you to specify a user account to use each time you connect to the
workspace without having to enter the account each time. To learn more, see
Manage user accounts.
Refresh makes sure you have the latest desktops and apps and their settings
provided by your admin.
Delete removes the workspace from the Remote Desktop client.

User accounts
Add user credentials to a workspace
You can save a user account and associate it with workspaces to simplify the connection
sequence, as the sign-in credentials will be used automatically.

1. Open the RD Client app on your device, then tap Workspaces.

2. Tap the three dots to the right-hand side of the name of a workspace, then select
Edit.

3. For User account, tap the drop-down menu, then select Add User Account to add
a new account, or select an account you've previously added.

4. If you selected Add User Account, enter a username and password, then tap Save.

5. Tap Save again to return to Workspaces.

Manage user accounts


You can save a user account and associate it with workspaces to simplify the connection
sequence, as the sign-in credentials will be used automatically. You can also remove
accounts you no longer want to use.

To save a user account:

1. Open the RD Client app on your device.

2. In the top left-hand corner, tap the menu icon (three horizontal lines), then tap
User Accounts.

3. Tap the plus icon (+).

4. Enter a username and password, then tap Save. You can then add this account to a
workspace by following the steps in Add user credentials to a workspace.

5. Tap the back arrow (<) to return to Workspaces.

To remove an account you no longer want to use:

1. Open the RD Client app on your device.

2. In the top left-hand corner, tap the menu icon (three horizontal lines), then tap
User Accounts.

3. Tap and hold the account you want to remove.

4. Tap delete (the bin icon). Confirm you want to delete the account.
5. Tap the back arrow (<) to return to Workspaces.

Display preferences

Set orientation
You can set the orientation of the Remote Desktop client to landscape, portrait, or auto-
adjust, where it will match the orientation of your device. Auto-adjust is supported when
your remote session is running Windows 10 or later. The window will maintain the same
scaling and update the resolution to match the new orientation. This setting applies to
all workspaces.

To set the orientation:

1. Open the RD Client app on your device.

2. In the top left-hand corner, tap the menu icon (three horizontal lines), then tap
Display.

3. For orientation, tap your preference from Auto-adjust, Lock to landscape or Lock
to portrait.

4. Tap the back arrow (<) to return to Workspaces.

Set display resolution


You can choose the resolution for your remote session from a predefined list. This
setting applies to all workspaces. You'll need to reconnect to remote sessions if you
changed the resolution while connected.

To set the resolution:

1. Open the RD Client app on your device.

2. In the top left-hand corner, tap the menu icon (three horizontal lines), then tap
Display.

3. You can tap Default, Match this device, or tap + Customized for a drop-down list
of predefined resolutions. If you choose a customized resolution, you can also
choose the scaling percentage.

4. Tap the back arrow (<) to return to Workspaces.


DeX
You can use Samsung DeX with a remote session, which enables you to extend your
Android or Chromebook device's display to a larger monitor or TV.

Connection bar and session overview menu


When you've connected to Azure Virtual Desktop, you'll see a bar at the top, which is
called the connection bar. This gives you quick access to a zoom control, represented
by a magnifying glass icon, and the ability to toggle between showing and hiding the
on-screen keyboard. You can move the connection bar around the top edge of the
display by tapping and dragging it to where you want it.

The middle icon in the connection bar is the Remote Desktop logo. If you tap this, it
shows the session overview screen. The session overview screen enables you to:

Go to the Connection Center using the Home icon.
Switch inputs between touch and the mouse pointer (when not using a separate mouse).
Switch between active desktops and apps.
Disconnect all active sessions.

You can return to an active session from the Connection Center using the Return
Arrow button found in the bottom right corner of the Connection Center.

Input methods
The Remote Desktop client supports native touch gestures, keyboard, mouse, and
trackpad.

Use touch gestures and mouse modes in a remote session


You can use touch gestures to replicate mouse actions in your remote session. Two
mouse modes are available:

Direct touch: where you tap on the screen is the equivalent to clicking a mouse in
that position. The mouse pointer isn't shown on screen.
Mouse pointer: The mouse pointer is shown on screen. When you tap the screen
and move your finger, the mouse pointer will move.

If you connect to Windows 10 or later with Azure Virtual Desktop, native Windows touch
and multi-touch gestures are supported in direct touch mode.
The following table shows which mouse operations map to which gestures in specific
mouse modes:

Mouse mode | Mouse operation | Gesture
Direct touch | Left-click | Tap with one finger
Direct touch | Right-click | Tap and hold with one finger
Mouse pointer | Left-click | Tap with one finger
Mouse pointer | Left-click and drag | Double-tap and hold with one finger, then drag
Mouse pointer | Right-click | Tap with two fingers, or tap and hold with one finger
Mouse pointer | Right-click drag | Double-tap and hold with two fingers, then drag
Mouse pointer | Mouse wheel | Tap and hold with two fingers, then drag up or down
Mouse pointer | Zoom | With two fingers, pinch to zoom out and spread fingers apart to zoom in

Input Method Editor


The Remote Desktop client supports Input Method Editor (IME) in a remote session for
input sources. The local Android or Chrome OS IME experience will be accessible in the
remote session.

Important

For an IME to work, the input mode needs to be in Unicode Mode. To learn more,
see Keyboard modes.

Keyboard
You can use some familiar keyboard shortcuts when using a keyboard with your Android
or Chrome OS device and Azure Virtual Desktop, for example using CTRL + C for copy.
Some Windows keyboard shortcuts are also used as shortcuts on Android and Chrome
OS devices, for example using ALT + TAB to switch between open applications. By
default, these shortcuts won't be passed through to a remote session. Depending on
your Android or Chrome OS device, you may be able to disable certain shortcuts being
used locally, where they'll then be passed through to a remote session.

Keyboard modes
There are two different modes you can use that control how keyboard input is
interpreted in a remote session: Scancode and Unicode.

With Scancode, user input is redirected by sending key press up and down information
to the remote session. Each key is identified by its physical position on the keyboard and
uses the keyboard layout of the remote session, not the keyboard of the local device.
For example, scancode 31 is the key next to Caps Lock. On a US keyboard this key would
produce the character "A", while on a French keyboard this key would produce the
character "Q".

With Unicode, user input is redirected by sending each character to the remote session.
When a key is pressed, the locale of the user is used to translate this input to a
character. This can be as simple as the character "a" by simply pressing the "a" key, but
it can enable an Input Method Editor (IME), allowing you to input multiple keystrokes to
create more complex characters, such as for Chinese and Japanese input sources. Below
are some examples of when to use each mode.

When to use Scancode:

Dealing with characters that aren't printable, such as Arrow Up, or shortcut combinations.
Certain applications that don't accept Unicode input for characters, such as Hyper-V VMConnect (for example, there's no way to input a BitLocker password), VMware Remote Console, and all applications written using the Qt framework (for example RStudio, TortoiseHg, QtCreator).
Applications that use scancode input for actions, such as the Space bar to check or uncheck a checkbox, or individual keys as shortcuts, for example applications in a browser.

When to use Unicode:

To avoid a mismatch in expectations. A user who expects the keyboard to behave in a certain way can run into issues where there are differences for the same locale/region layout.
When the keyboard layout used on the client might not be available on the server.

By default, the Remote Desktop client uses Unicode. To switch between keyboard
modes:

1. Open the RD Client app on your device.

2. In the top left-hand corner, tap the menu icon (three horizontal lines), then tap
General.

3. Toggle Use scancode input when available to On to use scancode, or Off to use
Unicode.

Redirections
You can allow the remote computer to access the clipboard on your local device. When
you connect to a remote session, you'll be prompted whether you want to allow access to
local resources. The Remote Desktop client supports copying and pasting text only.

To use the clipboard between your local device and your remote session:

1. Open the RD Client app on your device.

2. Tap one of the icons to launch a session to Azure Virtual Desktop.

3. For the prompt Make sure you trust the remote PC before you connect, check the
box for Clipboard, then select Connect.

General app settings


To set other general settings of the Remote Desktop app to use with Azure Virtual
Desktop:

1. Open the RD Client app on your device.

2. In the top left-hand corner, tap the menu icon (three horizontal lines), then tap
General.

3. You can change the following settings:

Setting | Value | Description
Show desktop previews | Toggle On or Off | Show thumbnails of remote sessions.
Use HTTP Proxy | Toggle On or Off | Use the HTTP proxy specified in Android or Chrome OS network settings.
Help improve Remote Desktop | Toggle On or Off | Send anonymous data to Microsoft.
Theme | Select from Light, Dark, or System | Set the appearance of the Remote Desktop client.

Test the beta client


If you want to help us test new builds before they're released, you should download our
beta client. Organizations can use the beta client to validate new versions for their users
before they're generally available.

Note

The beta client shouldn't be used in production environments.

You can download the beta client for Android and Chrome OS from Google Play .
You'll need to give consent to access preview versions and download the client. You'll
receive preview versions directly through the Google Play Store.

Provide feedback
If you want to provide feedback to us on the Remote Desktop client for Android and
Chrome OS, you can do so in the app:

1. Open the RD Client app on your device.

2. In the top left-hand corner, tap the menu icon (three horizontal lines), then tap
General.

3. Tap Submit feedback, which will open the feedback page in your browser.

Next steps
If you're having trouble with the Remote Desktop client, see Troubleshoot the Remote
Desktop client.


Compare Remote Desktop app features
across platforms and devices
Article • 10/08/2024

Tip

This article is shared for services and products that use the Remote Desktop
Protocol (RDP) to provide remote access to Windows desktops and apps.

Use the buttons at the top of this article to select what you want to connect to so
the article shows the relevant information.

The Remote Desktop app is available on Windows, macOS, iOS and iPadOS, Android and
Chrome OS, and in a web browser. However, support for some features differs across
these platforms. This article details which features are supported on which platforms.

There are three versions of the Remote Desktop app for Windows, which are all
supported for connecting to Azure Virtual Desktop:

Standalone download as an MSI installer. This is the most common version of the
Remote Desktop app for Windows and is referred to in this article as Windows
(MSI).

Azure Virtual Desktop app from the Microsoft Store. This is a preview version of
the Remote Desktop app for Windows and is referred to in this article as Windows
(AVD Store).

Remote Desktop app from the Microsoft Store. This version is no longer being
developed and is referred to in this article as Windows (RD Store).

Experience
The following table compares which Remote Desktop app experience features are
supported on which platforms:

Feature | Windows (MSI) | Windows (AVD Store) | Windows (RD Store) | macOS | iOS/iPadOS | Android/Chrome OS | Web browser
Appearance (dark or light) | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔
Integrated apps | ✔ | ✔ | X | X | X | X | X
Localization | ✔ | ✔ | ✔ | X | ✔ | X | ✔
Pin to Start Menu | X | X | ✔ | X | X | X | X
Search | X | X | X | ✔ | ✔ | ✔ | ✔
URI schemes | ✔¹ | ✔¹ | X | X | X | X | X

1. ms-rd and ms-avd URI schemes only.

The following table provides a description for each of the experience features:

Feature | Description
Appearance (dark or light) | Change the appearance of the Remote Desktop app to be light or dark.
Integrated apps | Individual apps using RemoteApp are integrated with the local device as if they're running locally.
Localization | User interface available in languages other than English (United States).
Pin to Start Menu | Pin your favorite devices and apps to the Windows Start Menu for quick access.
Search | Quickly search for devices or apps.
Uniform Resource Identifier (URI) schemes | Start the Remote Desktop app or connect to a remote session with specific parameters and values with a URI.

Display
The following table compares which display features are supported on which platforms:
Feature | Windows (MSI) | Windows (AVD Store) | Windows (RD Store) | macOS | iOS/iPadOS | Android/Chrome OS | Web browser
Dynamic resolution | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔
External monitor | ✔ | ✔ | X | ✔ | ✔ | X | X
Multiple monitors¹ | ✔ | ✔ | X | ✔ | X | X | X
Selected monitors | ✔ | ✔ | X | X | ✔ | X | X
Smart sizing | ✔ | ✔ | ✔ | ✔ | X | X | X

1. Up to 16 monitors.

The following table provides a description for each of the display features:

Feature | Description
Dynamic resolution | The resolution and orientation of local displays is dynamically reflected in the remote session for desktops. If the session is running in windowed mode, the desktop is dynamically resized to the size of the window.
External monitor | Enables the use of an external display for a remote session.
Multiple monitors | Enables the remote session to use all local displays. Each display can have a maximum resolution of 8K, with the total combined resolution limited to 32K. These limits depend on factors such as session host specification and network connectivity.
Selected monitors | Specifies which local displays to use for the remote session.
Smart sizing | A desktop in windowed mode is dynamically scaled to the window's size.

Multimedia
The following table shows which multimedia features are available on each platform:

Feature | Windows (MSI) | Windows (AVD Store) | Windows (RD Store) | macOS | iOS/iPadOS | Android/Chrome OS | Web browser
Multimedia redirection | ✔ | ✔ | X | X | X | X | X
Teams media optimizations | ✔ | ✔ | X | ✔ | X | X | X

The following table provides a description for each of the multimedia features:

Feature | Description
Multimedia redirection | Redirect media content from the desktop or app to the physical machine for faster processing and rendering.
Teams media optimizations | Optimized Microsoft Teams calling and meeting experience.

Redirection
The following sections detail the redirection support available on each platform.

Tip

Redirection of some peripheral and resource types needs to be enabled by an
administrator before they can be used in a remote session. For more information,
see Redirection over the Remote Desktop Protocol, where you can also find links
in the Related content section to articles that explain how to configure redirection
for specific peripheral and resource types.
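The following PowerShell script is an added example; it is not part of this article or of Microsoft's own tooling. It shows the administrator side of the tip above from a least-privilege angle: it applies a deny-by-default redirection baseline to an Azure Virtual Desktop host pool through the pool's custom RDP properties, then reads the pool back to confirm every value took effect. It assumes the Az.DesktopVirtualization module, an existing Connect-AzAccount session with write access to the pool, and placeholder resource group and host pool names. The property names are the RDP file properties Azure Virtual Desktop accepts for host pools; confirm each against the current RDP properties reference before rolling the script out.

```powershell
#Requires -Modules Az.DesktopVirtualization
# Added example, not from the Azure Virtual Desktop documentation. Applies a
# restrictive redirection baseline to a host pool via custom RDP properties and
# verifies the result. Assumes an existing Connect-AzAccount session with write
# access to the pool. Resource group and host pool names are placeholders.
param(
    [string]$ResourceGroupName = 'rg-avd-example',
    [string]$HostPoolName      = 'hp-avd-example'
)

# Deny by default: nothing from the local device reaches the session host unless
# there is a business reason for it. Smart card and WebAuthn stay on so
# phishing-resistant sign-in inside the session keeps working.
$baseline = [ordered]@{
    'redirectclipboard'    = 'i:0'   # no clipboard in either direction
    'drivestoredirect'     = 's:'    # no local drives or storage
    'usbdevicestoredirect' = 's:'    # no opaque low-level USB redirection
    'redirectcomports'     = 'i:0'   # no serial (COM) ports
    'redirectprinters'     = 'i:0'   # no local printers
    'redirectlocation'     = 'i:0'   # no device location
    'redirectsmartcards'   = 'i:1'   # smart card sign-in allowed
    'redirectwebauthn'     = 'i:1'   # FIDO2 / Windows Hello allowed
}

# Parse "name:type:value;name:type:value;..." into an ordered map, lay the
# baseline on top of whatever the pool already has, and serialize it back so
# unrelated properties (for example audio settings) are preserved.
function Merge-RdpProperty {
    param([string]$Existing, [System.Collections.IDictionary]$Override)
    $props = [ordered]@{}
    foreach ($entry in ($Existing -split ';')) {
        if ([string]::IsNullOrWhiteSpace($entry)) { continue }
        $name, $rest = $entry.Trim() -split ':', 2
        $props[$name] = $rest
    }
    foreach ($name in $Override.Keys) { $props[$name] = $Override[$name] }
    $parts = foreach ($kv in $props.GetEnumerator()) { "$($kv.Key):$($kv.Value)" }
    return ($parts -join ';') + ';'
}

$pool   = Get-AzWvdHostPool -ResourceGroupName $ResourceGroupName -Name $HostPoolName
$merged = Merge-RdpProperty -Existing $pool.CustomRdpProperty -Override $baseline
Update-AzWvdHostPool -ResourceGroupName $ResourceGroupName -Name $HostPoolName `
    -CustomRdpProperty $merged | Out-Null

# Read back and fail loudly if any baseline value did not stick. The same check
# can run on a schedule to catch drift introduced through the portal.
$applied = (Get-AzWvdHostPool -ResourceGroupName $ResourceGroupName -Name $HostPoolName).CustomRdpProperty
$missing = foreach ($name in $baseline.Keys) {
    if (($applied -split ';') -notcontains "${name}:$($baseline[$name])") { $name }
}
if ($missing) { throw "Baseline not applied for: $($missing -join ', ')" }
Write-Host "Host pool '$HostPoolName' custom RDP properties: $applied"
```

Re-enable individual peripherals per host pool where a workflow needs them (for example printers for one pool) rather than loosening the baseline everywhere; the merge function keeps any such per-pool additions intact on the next run.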

Device redirection
The following table shows which local devices you can redirect to a remote session on
each platform:
Feature | Windows (MSI) | Windows (AVD Store) | Windows (RD Store) | macOS | iOS/iPadOS | Android/Chrome OS | Web browser
Cameras | ✔ | ✔ | X | ✔ | ✔ | ✔ | ✔¹
Local drive/storage | ✔ | ✔ | X | ✔ | ✔ | ✔ | ✔²
Microphones | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔
Printers | ✔ | ✔ | X | ✔³ | X | X | ✔⁴
Scanners⁵ | ✔ | ✔ | X | X | X | X | X
Smart cards | ✔ | ✔ | X | ✔ | X | X | X
Speakers | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔

1. Camera redirection in a web browser is in preview.
2. Limited to uploading and downloading files through a web browser.
3. The Remote Desktop app on macOS supports the Publisher Imagesetter printer driver by default (Common UNIX Printing System (CUPS) only). Native printer drivers aren't supported.
4. PDF printing only.
5. High-level redirection of TWAIN scanners isn't supported. You can only redirect USB scanners using opaque low-level redirection. For more information, see Peripheral and resource redirection over the Remote Desktop Protocol.

The following table provides a description for each type of device you can redirect:

Device type | Description
Cameras | Redirect a local camera to use with apps like Microsoft Teams.
Local drive/storage | Access local disk drives in a remote session.
Microphones | Redirect a local microphone to use with apps like Microsoft Teams.
Printers | Print from a remote session to a local printer.
Scanners | Access a local scanner in a remote session.
Smart cards | Use smart cards in a remote session.
Speakers | Play audio in the remote session or on the local device.

Input redirection
The following table shows which input methods you can redirect:

Feature | Windows (MSI) | Windows (AVD Store) | Windows (RD Store) | macOS | iOS/iPadOS | Android/Chrome OS | Web browser
Keyboard | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔
Keyboard input language | ✔ | ✔ | ✔ | ✔ | X | X | ✔¹
Keyboard shortcuts | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔
Mouse/trackpad | ✔ | ✔ | ✔ | ✔ | ✔² | ✔ | ✔
Multi-touch | ✔ | ✔ | ✔ | X | ✔ | ✔ | X
Pen | ✔ | ✔ | X | X | ✔ | ✔ | ✔
Touch | ✔ | ✔ | ✔ | X | ✔ | ✔ | ✔

1. Enabled by alternative keyboard layout.

The following table provides a description for each type of input you can redirect:

Input type | Description
Keyboard | Redirect keyboard inputs to the remote session.
Mouse/trackpad | Redirect mouse or trackpad inputs to the remote session.
Multi-touch | Redirect multiple touches simultaneously to the remote session.
Pen | Redirect pen inputs, including pressure, to the remote session.
Touch | Redirect touch inputs to the remote session.


Port redirection
The following table shows which ports you can redirect:

Port type | Windows (MSI) | Windows (AVD Store) | Windows (RD Store) | macOS | iOS/iPadOS | Android/Chrome OS | Web browser
Serial | ✔ | ✔ | X | X | X | X | X
USB | ✔ | ✔ | X | X | X | X | X

The following table provides a description for each port you can redirect:

Port type | Description
Serial | Redirect serial (COM) ports on the local device to the remote session.
USB | Redirect supported USB devices on the local device to the remote session.

Other redirection
The following table shows which other features you can redirect:

Feature | Windows (MSI) | Windows (AVD Store) | Windows (RD Store) | macOS | iOS/iPadOS | Android/Chrome OS | Web browser
Clipboard - bidirectional | ✔ | ✔ | ✔ | ✔ | ✔¹ | ✔² | ✔²
Clipboard - unidirectional³ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔
Location | ✔⁴ | ✔⁴ | X | X | ✔ | X | ✔
Third-party virtual channel plugins | ✔ | ✔ | X | X | X | X | X
Time zone | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔
WebAuthn | ✔ | ✔ | X | X | X | X | X

1. Text and images only.
2. Text only.
3. macOS support is native in the Remote Desktop app. All other platforms require remote session configuration. For more information, see Configure the clipboard transfer direction and types of data that can be copied.
4. From a local device running Windows 11 only.

The following table provides a description for each other redirection feature you can
redirect:

Feature | Description
Clipboard - bidirectional | Redirect the clipboard from the local device to the remote session and from the remote session to the local device.
Clipboard - unidirectional | Control the direction in which the clipboard can be used and restrict the types of data that can be copied.
Location | The location of the local device can be made available in the remote session.
Third-party virtual channel plugins | Enables third-party virtual channel plugins to extend Remote Desktop Protocol (RDP) capabilities.
Time zone | The time zone of the local device can be made available in the remote session.
WebAuthn | Authentication requests in the remote session can be redirected to the local device, allowing the use of security devices such as Windows Hello for Business or a security key.
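Footnote 3 above says that one-directional clipboard use needs configuration on the remote session side on every platform except macOS. The script below is an added example, not part of this article, showing that configuration for a session host that should accept plain text from the local device but never release session data to it; it is also the admin-side override of copy and paste that the Android and Chrome OS section mentions. It assumes the registry value names and levels documented in Configure the clipboard transfer direction and types of data that can be copied, and a session host running a Windows build that article lists as supported. Run it elevated on the session host, or deliver the same values through Intune or Group Policy.

```powershell
# Added example, not part of the Azure Virtual Desktop documentation. Makes the
# clipboard one-way on a session host: plain text may be pasted into the
# session, nothing may be copied out. Value names and levels follow the article
# "Configure the clipboard transfer direction and types of data that can be
# copied"; confirm them against that article for your session host build.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Level meanings from the referenced article:
#   0 = blocked, 1 = plain text, 2 = text and images,
#   3 = text, images and RTF, 4 = text, images, RTF and HTML.
$clipboardPolicy = [ordered]@{
    CSClipLevel = 1   # client (local device) -> session: plain text only
    SCClipLevel = 0   # session -> client: blocked
}

function Set-ClipboardDirectionPolicy {
    param([string]$Path, [System.Collections.IDictionary]$Values)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    foreach ($name in $Values.Keys) {
        New-ItemProperty -Path $Path -Name $name -PropertyType DWord `
            -Value $Values[$name] -Force | Out-Null
    }
}

# Returns the names whose stored value differs from what was requested, so the
# same function doubles as a drift check for a scheduled compliance job.
function Get-ClipboardPolicyDrift {
    param([string]$Path, [System.Collections.IDictionary]$Values)
    $current = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    foreach ($name in $Values.Keys) {
        if ($null -eq $current -or $current.$name -ne $Values[$name]) { $name }
    }
}

Set-ClipboardDirectionPolicy -Path $policyKey -Values $clipboardPolicy

# The levels only matter if clipboard redirection itself is still allowed:
# fDisableClip must not be 1 on the host, and the host pool's RDP property
# must be redirectclipboard:i:1.
$disabled = (Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue).fDisableClip
if ($disabled -eq 1) {
    Write-Warning 'fDisableClip=1: clipboard redirection is fully disabled, so the levels will not apply.'
}

$drift = Get-ClipboardPolicyDrift -Path $policyKey -Values $clipboardPolicy
if ($drift) { throw "Clipboard policy not applied for: $($drift -join ', ')" }
Write-Host 'Clipboard policy applied: client->session plain text only, session->client blocked.'
```

Users then still see the client-side clipboard prompt described earlier, but accepting it only grants what the session host policy allows; the Android and Chrome OS client's text-only clipboard is further narrowed to one direction by the SCClipLevel value.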

Authentication
The following sections detail the authentication support available on each platform and
the following table provides a description for each credential type:

Credential type | Description
Passkeys (FIDO2) | Passkeys provide a standards-based passwordless authentication method that comes in many form factors, including FIDO2 security keys. Passkeys incorporate the web authentication (WebAuthn) standard.
Microsoft Authenticator | The Microsoft Authenticator app helps sign in to Microsoft Entra ID without using a password, or provides an extra verification option for multifactor authentication. Microsoft Authenticator uses key-based authentication to enable a user credential that is tied to a device, where the device uses a PIN or biometric.
Windows Hello for Business certificate trust | Uses an enterprise managed public key infrastructure (PKI) for issuing and managing end user certificates.
Windows Hello for Business cloud trust | Uses Microsoft Entra Kerberos, which enables a simpler deployment when compared to the key trust model.
Windows Hello for Business key trust | Uses hardware-bound keys created during the provisioning experience.

Cloud service authentication


The authentication to the service, which includes subscribing to your resources and
authenticating to the Gateway, is with Microsoft Entra ID. For more information about
the service components of Azure Virtual Desktop, see Azure Virtual Desktop service
architecture and resilience.

The following table shows which credential types are available for each platform:

Feature | Windows (MSI) | Windows (AVD Store) | Windows (RD Store) | macOS | iOS/iPadOS | Android/Chrome OS | Web browser
Passkeys (FIDO2) | ✔ | ✔ | ✔ | ✔¹ | ✔¹ | X | ✔
Microsoft Authenticator | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔
Password | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔
Smart card with Active Directory Federation Services | ✔ | ✔ | ✔ | ✔ | X | X | ✔
Smart card with Microsoft Entra certificate-based authentication | ✔ | ✔ | ✔ | ✔ | ✔ | X | ✔
Windows Hello for Business certificate trust | ✔ | ✔ | ✔ | X | X | X | ✔²
Windows Hello for Business cloud trust | ✔ | ✔ | ✔ | X | X | X | ✔²
Windows Hello for Business key trust | ✔ | ✔ | ✔ | X | X | X | ✔²

1. Available in preview. Requires macOS client version 10.9.8 or later. Requires iOS client version 10.5.9 or later. For more information, see Support for FIDO2 authentication with Microsoft Entra ID.
2. Available when using a web browser on a local Windows device only.

Remote session authentication

When connecting to a remote session, there are multiple ways to authenticate. If single sign-on (SSO) is enabled, the credentials used to sign into the cloud service are automatically passed through when connecting to the remote session. The following table shows which types of credential can be used to authenticate to the remote session if single sign-on is disabled:

Feature | Windows (MSI) | Windows (AVD Store) | Windows (RD Store) | macOS | iOS/iPadOS | Android/Chrome OS | Web browser
Passkeys (FIDO2) | X | X | X | X | X | X | X
Microsoft Authenticator | X | X | X | X | X | X | X
Password | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔
Smart card | ✔ ¹ | ✔ ¹ | X | ✔ ² | X | X | X
Windows Hello for Business certificate trust | ✔ | ✔ | X | X | X | X | X
Windows Hello for Business cloud trust | X | X | X | X | X | X | X
Windows Hello for Business key trust | ✔ ³ | ✔ ³ | X | X | X | X | X

1. Requires smart card redirection.
2. Requires smart card redirection with Network Level Authentication (NLA) disabled.
3. Requires a certificate for Remote Desktop Protocol (RDP) sign-in.

In-session authentication
The following table shows which types of credential are available when authenticating within a remote session:

Feature | Windows (MSI) | Windows (AVD Store) | Windows (RD Store) | macOS | iOS/iPadOS | Android/Chrome OS | Web browser
Passkeys (FIDO2) | ✔ ² | ✔ ² | X | X | X | X | X
Password | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔
Smart card | ✔ ¹ | ✔ ¹ | X | ✔ ¹ | X | X | X
Windows Hello for Business certificate trust | ✔ ² | ✔ ² | X | X | X | X | X
Windows Hello for Business cloud trust | ✔ ² | ✔ ² | X | X | X | X | X
Windows Hello for Business key trust | ✔ ² | ✔ ² | X | X | X | X | X

1. Requires smart card redirection.
2. Requires WebAuthn redirection.

Security
The following table shows which security features are available on each platform:

Feature | Windows (MSI) | Windows (AVD Store) | Windows (RD Store) | macOS | iOS/iPadOS | Android/Chrome OS | Web browser
Screen capture protection | ✔ | ✔ | X | ✔ | X | X | X
Watermarking | ✔ | ✔ | X | ✔ | ✔ | ✔ | ✔

The following table provides a description for each security feature:

Feature | Description
Screen capture protection | Helps prevent sensitive information in the remote session from being screen captured from the physical device.
Watermarking | Helps protect sensitive information from being stolen or altered.

Network
The following table shows which network features are available on each platform:

Feature | Windows (MSI) | Windows (AVD Store) | Windows (RD Store) | macOS | iOS/iPadOS | Android/Chrome OS | Web browser
Connection information | ✔ | ✔ | X | ✔ | X | X | ✔
RDP Shortpath for managed networks | ✔ | ✔ | X | ✔ | ✔ | X | X
RDP Shortpath for public networks | ✔ | ✔ | X | ✔ | ✔ | X | X
Private Link | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔

The following table provides a description for each network feature:

Feature | Description
Connection information | See the connection information of the remote session.
RDP Shortpath for managed networks | Better connection reliability and more consistent latency through direct UDP-based transport on a private/managed network connection.
RDP Shortpath for public networks | Better connection reliability and more consistent latency through direct UDP-based transport on a public network connection.
Private Link | Connect a remote session over a private connection.

Install the Remote Desktop client for Windows on a per-user basis with Intune or Configuration Manager
Article • 01/23/2024

You can install the Remote Desktop client for Windows on either a per-system or per-user basis. Installing it on a per-system basis installs the client on the machines for all users by default, and administrators control updates. Per-user installation installs the application to a subfolder within the local AppData folder of each user's profile, enabling users to install updates without needing administrative rights.

When you install the client using msiexec.exe, per-system is the default method of client installation. You can use the parameters ALLUSERS=2 MSIINSTALLPERUSER=1 with msiexec to install the client per-user. However, if you're deploying the client with Intune or Configuration Manager, using msiexec directly to install the client causes it to be installed per-system, regardless of the parameters used. Wrapping the msiexec command in a PowerShell script enables the client to be successfully installed per-user.

Prerequisites
In order to install the Remote Desktop client for Windows on a per-user basis with Intune or Configuration Manager, you need the following things:

Download the latest version of the Remote Desktop client for Windows.

Supported Windows devices managed by Microsoft Intune or Configuration Manager with permission to add applications.

For Intune, you need a local Windows device to use the Microsoft Win32 Content Prep Tool.

Install the Remote Desktop client per-user using a PowerShell script
To install the client on a per-user basis using a PowerShell script, select the relevant tab for your scenario and follow the steps.

Intune
Here's how to install the client on a per-user basis using a PowerShell script with
Intune as a Windows app (Win32).

1. Create a new folder on your local Windows device and add the Remote
Desktop client .msi file you downloaded.

2. Within that folder, create a PowerShell script file called Install.ps1 and add
the following content, replacing <RemoteDesktop> with the filename of the
.msi file you downloaded:

PowerShell

msiexec /i <RemoteDesktop>.msi /qn ALLUSERS=2 MSIINSTALLPERUSER=1

3. In the same folder, create a PowerShell script file called Uninstall.ps1 and add the following content:

PowerShell

# Look up the product code of the installed client, then remove it silently.
$productCode = (Get-WmiObject -Class Win32_Product | Where-Object {$_.Name -eq 'Remote Desktop' -and $_.Vendor -eq 'Microsoft Corporation'}).IdentifyingNumber

# Only call msiexec when a product code was actually found.
if ($productCode) {
    msiexec /x $productCode /qn
}

4. In the same folder, create a PowerShell script file called Detection.ps1 and add the following content:

PowerShell

# Report "installed" (exit 0) only when both the Uninstall registry entry and the Win32_Product record exist.
If (([string](Get-ChildItem Registry::HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall | Where-Object {$_.GetValue('DisplayName') -eq 'Remote Desktop'})) -and (Get-WmiObject -Class Win32_Product | Where-Object {$_.Name -eq 'Remote Desktop' -and $_.Vendor -eq 'Microsoft Corporation'})) {
    Write-Host "Microsoft Remote Desktop client is installed"
    exit 0
} else {
    Write-Host "Microsoft Remote Desktop client isn't installed"
    exit 1
}

5. Follow the steps in Prepare Win32 app content for upload to package the contents of the folder into an .intunewin file.

6. Follow the steps in Add, assign, and monitor a Win32 app in Microsoft Intune to add the Remote Desktop client. Here's some of the information you need to specify during the process. You can leave the rest of the settings as default or update them as needed.

Parameter | Value/Description
Name | Enter Remote Desktop.
Publisher | Enter Microsoft Corporation.
Install command | powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File .\Install.ps1
Uninstall command | powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File .\Uninstall.ps1
Install behavior | Select User.
Operating system architecture | Select 64-bit or 32-bit, depending on the version of the Remote Desktop client you downloaded.
Minimum operating system | Select the minimum version of Windows in your environment that is in support.
Detection rules format | Select Use a custom detection script.
Detection script file | Select the file Detection.ps1 you created earlier.
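As an added example that is not the article's own script, here is a more defensive version of Install.ps1 for the Intune deployment above: it waits for msiexec to finish, writes a verbose log, treats exit code 3010 (reboot required) as success, and then confirms that the client registered as a per-user install. The .msi file name and the log location are assumptions; the DisplayName "Remote Desktop" and the ALLUSERS=2 MSIINSTALLPERUSER=1 parameters are the article's.

```powershell
# Added example: per-user install wrapper for the Remote Desktop client (not the article's script).
# Assumes the downloaded .msi sits next to this script; replace the placeholder file name.
param(
    [string]$MsiName = '<RemoteDesktop>.msi'   # placeholder, use the .msi file name you downloaded
)

$ErrorActionPreference = 'Stop'
$msiPath = Join-Path -Path $PSScriptRoot -ChildPath $MsiName
if (-not (Test-Path -LiteralPath $msiPath)) {
    Write-Error "MSI not found: $msiPath"
    exit 1
}

# A per-user install runs in the user's context, so the user's %TEMP% is a writable log location.
$logPath = Join-Path -Path $env:TEMP -ChildPath 'RemoteDesktopClient-PerUser.log'

# /qn suppresses UI, /l*v writes a verbose log, ALLUSERS=2 MSIINSTALLPERUSER=1 requests per-user scope.
$arguments = "/i `"$msiPath`" /qn ALLUSERS=2 MSIINSTALLPERUSER=1 /l*v `"$logPath`""
$process = Start-Process -FilePath 'msiexec.exe' -ArgumentList $arguments -Wait -PassThru -WindowStyle Hidden
$exitCode = $process.ExitCode

# 0 = success, 3010 = success but a reboot is required. Anything else is a failure Intune should see.
if ($exitCode -ne 0 -and $exitCode -ne 3010) {
    Write-Error "msiexec failed with exit code $exitCode, see $logPath"
    exit $exitCode
}

function Get-InstallScope {
    # Standard MSI behaviour: a per-user install registers its Uninstall entry under HKCU,
    # a per-system install registers it under HKLM. Check HKCU first.
    param([Parameter(Mandatory)][string]$DisplayName)
    $hives = @(
        @{ Scope = 'Per-user';   Path = 'Registry::HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall' }
        @{ Scope = 'Per-system'; Path = 'Registry::HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall' }
    )
    foreach ($hive in $hives) {
        $match = Get-ChildItem -Path $hive.Path -ErrorAction SilentlyContinue |
            Where-Object { $_.GetValue('DisplayName') -eq $DisplayName }
        if ($match) { return $hive.Scope }
    }
    return 'Not installed'
}

$scope = Get-InstallScope -DisplayName 'Remote Desktop'
Write-Host "Remote Desktop client install scope: $scope (msiexec exit code $exitCode)"

# Surface an unexpected per-system (or missing) install as a failure so it shows up in Intune reporting.
if ($scope -ne 'Per-user') {
    exit 1
}
exit $exitCode
```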

Next steps
Learn more about the Remote Desktop client at Use features of the Remote Desktop
client for Windows.
Uniform Resource Identifier schemes
with the Remote Desktop client for
Azure Virtual Desktop
Article • 06/04/2024

You can use Uniform Resource Identifier (URI) schemes to invoke the Remote Desktop
client with specific commands, parameters, and values for use with Azure Virtual
Desktop. For example, you can subscribe to a workspace or connect to a particular
desktop or RemoteApp.

This article details the available commands and parameters, along with some examples.

Supported clients
The following table lists the supported clients for use with the URI schemes:

Client | Version
Remote Desktop client for Windows | 1.2.4065 and later

Available URI schemes

There are two URI schemes for supported Remote Desktop clients, ms-avd and ms-rd.
With ms-avd, you can specify a particular Azure Virtual Desktop resource and user with
which to connect. With ms-rd, you can automatically subscribe to a workspace in the
Remote Desktop client, rather than having to manually add the workspace.

The following sections detail the commands and parameters you can use with each URI
scheme.

ms-avd
The ms-avd Uniform Resource Identifier scheme for Azure Virtual Desktop is now
generally available. Here's the list of currently supported commands for ms-avd and
their corresponding parameters.
ms-avd:connect
ms-avd:connect locates a specified Azure Virtual Desktop resource and initiates the RDP session, directly connecting a specified user to that resource.

Command name: connect

Command parameters:

Parameter | Values | Description
workspaceid | Object ID (GUID). | Specify the object ID of a valid workspace. To get the object ID value using PowerShell, see Retrieve the object ID of a host pool, workspace, application group, or application. You can also use Desktop Virtualization REST APIs.
resourceid | Object ID (GUID). | Specify the object ID of a published resource contained in the workspace. The value can be for a desktop or RemoteApp. To get the object ID value using PowerShell, see Retrieve the object ID of a host pool, workspace, application group, or application. You can also use Desktop Virtualization REST APIs.
user | User Principal Name (UPN), for example [email protected]. | Specify a valid user with access to the specified resource.
env (optional) | avdarm (commercial Azure) or avdgov (Azure Government) | Specify the Azure cloud where resources are located.
version | 0 | Specify the version of the connect URI scheme to use.
launchpartnerid (optional) | GUID. | Specify the partner or customer-provided ID that you can use with Azure Virtual Desktop Diagnostics to help with troubleshooting. We recommend using a GUID, which you can generate with the New-Guid PowerShell cmdlet.
peeractivityid (optional) | GUID. | Specify the partner or customer-provided ID that you can use with Azure Virtual Desktop Diagnostics to help with troubleshooting. We recommend using a GUID, which you can generate with the New-Guid PowerShell cmdlet.
usemultimon | true or false | Specify whether the remote session will use one or multiple displays from the local computer.

Example:

ms-avd:connect?workspaceId=1638e073-63b2-46d8-bd84-ea02ea905467&resourceid=c2f5facc-196f-46af-991e-a90f3252c185&[email protected]&version=0

ms-rd
Here's the list of currently supported commands for ms-rd and their corresponding parameters.

Tip

Using ms-rd: without any commands launches the Remote Desktop client.

ms-rd:subscribe
ms-rd:subscribe launches the Remote Desktop client and starts the subscription process.

Command name: subscribe

Command parameters:

Parameter | Values | Description
url | A valid URL, such as https://rdweb.wvd.microsoft.com. | Specify a workspace URL.

Example:
ms-rd:subscribe?url=https://rdweb.wvd.microsoft.com
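The two schemes above, ms-avd:connect and ms-rd:subscribe, as an added PowerShell example that is not part of the article: both builders validate every value before it goes into the URI, since a URI that is handed to users (in a portal link, an e-mail, or a script) should never carry an unvalidated ID, UPN, or workspace URL. The sample GUIDs are the article's; the UPN and the function names are assumptions.

```powershell
# Added example, not from the article: build validated ms-avd:connect and ms-rd:subscribe URIs.

function New-AvdConnectUri {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]$WorkspaceId,
        [Parameter(Mandatory)] [string]$ResourceId,
        [Parameter(Mandatory)] [string]$User,
        [ValidateSet('avdarm', 'avdgov')] [string]$Cloud,   # the 'env' parameter
        [string]$LaunchPartnerId,
        [string]$PeerActivityId,
        [switch]$UseMultimon,
        [int]$Version = 0
    )

    # Every ID parameter must be a GUID; refuse anything else rather than hand it to the client.
    $guid = [guid]::Empty
    $ids = [ordered]@{ workspaceid = $WorkspaceId; resourceid = $ResourceId }
    if ($LaunchPartnerId) { $ids['launchpartnerid'] = $LaunchPartnerId }
    if ($PeerActivityId)  { $ids['peeractivityid']  = $PeerActivityId }
    foreach ($name in $ids.Keys) {
        if (-not [guid]::TryParse($ids[$name], [ref]$guid)) {
            throw "$name must be a GUID, got '$($ids[$name])'"
        }
    }
    # Restrict the UPN to a safe alphabet so no '&', '=', '#' or whitespace can reach the query string.
    if ($User -notmatch '^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$') {
        throw "user must be a User Principal Name, got '$User'"
    }

    # Ordered so the output is stable; the remaining values are validated or fixed literals.
    $query = [ordered]@{
        workspaceid = $WorkspaceId
        resourceid  = $ResourceId
        user        = $User
        version     = $Version
    }
    if ($Cloud)           { $query['env'] = $Cloud }
    if ($LaunchPartnerId) { $query['launchpartnerid'] = $LaunchPartnerId }
    if ($PeerActivityId)  { $query['peeractivityid']  = $PeerActivityId }
    if ($UseMultimon)     { $query['usemultimon'] = 'true' }

    $pairs = foreach ($key in $query.Keys) { '{0}={1}' -f $key, $query[$key] }
    return 'ms-avd:connect?' + ($pairs -join '&')
}

function New-RdSubscribeUri {
    param([Parameter(Mandatory)] [string]$WorkspaceUrl)

    # Only accept an absolute https URL: the client fetches the workspace feed from whatever is here.
    $parsed = $null
    if (-not [uri]::TryCreate($WorkspaceUrl, [UriKind]::Absolute, [ref]$parsed) -or
        $parsed.Scheme -ne 'https') {
        throw "url must be an absolute https URL, got '$WorkspaceUrl'"
    }
    return 'ms-rd:subscribe?url=' + $WorkspaceUrl
}

# Usage with the article's sample GUIDs, a constructed UPN, and the article's workspace URL.
New-AvdConnectUri -WorkspaceId '1638e073-63b2-46d8-bd84-ea02ea905467' `
                  -ResourceId  'c2f5facc-196f-46af-991e-a90f3252c185' `
                  -User 'user@contoso.example' -Cloud avdarm -UseMultimon
New-RdSubscribeUri -WorkspaceUrl 'https://rdweb.wvd.microsoft.com'
```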

Known Limitations
Here are known limitations with the URI schemes:

Display properties cannot be configured via URI. You can configure display
properties as an admin on a host pool or end users can configure display
properties in the Azure Virtual Desktop client.

Next steps
Learn how to Connect to Azure Virtual Desktop with the Remote Desktop client for
Windows.
Peripheral and resource redirection over
the Remote Desktop Protocol
Article • 08/09/2024

Redirection enables users to share resources and peripherals, such as the clipboard,
webcams, USB devices, printers, and more, between their local device (client-side) and a
remote session (server-side) over the Remote Desktop Protocol (RDP). Redirection aims
to provide a seamless remote experience, comparable to the experience using their local
device. This experience helps users be more productive and efficient when working
remotely. As an administrator, you can configure redirection to help balance between
your security requirements and the needs of your users.

This article provides detailed information about redirection methods across different peripheral classes, redirection classifications, and the supported types of resources and peripherals you can redirect.

Redirection methods and classifications

RDP leverages two redirection methods to redirect resources and peripherals between the local device and a remote session:

High-level redirection: functions as an intelligent intermediary by intercepting and optimizing all communication for a specific class of peripherals or experience. High-level redirection ensures the best possible performance for remote scenarios, but also relies on peripheral driver and application support.

Opaque low-level redirection: transports the raw communication of a peripheral without any attempt to interpret, understand, throttle, or optimize it for remote scenarios.

Opaque low-level redirection is used for peripherals that connect via USB where a suitable high-level peripheral reflection redirection solution doesn't exist, and for peripherals that have particular driver or software requirements in the remote session to work properly. USB redirection happens at the port and protocol level using USB request blocks (URB). Opaque low-level redirection is also used for peripherals that connect via serial/COM ports.

Within high-level redirection, there are four overarching techniques that are used, which are classified based on the direction of the redirection and the type of resource or peripheral being redirected. The four high-level redirection classifications are:

Peripheral reflection: reflects a specific class of peripheral connected to the local device into a remote session. This classification includes input devices, such as keyboard, mouse, touch, pen, and trackpad.

Data sharing: shares and transfers data between the local device and a remote session for the clipboard.

State reflection: reflects the local device state into a remote session, such as its battery status and location.

Application splitting: splits the functionality of an application across the local device and a remote session, such as Microsoft Teams.

The redirection method used can vary based on the local platform, such as Windows, macOS, iOS/iPadOS, or Android, and its available resources, peripherals, and capabilities. What redirection is available in a remote session is also dependent on the application used. For a comparison of the support for redirection using Windows App across different platforms, see Compare Windows App features across platforms and devices.

Important

You should use high-level redirection whenever possible, as it provides the best performance and user experience. Opaque low-level redirection is effectively a fallback scenario, so performance, reliability, and the supported feature set of such peripherals isn't guaranteed by default.

Some peripherals can't be redirected, such as encrypted USB storage.

USB redirection comparison

The following table compares redirecting a USB peripheral using opaque low-level USB redirection to redirecting the peripheral using high-level redirection with a supported peripheral class over RDP:

Opaque low-level USB redirection | High-level redirection
Requires the driver for the USB peripheral to be installed in the remote session. Doesn't require the driver to be installed on the local device. | Requires the driver for the peripheral to be installed on the local device. In most cases, it doesn't require the driver to be installed in the remote session.
Uses a single redirection method for many peripheral classes. | Uses a specific redirection method for each peripheral class.
Forwards USB request blocks to and from the USB peripheral over the RDP connection. | Exposes high-level peripheral functionality in a remote session by using an optimized protocol for the peripheral class.
The USB peripheral can't be used on the local device while it's being used in a remote session. It can only be used in one remote session at a time. | The peripheral can be used simultaneously on the local device and in a remote session.
Optimized for low latency connections. Variable based on peripheral driver implementation. | Optimized for LAN and WAN connections and is aware of changes in conditions, such as bandwidth and latency.

Controlling opaque low-level USB redirection

Redirecting USB peripherals using opaque low-level USB redirection is controlled by the RDP property usbdevicestoredirect:s:<value>, where <value> is the device instance path in the format USB\<Vendor ID and Product ID>\<USB instance ID>.

For some products and services, such as Azure Virtual Desktop, you can control redirection behavior by setting the RDP property value as follows:

Some USB peripherals might have functions that use opaque low-level USB redirection or high-level redirection. By default, these peripherals are redirected using high-level redirection. You can use the RDP property to force these peripherals to use opaque low-level USB redirection. To use USB audio peripherals with opaque low-level USB redirection, the audio output location must be set to play sounds on the local computer.

Use class GUIDs to redirect or not redirect an entire class of USB peripherals.

Using the wildcard * as the value redirects most peripherals that don't have high-level redirection mechanisms or drivers installed. Class GUIDs can be used to redirect additional peripherals that aren't matched automatically.

Values can be used on their own, or a combination of these values can be used in conjunction with each other when separated with a semicolon, subject to a processing order. The following table lists the valid values and the processing order:

Processing order | Value | Description
N/A | No value specified | Don't redirect any supported USB peripherals using opaque low-level redirection.
1 | * | Redirect all peripherals that aren't using high-level redirection.
2 | {<DeviceClassGUID>} | Redirect all peripherals that are members of the specified device setup class.
3 | <USBInstanceID> | Redirect a USB peripheral specified by the given device instance path.
4 | <-USBInstanceID> | Don't redirect a peripheral specified by the given device instance path.

When constructed as a string in the correct processing order, the syntax is:

uri

usbdevicestoredirect:s:*;{<DeviceClassGUID>};<USBInstanceID>;<-USBInstanceID>

The device instance path for USB devices is constructed in three sections in the format USB\<Device ID>\<USB instance ID>. You can find this value in Device Manager, or by using the Get-PnpDevice PowerShell cmdlet. The three sections in order are:

1. Bus driver name, in this case USB.
2. Device ID, which contains the Vendor ID (VID) and Product ID (PID) of the USB peripheral.
3. Instance ID, which uniquely distinguishes a device from other devices of the same type on a computer.

When specifying USB peripherals to redirect over RDP, you can use the device instance path. When using the device instance path, the value is specific to the port on the local device to which it's connected. For example, a peripheral connected to the first USB port has the device instance path USB\VID_045E&PID_0779\5&21F6DCD1&0&5, but connecting the same peripheral to the second USB port has the device instance path USB\VID_045E&PID_0779\5&21F6DCD1&0&6. For USB peripherals, specifying the device instance path means the peripheral is only redirected when connected to the same port.

Alternatively you can redirect an entire device setup class of USB peripherals by using
the class GUID. When using the class GUID, all peripherals on the local device that have
the corresponding class GUID are redirected, regardless of the port to which they're
connected. For example, using the class GUID {4d36e96c-e325-11ce-bfc1-08002be10318}
redirects all multimedia devices. A list of all the class GUIDs is available at System-
Defined Device Setup Classes Available to Vendors.

For some examples of how to use the RDP property, see usbdevicestoredirect RDP
property.
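The processing order described above, as an added PowerShell example that is not part of the article: the first function assembles a usbdevicestoredirect value with the tokens in the documented order, and the second applies the four rules to a device inventory so you can review what a proposed value would expose before it goes into a host pool. The device inventory is constructed (the multimedia class GUID and the VID_045E&PID_0779 instance paths are the article's); the model covers only the processing order the table documents, not every client-side nuance.

```powershell
# Added example, not from the article: build a usbdevicestoredirect value and predict its effect.

function New-UsbRedirectValue {
    param(
        [switch]$RedirectAll,              # '*'                   (processing order 1)
        [string[]]$ClassGuid = @(),        # '{<DeviceClassGUID>}' (processing order 2)
        [string[]]$IncludeInstance = @(),  # '<USBInstanceID>'     (processing order 3)
        [string[]]$ExcludeInstance = @()   # '<-USBInstanceID>'    (processing order 4)
    )
    $tokens = @()
    if ($RedirectAll) { $tokens += '*' }
    foreach ($g in $ClassGuid) {
        $parsed = [guid]::Empty
        if (-not [guid]::TryParse($g.Trim('{}'), [ref]$parsed)) { throw "Not a class GUID: $g" }
        $tokens += '{' + $parsed.ToString() + '}'   # normalised to lowercase with braces
    }
    foreach ($id in $IncludeInstance) { $tokens += $id }
    foreach ($id in $ExcludeInstance) { $tokens += '-' + $id }
    # No tokens means "no value specified": nothing is redirected with opaque low-level redirection.
    return 'usbdevicestoredirect:s:' + ($tokens -join ';')
}

function Test-UsbRedirect {
    # Applies the four rules in order; a later rule overrides an earlier one for the same device.
    param(
        [Parameter(Mandatory)] [string]$PropertyValue,
        [Parameter(Mandatory)] [object[]]$Devices   # InstanceId, ClassGuid, HasHighLevelRedirection
    )
    $value    = $PropertyValue -replace '^usbdevicestoredirect:s:', ''
    $tokens   = @($value -split ';' | Where-Object { $_ -ne '' })
    $all      = $tokens -contains '*'
    $classes  = @($tokens | Where-Object { $_ -match '^\{.+\}$' } | ForEach-Object { $_.ToLowerInvariant() })
    $includes = @($tokens | Where-Object { $_ -notmatch '^(\*|\{|-)' })
    $excludes = @($tokens | Where-Object { $_ -match '^-' } | ForEach-Object { $_.Substring(1) })

    foreach ($d in $Devices) {
        $redirect = $false
        if ($all -and -not $d.HasHighLevelRedirection)         { $redirect = $true }   # rule 1
        if ($classes -contains $d.ClassGuid.ToLowerInvariant()) { $redirect = $true }   # rule 2
        if ($includes -contains $d.InstanceId)                 { $redirect = $true }   # rule 3
        if ($excludes -contains $d.InstanceId)                 { $redirect = $false }  # rule 4
        [pscustomobject]@{ InstanceId = $d.InstanceId; Redirected = $redirect }
    }
}

# Constructed device inventory. The multimedia class GUID is from the article; the other is made up.
$multimediaClass = '{4d36e96c-e325-11ce-bfc1-08002be10318}'
$sampleClass     = '{00000000-0000-0000-0000-0000deadbeef}'   # constructed, not a real setup class
$devices = @(
    [pscustomobject]@{ InstanceId = 'USB\VID_045E&PID_0779\5&21F6DCD1&0&5'; ClassGuid = $multimediaClass; HasHighLevelRedirection = $true }
    [pscustomobject]@{ InstanceId = 'USB\VID_045E&PID_0779\5&21F6DCD1&0&6'; ClassGuid = $multimediaClass; HasHighLevelRedirection = $true }
    [pscustomobject]@{ InstanceId = 'USB\VID_1111&PID_2222\6&0A0B0C0D&0&1'; ClassGuid = $sampleClass;     HasHighLevelRedirection = $false }
)

# Redirect everything without a high-level path plus the whole multimedia class, but keep the
# device on the second port local: port 5 is included by rule 2, port 6 is removed again by rule 4.
$value = New-UsbRedirectValue -RedirectAll -ClassGuid $multimediaClass `
             -ExcludeInstance 'USB\VID_045E&PID_0779\5&21F6DCD1&0&6'
$value
Test-UsbRedirect -PropertyValue $value -Devices $devices | Format-Table -AutoSize
```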

Supported resources and peripherals

The following table lists each supported resource or peripheral class and the recommended redirection method to use for each:

Resource or peripheral class | Redirection method | Predominant data flow direction
All-in-one printer/scanner | Opaque low-level redirection | Bidirectional
Audio input - microphone (USB or integrated) | High-level - peripheral reflection | Local to remote
Audio output - speaker (USB or integrated) | High-level - peripheral reflection | Remote to local
Battery (automatic, not configurable) | High-level - state reflection | Local to remote
Biometric reader (only within a session, not during logon) | Opaque low-level redirection | Bidirectional
Camera/webcam (USB or integrated) | High-level - peripheral reflection | Local to remote
CD/DVD drive (read-only) | High-level - peripheral reflection | Local to remote
Clipboard | High-level - data sharing | Bidirectional
Keyboard (USB or integrated) | High-level - peripheral reflection | Local to remote
Local hard drive or USB removable storage | High-level - peripheral reflection | Bidirectional
Location | High-level - state reflection | Local to remote
Mouse (USB or integrated) | High-level - peripheral reflection | Local to remote
MTP Media Player | High-level - peripheral reflection | Local to remote
Multimedia redirection | High-level - application splitting | Bidirectional
Pen (USB or integrated) | High-level - peripheral reflection | Local to remote
Printer (locally attached or network) | High-level - peripheral reflection | Remote to local
PTP camera | High-level - peripheral reflection | Local to remote
Scanner | Opaque low-level redirection | Bidirectional
Serial/COM port | Opaque low-level redirection | Bidirectional
Smart card reader | High-level - peripheral reflection | Bidirectional
Touch (USB or integrated) | High-level - peripheral reflection | Local to remote
Trackpad (USB or integrated, excluding precision touch pad (PTP) gestures) | High-level - peripheral reflection | Local to remote
USB to serial adapter | Opaque low-level redirection | Bidirectional
VoIP Telephone/Headset | Opaque low-level redirection | Bidirectional
WebAuthN | High-level - peripheral reflection | Bidirectional

Note

The following peripheral classes are blocked from redirection:

USB network adapters.
USB displays.

Scanner redirection doesn't include TWAIN support.

Battery redirection is only available for Azure Virtual Desktop and Windows 365. It's automatically available and not configurable.

Redirecting the bluetooth driver stack isn't supported. If a peripheral is connected to the local device, such as a bluetooth keyboard, it's redirected to the remote session based on the supported peripheral class.

The following diagram shows the redirection methods used for each peripheral class:

[Diagram: Windows App (local device)]
Opaque low-level: USB; Serial/COM port
High-level - Peripheral reflection: Audio/video (Audio input, Audio output, Video encoding, Camera/webcam, Video capture); Storage; Printer; Security (Smart card, WebAuthn)
High-level - Data sharing: Clipboard
High-level - State reflection: Battery status; Location
High-level - Application splitting

Configuration priority order

Which device classes are enabled for redirection and how redirections behave are configured by an administrator of a remote session. The behavior can be configured by Microsoft Intune or Group Policy (Active Directory or local) server-side, or specified in an .rdp file that is used to connect to a remote session. Azure Virtual Desktop and Remote Desktop Services also have a broker service where RDP properties can be specified instead.

However, certain settings can be overridden on the local device where a more restrictive
configuration is required. A more restrictive setting takes precedence wherever it's
configured; for example, if an administrator configures the clipboard to be redirected by
default for all remote sessions, but the local device is configured to disable clipboard
redirection, the clipboard isn't available in the remote session. This provides flexibility in
scenarios where a subset of users or devices require more restrictive settings than the
default configuration.

Related content
Configure audio and video redirection over the Remote Desktop Protocol.
Configure camera, webcam, and video capture redirection over the Remote
Desktop Protocol.
Configure clipboard redirection over the Remote Desktop Protocol.
Configure fixed, removable, and network drive redirection over the Remote
Desktop Protocol.
Configure location redirection over the Remote Desktop Protocol.
Configure Media Transfer Protocol and Picture Transfer Protocol redirection on
Windows over the Remote Desktop Protocol.
Configure printer redirection over the Remote Desktop Protocol.
Configure serial or COM port redirection over the Remote Desktop Protocol.
Configure smart card redirection over the Remote Desktop Protocol.
Configure USB redirection on Windows over the Remote Desktop Protocol.
Configure WebAuthn redirection over the Remote Desktop Protocol.
Supported RDP properties.
Compare Windows App features across platforms and devices.
Compare Remote Desktop app features across platforms and devices.

Configure audio and video redirection over the Remote Desktop Protocol
Article • 08/09/2024

Tip

This article is shared for services and products that use the Remote Desktop Protocol (RDP) to provide remote access to Windows desktops and apps.

Select a product using the buttons at the top of this article to show the relevant content.

You can configure the redirection behavior of audio peripherals, such as microphones
and speakers, between a local device and a remote session over the Remote Desktop
Protocol (RDP).

For Azure Virtual Desktop, we recommend you enable audio and video redirection on
your session hosts using Microsoft Intune or Group Policy, then control redirection using
the host pool RDP properties.

This article provides information about the supported redirection methods and how to configure the redirection behavior for audio and video peripherals. To learn more about how redirection works, see Redirection over the Remote Desktop Protocol.

Tip

If you use the following features in a remote session, they have their own optimizations that are independent from the redirection configuration on the session host, host pool RDP properties, or local device.

Microsoft Teams for camera, microphone, and audio redirection.
Multimedia redirection for audio, video and call redirection.

Prerequisites
Before you can configure audio and video redirection, you need:

An existing host pool with session hosts.

A Microsoft Entra ID account that is assigned the Desktop Virtualization Host Pool Contributor built-in role-based access control (RBAC) role on the host pool as a minimum.

An audio device you can use to test the redirection configuration.

To configure Microsoft Intune, you need:

A Microsoft Entra ID account that is assigned the Policy and Profile manager built-in RBAC role.
A group containing the devices you want to configure.

To configure Group Policy, you need:

A domain account that has permission to create or edit Group Policy objects.
A security group or organizational unit (OU) containing the devices you want to configure.

You need to connect to a remote session from a supported app and platform. To view redirection support in Windows App and the Remote Desktop app, see Compare Windows App features across platforms and devices and Compare Remote Desktop app features across platforms and devices.

Configure audio output redirection

Audio output redirection controls where audio signals from the remote session are played. Configuration of a session host or setting an RDP property on a host pool governs the ability to play audio from a remote session, which is subject to a priority order.

Session host configuration controls whether audio and video playback redirection is
enabled together with the audio playback quality and is set using Microsoft Intune or
Group Policy. A host pool RDP property controls whether to play audio and the audio
output location over the Remote Desktop Protocol.

The default configuration is:

Windows operating system: Audio and video playback redirection isn't blocked.
Azure Virtual Desktop host pool RDP properties: Play sounds on the local
computer.
Resultant default behavior: Audio is redirected to the local computer.

Important

Take care when configuring redirection settings as the most restrictive setting is the resultant behavior. For example, if you disable audio and video playback redirection on a session host with Microsoft Intune or Group Policy, but enable it with the host pool RDP property, redirection is disabled.

Configure the audio output location using host pool RDP properties
The Azure Virtual Desktop host pool setting audio output location controls whether to play audio from the remote session in the remote session, redirect it to the local device, or disable audio. The corresponding RDP property is audiomode:i:<value>. For more information, see Supported RDP properties.

To configure the audio output location using host pool RDP properties:

1. Sign in to the Azure portal .

2. In the search bar, type Azure Virtual Desktop and select the matching service entry.

3. Select Host pools, then select the host pool you want to configure.

4. Select RDP Properties, then select Device redirection.

5. For Audio output location, select the drop-down list, then select one of the following options:

Play sounds on the local computer (default)
Play sounds on the remote computer
Do not play sounds
Not configured

6. Select Save.

7. To test the configuration, connect to a remote session and play audio. Verify that
you can hear audio as expected. Make sure you're not using Microsoft Teams or a
web page that's redirected with multimedia redirection for this test.
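The same change made from PowerShell, as an added example that is not part of the article: it edits the host pool's custom RDP properties with the Az.DesktopVirtualization cmdlets Get-AzWvdHostPool and Update-AzWvdHostPool, replacing only the audiomode entry so that other properties already set on the pool survive. The resource group and host pool names are placeholders; the audiomode values (0 local, 1 remote, 2 do not play) come from the Supported RDP properties reference the article links to, not from this page. Remember the priority order above: if Intune or Group Policy disables playback redirection on the session host, no host pool property re-enables it.

```powershell
# Added example, not from the article: set the audio output location via host pool RDP properties.
# Requires the Az.Accounts and Az.DesktopVirtualization modules and an authenticated session (Connect-AzAccount).

function Set-RdpProperty {
    # Returns the custom RDP property string with $Name set to $Value; other entries are left as they are.
    param(
        [AllowEmptyString()][string]$Current,
        [Parameter(Mandatory)][string]$Name,    # property name including its type, e.g. 'audiomode:i'
        [Parameter(Mandatory)][string]$Value
    )
    $entries = @($Current -split ';' | Where-Object { $_ -ne '' })
    $updated = @()
    $found = $false
    foreach ($entry in $entries) {
        if ($entry -match ('^' + [regex]::Escape($Name) + ':')) {
            $updated += "${Name}:${Value}"   # replace the existing value in place
            $found = $true
        } else {
            $updated += $entry
        }
    }
    if (-not $found) { $updated += "${Name}:${Value}" }
    # Host pool custom RDP properties are a ';'-separated list with a trailing ';'.
    return ($updated -join ';') + ';'
}

# audiomode values from the Supported RDP properties reference (not listed on this page).
$audioMode = @{
    Local  = 0   # Play sounds on the local computer (the article's default)
    Remote = 1   # Play sounds on the remote computer
    None   = 2   # Do not play sounds
}

$resourceGroup = '<resource-group>'    # placeholder
$hostPoolName  = '<host-pool-name>'    # placeholder

# Read the current properties, replace only audiomode, and write the merged string back.
$pool     = Get-AzWvdHostPool -ResourceGroupName $resourceGroup -Name $hostPoolName
$newProps = Set-RdpProperty -Current $pool.CustomRdpProperty -Name 'audiomode:i' -Value $audioMode.None
Update-AzWvdHostPool -ResourceGroupName $resourceGroup -Name $hostPoolName -CustomRdpProperty $newProps

# Show the resulting property string so the change can be reviewed (and logged) after it is applied.
(Get-AzWvdHostPool -ResourceGroupName $resourceGroup -Name $hostPoolName).CustomRdpProperty
```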

Configure audio and video playback redirection, and limit audio playback quality using Microsoft Intune or Group Policy
Select the relevant tab for your scenario.

Microsoft Intune
To allow or disable audio and video playback redirection, and limit audio playback
quality using Microsoft Intune:

1. Sign in to the Microsoft Intune admin center .

2. Create or edit a configuration profile for Windows 10 and later devices, with
the Settings catalog profile type.

3. In the settings picker, browse to Administrative templates > Windows
Components > Remote Desktop Services > Remote Desktop Session Host >
Device and Resource Redirection.

4. Check the box for Allow audio and video playback redirection, and optionally
Limit audio playback quality, then close the settings picker.

5. Expand the Administrative templates category, then toggle the switch for
Allow audio and video playback redirection, depending on your
requirements:

To allow audio and video playback redirection, toggle the switch to Enabled.
To disable audio and video playback redirection, toggle the switch to Disabled.

6. If you selected Limit audio playback quality, select the audio quality from the
drop-down list.

7. Select Next.

8. Optional: On the Scope tags tab, select a scope tag to filter the profile. For
more information about scope tags, see Use role-based access control (RBAC)
and scope tags for distributed IT.

9. On the Assignments tab, select the group containing the computers providing
a remote session you want to configure, then select Next.

10. On the Review + create tab, review the settings, then select Create.

11. Once the policy applies to the computers providing a remote session, restart
them for the settings to take effect.

12. To test the configuration, connect to a remote session and play audio. Verify
that you can hear audio as expected. Make sure you're not using Microsoft
Teams or a web page that's redirected with multimedia redirection for this
test.

Configure audio capture redirection


Audio recording redirection controls whether you want to allow peripherals such as a
microphone to be accessible in the remote session. Configuration of a session host and
setting an RDP property on a host pool governs the ability to record audio from a local
device in a remote session, which is subject to a priority order.

Session host configuration controls whether audio recording redirection is enabled and
is set using Microsoft Intune or Group Policy. A host pool RDP property controls
whether microphones are redirected over the Remote Desktop Protocol.

The default configuration is:

Windows operating system: Audio recording redirection isn't blocked.
Azure Virtual Desktop host pool RDP properties: Not configured.

Important

Take care when configuring redirection settings as the most restrictive setting is the
resultant behavior. For example, if you disable audio recording redirection on a
session host with Microsoft Intune or Group Policy, but enable it with the host pool
RDP property, redirection is disabled.

Configure audio input redirection using host pool RDP properties
The Azure Virtual Desktop host pool setting microphone redirection controls whether to
redirect audio input from a local device to an audio application in a remote session. The
corresponding RDP property is audiocapturemode:i:<value> . For more information, see
Supported RDP properties.

To configure audio input redirection using host pool RDP properties:

1. Sign in to the Azure portal .

2. In the search bar, type Azure Virtual Desktop and select the matching service entry.

3. Select Host pools, then select the host pool you want to configure.

4. Select RDP Properties, then select Device redirection.


5. For Microphone redirection, select the drop-down list, then select one of the
following options:

Disable audio capture from the local device
Enable audio capture from the local device and redirection to an audio
application in the remote session
Not configured (default)

6. Select Save.

7. To test the configuration, connect to a remote session and verify that the audio
input redirection is as expected, such as recording audio from a microphone in an
application in the remote session.
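The two host pool procedures above (audio output location and microphone redirection) can
also be scripted. The following PowerShell is an added example, not code from this
documentation: it uses the Az.DesktopVirtualization cmdlets Get-AzWvdHostPool and
Update-AzWvdHostPool to change audiomode and audiocapturemode while preserving the host
pool's other custom RDP properties, which a plain call to Update-AzWvdHostPool
-CustomRdpProperty would replace wholesale. The resource group and host pool names are
placeholders, and the Split-RdpPropertyString and Set-AvdHostPoolRdpProperty functions are
defined here; they are not part of the module.

```powershell
#Requires -Modules Az.Accounts, Az.DesktopVirtualization
# Added example, not code from the Microsoft documentation. Sets the audio output
# (audiomode) and microphone (audiocapturemode) RDP properties on a host pool while
# keeping every other custom RDP property intact. Assumes an existing Connect-AzAccount
# session; 'rg-avd' and 'hp-finance' are placeholder names.

function Split-RdpPropertyString {
    # Split "name:type:value;name:type:value;" into entries. A backslash escapes the
    # next character, so an escaped "\;" inside a value (for example in an escaped
    # drivestoredirect list) does not end the entry.
    param([AllowEmptyString()][string]$PropertyString)
    $entries = [System.Collections.Generic.List[string]]::new()
    $current = [System.Text.StringBuilder]::new()
    $escaped = $false
    foreach ($ch in $PropertyString.ToCharArray()) {
        if ($escaped)    { [void]$current.Append($ch); $escaped = $false; continue }
        if ($ch -eq '\') { [void]$current.Append($ch); $escaped = $true;  continue }
        if ($ch -eq ';') {
            if ($current.Length -gt 0) { $entries.Add($current.ToString()); [void]$current.Clear() }
            continue
        }
        [void]$current.Append($ch)
    }
    if ($current.Length -gt 0) { $entries.Add($current.ToString()) }
    return $entries
}

function Set-AvdHostPoolRdpProperty {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$ResourceGroupName,
        [Parameter(Mandatory)][string]$HostPoolName,
        # Name -> "type:value", for example @{ audiomode = 'i:0' }
        [Parameter(Mandatory)][hashtable]$Property
    )
    $pool   = Get-AzWvdHostPool -ResourceGroupName $ResourceGroupName -Name $HostPoolName
    $merged = [ordered]@{}
    foreach ($entry in (Split-RdpPropertyString $pool.CustomRdpProperty)) {
        # The property name never contains a colon; the rest is "type:value".
        $name, $typeAndValue = $entry -split ':', 2
        $merged[$name] = $typeAndValue
    }
    foreach ($name in $Property.Keys) { $merged[$name] = $Property[$name] }   # add or overwrite

    $string = (($merged.GetEnumerator() | ForEach-Object { '{0}:{1}' -f $_.Key, $_.Value }) -join ';') + ';'
    Write-Verbose "New CustomRdpProperty: $string"
    Update-AzWvdHostPool -ResourceGroupName $ResourceGroupName -Name $HostPoolName -CustomRdpProperty $string
}

# audiomode: 0 = play on the local computer, 1 = play on the remote computer, 2 = don't play.
# audiocapturemode: 0 = disable audio capture, 1 = enable capture and redirection to the remote session.
Set-AvdHostPoolRdpProperty -ResourceGroupName 'rg-avd' -HostPoolName 'hp-finance' -Property @{
    audiomode        = 'i:0'
    audiocapturemode = 'i:0'
} -Verbose
```

Running with -Verbose prints the merged property string before it is written, which is
worth checking the first time against the Device redirection tab in the portal; the same
helper can set any other property from the Supported RDP properties list.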

Configure audio input redirection using Microsoft Intune or Group Policy
Select the relevant tab for your scenario.

Microsoft Intune
To allow or disable audio input redirection using Microsoft Intune:

1. Sign in to the Microsoft Intune admin center .

2. Create or edit a configuration profile for Windows 10 and later devices, with
the Settings catalog profile type.

3. In the settings picker, browse to Administrative templates > Windows
Components > Remote Desktop Services > Remote Desktop Session Host >
Device and Resource Redirection.

4. Check the box for Allow audio recording redirection, then close the settings
picker.

5. Expand the Administrative templates category, then toggle the switch for
Allow audio recording redirection to Enabled or Disabled, depending on
your requirements. Select Next.

6. Optional: On the Scope tags tab, select a scope tag to filter the profile. For
more information about scope tags, see Use role-based access control (RBAC)
and scope tags for distributed IT.
7. On the Assignments tab, select the group containing the computers providing
a remote session you want to configure, then select Next.

8. On the Review + create tab, review the settings, then select Create.

9. Once the policy applies to the computers providing a remote session, restart
them for the settings to take effect.

10. To test the configuration, connect to a remote session and verify that the
audio input redirection is as expected, such as recording audio from a
microphone in an application in the remote session.

Related content
Redirection over the Remote Desktop Protocol.
Supported RDP properties.
Compare Windows App features across platforms and devices.
Compare Remote Desktop app features across platforms and devices.



Configure camera, webcam, and video
capture redirection over the Remote
Desktop Protocol
Article • 08/09/2024

 Tip

This article is shared for services and products that use the Remote Desktop
Protocol (RDP) to provide remote access to Windows desktops and apps.


You can configure the redirection behavior of cameras, webcams, and video capture
peripherals, and also video encoding and quality, from a local device to a remote
session over the Remote Desktop Protocol (RDP).

For Azure Virtual Desktop, we recommend you enable camera, webcam, and video
capture redirection on your session hosts using Microsoft Intune or Group Policy, then
control redirection using the host pool RDP properties.

This article provides information about the supported redirection methods and how to
configure the redirection behavior for camera, webcam, and video capture peripherals.
To learn more about how redirection works, see Redirection over the Remote Desktop
Protocol.

 Tip

If you use the following features in a remote session, they have their own
optimizations that are independent from the redirection configuration on the
session host, host pool RDP properties, or local device.

Microsoft Teams for camera, microphone, and audio redirection.
Multimedia redirection for audio, video and call redirection.

Prerequisites
Before you can configure camera, webcam, and video capture redirection, you need:
An existing host pool with session hosts.

A Microsoft Entra ID account that is assigned the Desktop Virtualization Host Pool
Contributor built-in role-based access control (RBAC) role on the host pool as a
minimum.

A camera, webcam, or video capture device you can use to test the redirection
configuration.

To configure Microsoft Intune, you need:

Microsoft Entra ID account that is assigned the Policy and Profile manager built-
in RBAC role.
A group containing the devices you want to configure.

To configure Group Policy, you need:

A domain account that has permission to create or edit Group Policy objects.
A security group or organizational unit (OU) containing the devices you want to
configure.

You need to connect to a remote session from a supported app and platform. To
view redirection support in Windows App and the Remote Desktop app, see
Compare Windows App features across platforms and devices and Compare
Remote Desktop app features across platforms and devices.

Configure camera, webcam, and video capture


Configuration of a session host or setting an RDP property on a host pool governs the
ability to use cameras, webcams, and video capture peripherals in a remote session,
which is subject to a priority order. The configuration of the session host controls
whether cameras, webcams, and video capture peripherals can be redirected to a
remote session, and is set using Microsoft Intune or Group Policy. A host pool RDP
property controls whether cameras, webcams, and video capture peripherals can be
redirected to a remote session over the Remote Desktop Protocol, and whether to
redirect all applicable devices, or only those specified by Vendor ID (VID) and Product ID
(PID).

The default configuration is:

Windows operating system: Camera, webcam, and video capture peripheral
redirection is allowed.
Azure Virtual Desktop host pool RDP properties: Not configured.
Resultant default behavior: Camera, webcam, and video capture peripherals are
redirected from the local device to the remote session.
Important

Take care when configuring redirection settings as the most restrictive setting is the
resultant behavior. For example, if you disable camera, webcam, and video capture
peripheral redirection on a session host with Microsoft Intune or Group Policy, but
enable it with the host pool RDP property, redirection is disabled.

Configure camera, webcam and video capture redirection using host pool RDP properties
The Azure Virtual Desktop host pool setting camera redirection controls whether
cameras, webcams, and video capture peripherals are redirected from a local device to a
remote session, and optionally which devices. The corresponding RDP property is
camerastoredirect:s:<value> . For more information, see Supported RDP properties.

To configure camera, webcam and video capture redirection using host pool RDP
properties:

1. Sign in to the Azure portal .

2. In the search bar, type Azure Virtual Desktop and select the matching service entry.

3. Select Host pools, then select the host pool you want to configure.

4. Select RDP Properties, then select Device redirection.


5. For Camera redirection, select the drop-down list, then select one of the following
options:

Don't redirect any cameras
Redirect cameras
Manually enter list of cameras
Not configured (default)

a. If you select Manually enter list of cameras, enter the KSCATEGORY_VIDEO_CAMERA
device interface paths of the cameras you want to redirect, identified by Vendor ID (VID)
and Product ID (PID), as a semicolon-delimited list. Within the host pool property, the
characters \ , : , and ; must each be escaped with a backslash character \ , and the
value cannot end with a backslash. Device interface paths begin with \\?\ , so every
backslash in them is doubled: for example, a path beginning
\\?\usb#vid_0bda&pid_58b0&mi needs to be entered as \\\\?\\usb#vid_0bda&pid_58b0&mi .
You can find the VID and PID in the device instance path in Device Manager on the local
device. For more information, see Device instance path.

6. Select Save.

7. To test the configuration, connect to a remote session with a camera, webcam, or
video capture peripheral and use it with a supported application for the peripheral,
such as Microsoft Teams.

Configure video capture redirection using Microsoft Intune or Group Policy
Select the relevant tab for your scenario.

Microsoft Intune

To allow or disable video capture redirection, which includes cameras and webcams,
using Microsoft Intune:

1. Sign in to the Microsoft Intune admin center .

2. Create or edit a configuration profile for Windows 10 and later devices, with
the Settings catalog profile type.

3. In the settings picker, browse to Administrative templates > Windows
Components > Remote Desktop Services > Remote Desktop Session Host >
Device and Resource Redirection.


4. Check the box for Do not allow video capture redirection, then close the
settings picker.

5. Expand the Administrative templates category, then toggle the switch for Do
not allow video capture redirection to Enabled or Disabled, depending on
your requirements:

To allow video capture redirection, toggle the switch to Disabled.

To disable video capture redirection, toggle the switch to Enabled.

6. Select Next.

7. Optional: On the Scope tags tab, select a scope tag to filter the profile. For
more information about scope tags, see Use role-based access control (RBAC)
and scope tags for distributed IT.

8. On the Assignments tab, select the group containing the computers providing
a remote session you want to configure, then select Next.

9. On the Review + create tab, review the settings, then select Create.

10. Once the policy applies to the computers providing a remote session, restart
them for the settings to take effect.

11. To test the configuration, connect to a remote session with a camera, webcam,
or video capture peripheral and use it with a supported application for the
peripheral. Don't use Microsoft Teams to test as it uses its own redirection
optimizations that's independent of the Remote Desktop Protocol.

Configure video encoding redirection


Video encoding redirection controls whether to encode video in a remote session or
redirected to the local device, and is configured with a host pool RDP property. The
corresponding RDP property is encode redirected video capture:i:<value> . For more
information, see Supported RDP properties.

 Tip

Redirect video encoding is different from multimedia redirection, which redirects
video playback and calls to your local device for faster processing and rendering.

To configure redirect video encoding:

1. Sign in to the Azure portal .

2. In the search bar, type Azure Virtual Desktop and select the matching service entry.

3. Select Host pools, then select the host pool you want to configure.

4. Select RDP Properties, then select Device redirection.

5. For Redirect video encoding, select the drop-down list, then select one of the
following options:

Disable encoding of redirected video
Enable encoding of redirected video
Not configured (default)

6. Select Save.

Configure encoded video quality

Encoded video quality controls the compression applied to redirected video, from high
compression to low compression, and is configured with a host pool RDP property. It only
takes effect when Redirect video encoding is enabled for the host pool. The corresponding
RDP property is redirected video capture encoding quality:i:<value> . For more
information, see Supported RDP properties.

To configure encoded video quality:

1. Sign in to the Azure portal .

2. In the search bar, type Azure Virtual Desktop and select the matching service entry.

3. Select Host pools, then select the host pool you want to configure.

4. Select RDP Properties, then select Device redirection.

5. For Encoded video quality, select the drop-down list, then select one of the
following options:

High compression video. Quality may suffer when there is a lot of motion
Medium compression
Low compression video with high picture quality
Not configured (default)

6. Select Save.

Related content
Redirection over the Remote Desktop Protocol.
Supported RDP properties.
Compare Windows App features across platforms and devices.
Compare Remote Desktop app features across platforms and devices.



Configure clipboard redirection over the
Remote Desktop Protocol
Article • 08/09/2024

 Tip

This article is shared for services and products that use the Remote Desktop
Protocol (RDP) to provide remote access to Windows desktops and apps.


You can configure the redirection behavior of the clipboard between a local device and
a remote session over the Remote Desktop Protocol (RDP).

For Azure Virtual Desktop, we recommend you enable clipboard redirection on your
session hosts using Microsoft Intune or Group Policy, then control redirection using the
host pool RDP properties. Additionally, in Windows Insider Preview, you can configure
whether users can use the clipboard from session host to client, or client to session host,
and the types of data that can be copied. For more information, see Configure the
clipboard transfer direction and types of data that can be copied.

This article provides information about the supported redirection methods and how to
configure the redirection behavior for the clipboard. To learn more about how
redirection works, see Redirection over the Remote Desktop Protocol.

Prerequisites
Before you can configure clipboard redirection, you need:

An existing host pool with session hosts.

A Microsoft Entra ID account that is assigned the Desktop Virtualization Host Pool
Contributor built-in role-based access control (RBAC) role on the host pool as a
minimum.

To configure Microsoft Intune, you need:

Microsoft Entra ID account that is assigned the Policy and Profile manager built-
in RBAC role.
A group containing the devices you want to configure.

To configure Group Policy, you need:

A domain account that has permission to create or edit Group Policy objects.
A security group or organizational unit (OU) containing the devices you want to
configure.

You need to connect to a remote session from a supported app and platform. To
view redirection support in Windows App and the Remote Desktop app, see
Compare Windows App features across platforms and devices and Compare
Remote Desktop app features across platforms and devices.

Configure clipboard redirection


Configuration of a session host using Microsoft Intune or Group Policy, or setting an
RDP property on a host pool governs the ability to redirect the clipboard between the
remote session and the local device, which is subject to a priority order.

The default configuration is:

Windows operating system: Clipboard redirection isn't blocked.
Azure Virtual Desktop host pool RDP properties: The clipboard is available
between the remote session and the local device.
Resultant default behavior: The clipboard is redirected in both directions between
the remote session and the local device.

Important

Take care when configuring redirection settings as the most restrictive setting is the
resultant behavior. For example, if you disable clipboard redirection on a session
host with Microsoft Intune or Group Policy, but enable it with the host pool RDP
property, redirection is disabled.

Configure clipboard redirection using host pool RDP properties
The Azure Virtual Desktop host pool setting clipboard redirection controls whether to
redirect the clipboard between the remote session and the local device. The
corresponding RDP property is redirectclipboard:i:<value> . For more information, see
Supported RDP properties.

To configure clipboard redirection using host pool RDP properties:


1. Sign in to the Azure portal .

2. In the search bar, type Azure Virtual Desktop and select the matching service entry.

3. Select Host pools, then select the host pool you want to configure.

4. Select RDP Properties, then select Device redirection.

5. For Clipboard redirection, select the drop-down list, then select one of the
following options:

Clipboard on local computer isn't available in remote session
Clipboard on local computer is available in remote session (default)
Not configured

6. Select Save.

7. To test the configuration, connect to a remote session and copy and paste some
text between the local device and remote session. Verify that the text is as
expected.

Configure clipboard redirection using Microsoft Intune or Group Policy
Select the relevant tab for your scenario.

Microsoft Intune

To enable or disable clipboard redirection using Microsoft Intune:

1. Sign in to the Microsoft Intune admin center .

2. Create or edit a configuration profile for Windows 10 and later devices, with
the Settings catalog profile type.

3. In the settings picker, browse to Administrative templates > Windows
Components > Remote Desktop Services > Remote Desktop Session Host >
Device and Resource Redirection.

4. Check the box for Do not allow Clipboard redirection, then close the settings
picker.

5. Expand the Administrative templates category, then toggle the switch for Do
not allow Clipboard redirection to Enabled or Disabled, depending on your
requirements:

To allow clipboard redirection, toggle the switch to Disabled.

To disable clipboard redirection, toggle the switch to Enabled.

6. Select Next.

7. Optional: On the Scope tags tab, select a scope tag to filter the profile. For
more information about scope tags, see Use role-based access control (RBAC)
and scope tags for distributed IT.

8. On the Assignments tab, select the group containing the computers providing
a remote session you want to configure, then select Next.

9. On the Review + create tab, review the settings, then select Create.

10. Once the policy applies to the computers providing a remote session, restart
them for the settings to take effect.

11. To test the configuration, connect to a remote session and copy and paste
some text between the local device and remote session. Verify that the text is
as expected.

Important

If you disable drive redirection using Intune or Group Policy, it also prevents files
being transferred between the local device and remote session using the clipboard.
Other content, such as text or images, isn't affected.

Optional: Disable clipboard redirection on a local device


You can disable clipboard redirection on a local device to prevent the clipboard from
being redirected between a remote session. This method is useful if you want to enable
clipboard redirection for most users, but disable it for specific devices.

On a local Windows device, you can disable clipboard redirection by configuring the
following registry key and value:

Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Terminal Server Client
Type: REG_DWORD
Value name: DisableClipboardRedirection
Value data: 1

For iOS/iPadOS and Android devices, you can disable clipboard redirection using Intune.
For more information, see Configure client device redirection settings for Windows App
and the Remote Desktop app using Microsoft Intune.

Related content
Redirection over the Remote Desktop Protocol.
Supported RDP properties.
Compare Windows App features across platforms and devices.
Compare Remote Desktop app features across platforms and devices.



Configure the clipboard transfer
direction and data types that can be
copied in Azure Virtual Desktop
Article • 08/13/2024

Clipboard redirection in Azure Virtual Desktop allows users to copy and paste content,
such as text, images, and files between the user's device and the remote session in
either direction. You might want to limit the direction of the clipboard for users, to help
prevent data exfiltration or malicious files being copied to a session host. You can
configure whether users can use the clipboard from session host to client, or client to
session host, and the types of data that can be copied, from the following options:

Disable clipboard transfers from session host to client, client to session host, or
both.
Allow plain text only.
Allow plain text and images only.
Allow plain text, images, and Rich Text Format only.
Allow plain text, images, Rich Text Format, and HTML only.

You apply these settings to your session hosts; they don't depend on a specific Remote
Desktop client or its version. This article shows you how to configure the direction of
the clipboard and the types of data that can be copied using Microsoft Intune or Group
Policy.

Prerequisites
To configure the clipboard transfer direction, you need:

Host pool RDP properties must allow clipboard redirection, otherwise it will be
completely blocked.

Your session hosts must be running one of the following operating systems:
Windows 11 Enterprise or Enterprise multi-session, version 22H2 or 23H2 with
the 2024-06 cumulative update (KB5039212) or later installed.
Windows 11 Enterprise or Enterprise multi-session, version 21H2 with the 2024-
06 cumulative update (KB5039213) or later installed.
Windows Server 2022 with the 2024-07 cumulative update (KB5040437) or
later installed.

Depending on the method you use to configure the clipboard transfer direction:
For Intune, you need permission to configure and apply settings. For more
information, see Administrative template for Azure Virtual Desktop.

For configuring the local Group Policy or registry of session hosts, you need an
account that is a member of the local Administrators group.

Configure clipboard transfer direction


Here's how to configure the clipboard transfer direction and the types of data that can
be copied. Select the relevant tab for your scenario.

Intune

To configure the clipboard using Intune, follow these steps. This process creates an
Intune settings catalog policy.

1. Sign in to the Microsoft Intune admin center .

2. Create or edit a configuration profile for Windows 10 and later devices, with
the Settings catalog profile type.

3. In the settings picker, browse to Administrative templates > Windows
Components > Remote Desktop Services > Remote Desktop Session Host >
Device and Resource Redirection.

4. Check the box for the following settings, making sure you select the settings
with the correct scope for your requirements, then close the settings picker. To
determine which scope is correct for your scenario, see Settings catalog -
Device scope vs. user scope settings:

Device scope settings:

Restrict clipboard transfer from server to client
Restrict clipboard transfer from client to server

User scope settings:

Restrict clipboard transfer from server to client (User)
Restrict clipboard transfer from client to server (User)

5. Expand the Administrative templates category, then toggle the switch for
each setting you added to Enabled.

6. Once each setting is enabled, a drop-down list appears from which you can
select the types of data that can be copied. Choose from the following
options:

Disable clipboard transfers from server to client or Disable clipboard
transfers from client to server
Allow plain text
Allow plain text and images
Allow plain text, images, and Rich Text Format
Allow plain text, images, Rich Text Format, and HTML

7. Select Next.

8. Optional: On the Scope tags tab, select a scope tag to filter the profile. For
more information about scope tags, see Use role-based access control (RBAC)
and scope tags for distributed IT.

9. On the Assignments tab, select the group containing the computers providing
a remote session you want to configure, then select Next.

10. On the Review + create tab, review the settings, then select Create.

11. Once the policy applies to the computers providing a remote session, restart
them for the settings to take effect.

12. Connect to a remote session with a supported client and test the clipboard
settings you configured are working by trying to copy and paste different
types of content.
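The Intune and Group Policy procedures in these articles all end by asking you to verify
the result from a client. The following PowerShell is an added example, not code from this
documentation: run on a session host, it reads the redirection policies those procedures
write to the registry, including the clipboard transfer levels configured above, and
applies the most restrictive setting wins rule against the host pool's Device redirection
values to report the effective behavior per feature. Assumptions: the registry value names
(fDisableAudio, fDisableAudioCapture, fDisableCameraRedir, fDisableClip, fDisableCdm,
SCClipLevel, CSClipLevel) are those written by the Remote Desktop Session Host
administrative templates, so confirm them against the ADMX in your tenant before relying
on the report; the $HostPoolRdp hashtable is a constructed sample standing in for your
host pool's settings; the functions Get-RdsPolicyValue and Resolve-Redirection are defined
here and are not part of Windows.

```powershell
# Added example, not code from the Microsoft documentation. Audits session host
# redirection policies and combines them with host pool RDP property values.
# Assumption: the value names below are the ones the RDS administrative templates write.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Constructed sample of the host pool Device redirection values (type prefix removed).
# $null stands for "Not configured". Replace with the values from your host pool.
$HostPoolRdp = @{
    audiomode         = '0'    # Play sounds on the local computer
    audiocapturemode  = '1'    # Enable audio capture from the local device
    camerastoredirect = '*'    # Redirect cameras
    redirectclipboard = '1'    # Clipboard available in the remote session
    drivestoredirect  = $null  # Not configured
}

# Feature -> policy value that blocks it when set to 1, the RDP property that controls it,
# and the RDP values that permit it ($null = any non-empty value permits it).
$Features = @(
    @{ Name = 'Audio playback'; Policy = 'fDisableAudio';        Rdp = 'audiomode';         Allow = @('0', '1') }
    @{ Name = 'Audio capture';  Policy = 'fDisableAudioCapture'; Rdp = 'audiocapturemode';  Allow = @('1') }
    @{ Name = 'Camera';         Policy = 'fDisableCameraRedir';  Rdp = 'camerastoredirect'; Allow = $null }
    @{ Name = 'Clipboard';      Policy = 'fDisableClip';         Rdp = 'redirectclipboard'; Allow = @('1') }
    @{ Name = 'Drives';         Policy = 'fDisableCdm';          Rdp = 'drivestoredirect';  Allow = $null }
)

function Get-RdsPolicyValue {
    # Returns the DWORD policy value, or $null when the key or value is absent (not configured).
    param([string]$Name)
    $item = Get-ItemProperty -Path $PolicyKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Resolve-Redirection {
    param([hashtable]$Feature, [hashtable]$Rdp)
    $policy = Get-RdsPolicyValue $Feature.Policy
    $value  = $Rdp[$Feature.Rdp]

    if ($null -eq $value)                       { $rdpState = 'not configured' }
    elseif ($null -eq $Feature.Allow)           { $rdpState = if ($value) { 'allows' } else { 'blocks' } }
    elseif ($Feature.Allow -contains $value)    { $rdpState = 'allows' }
    else                                        { $rdpState = 'blocks' }

    # Most restrictive wins: a session host policy of 1 overrides any RDP property;
    # otherwise the RDP property decides; if it is not configured the client's default applies.
    if ($policy -eq 1)                { $effective = 'Blocked by session host policy' }
    elseif ($rdpState -eq 'blocks')   { $effective = 'Blocked by host pool RDP property' }
    elseif ($rdpState -eq 'allows')   { $effective = 'Allowed' }
    else                              { $effective = 'Client default (RDP property not configured)' }

    $policyText = if ($null -eq $policy) { 'not set' } else { "$policy" }
    [pscustomobject]@{
        Feature     = $Feature.Name
        PolicyValue = $policyText
        RdpProperty = '{0}={1}' -f $Feature.Rdp, $value
        Effective   = $effective
    }
}

$Features | ForEach-Object { Resolve-Redirection -Feature $_ -Rdp $HostPoolRdp } | Format-Table -AutoSize

# Clipboard transfer direction and permitted data types (server -> client, client -> server).
$Levels = 'Disabled', 'Plain text', 'Plain text and images',
          'Plain text, images, and Rich Text Format', 'Plain text, images, Rich Text Format, and HTML'
foreach ($name in 'SCClipLevel', 'CSClipLevel') {
    $level = Get-RdsPolicyValue $name
    $text  = if ($null -eq $level) { 'not configured (no restriction)' } else { $Levels[$level] }
    '{0,-12} {1}' -f $name, $text
}
```

Run it after the policy has applied and the session host has restarted; a feature reported
as allowed here but not working from a client points at the client-side configuration
rather than the session host or host pool.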

Related content
Configure Watermarking.
Configure Screen Capture Protection.
Learn about how to secure your Azure Virtual Desktop deployment at Security best
practices.



Configure fixed, removable, and
network drive redirection over the
Remote Desktop Protocol
Article • 08/09/2024

 Tip

This article is shared for services and products that use the Remote Desktop
Protocol (RDP) to provide remote access to Windows desktops and apps.


You can configure the redirection behavior of fixed, removable, and network drives from
a local device to a remote session over the Remote Desktop Protocol (RDP).

For Azure Virtual Desktop, we recommend you enable drive redirection on your session
hosts using Microsoft Intune or Group Policy, then control redirection using the host
pool RDP properties.

This article provides information about the supported redirection methods and how to
configure the redirection behavior for drives and storage. To learn more about how
redirection works, see Redirection over the Remote Desktop Protocol.

Prerequisites
Before you can configure drive redirection, you need:

An existing host pool with session hosts.

A Microsoft Entra ID account that is assigned the Desktop Virtualization Host Pool
Contributor built-in role-based access control (RBAC) role on the host pool as a
minimum.

Each drive you want to redirect must have a drive letter assigned on the local
device.

If you want to test drive redirection with a removable drive, you need a removable
drive connected to the local device.

To configure Microsoft Intune, you need:

Microsoft Entra ID account that is assigned the Policy and Profile manager built-
in RBAC role.
A group containing the devices you want to configure.

To configure Group Policy, you need:

A domain account that has permission to create or edit Group Policy objects.
A security group or organizational unit (OU) containing the devices you want to
configure.

You need to connect to a remote session from a supported app and platform. To
view redirection support in Windows App and the Remote Desktop app, see
Compare Windows App features across platforms and devices and Compare
Remote Desktop app features across platforms and devices.

Configure drive redirection


Configuration of a session host using Microsoft Intune or Group Policy, or setting an
RDP property on a host pool governs the ability to redirect drives from a local device to
a remote session, which is subject to a priority order.

The default configuration is:

Windows operating system: Drive and storage redirection isn't blocked.
Azure Virtual Desktop host pool RDP properties: All drives are redirected from
the local device to a remote session, including ones that are connected later.
Resultant default behavior: All drives are redirected from the local device to a
remote session, including ones that are connected later.

Important

Take care when configuring redirection settings as the most restrictive setting is the
resultant behavior. For example, if you disable drive and storage redirection on a
session host with Microsoft Intune or Group Policy, but enable it with the host pool
RDP property, redirection is disabled.

Configure drive redirection using host pool RDP properties
The Azure Virtual Desktop host pool setting drive/storage redirection controls whether to
redirect drives from a local device to a remote session. The corresponding RDP property
is drivestoredirect:s:<value> . For more information, see Supported RDP properties.

To configure drive redirection using host pool RDP properties:

1. Sign in to the Azure portal .

2. In the search bar, type Azure Virtual Desktop and select the matching service entry.

3. Select Host pools, then select the host pool you want to configure.

4. Select RDP Properties, then select Device redirection.

5. For Drive/storage redirection, select the drop-down list, then select one of the
following options:

Don't redirect any drives
Redirect all disk drives, including ones that are connected later (default)
Dynamic drives: redirect any drives that are connected later
Manually enter drives and labels
Not configured

6. If you select Manually enter drives and labels, an extra box shows. Enter each fixed,
removable, or network drive you want to redirect as its drive letter, a colon, and a
backslash, followed by a semicolon, as in C:\;D:\; . For Azure Virtual Desktop, the
characters \ , : , and ; within the value must then be escaped using a backslash
character. For example, to redirect drives C:\ and D:\ from the local device, enter
C\:\\\;D\:\\\; .

7. Select Save.

8. To test the configuration, make sure the drives you configured to redirect are
connected to the local device, then connect to a remote session. Verify that drives
you redirected are available in File Explorer or Disk Management in the remote
session. If you selected Redirect all disk drives, including ones that are connected
later or Dynamic drives: redirect any drives that are connected later, you can
connect more drives to the local device after you connect to the remote session
and verify they're redirected too.
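The escaping rule in step 6 is easy to get wrong by hand, and the host pool's custom RDP properties are stored as one string, so setting drivestoredirect from a script means rebuilding that string. The following is an added example, not code from the article or from Microsoft: it builds the escaped value from a list of drive letters and merges it into the host pool with the Az.DesktopVirtualization module. It assumes Az.Accounts and Az.DesktopVirtualization are installed and Connect-AzAccount has been run; the resource group and host pool names in the usage lines are placeholders.

```powershell
# Added example (not from the article): build the escaped drivestoredirect value
# and apply it to an Azure Virtual Desktop host pool. Assumes Az.Accounts and
# Az.DesktopVirtualization are installed and Connect-AzAccount has been run.

function ConvertTo-DriveStoreDirectValue {
    param([Parameter(Mandatory)][string[]]$DriveLetters)

    $escaped = foreach ($letter in $DriveLetters) {
        # Accept a single letter only, so nothing else can end up inside the
        # RDP property string.
        if ($letter -notmatch '^[A-Za-z]$') { throw "Invalid drive letter: '$letter'" }
        # "C:\" with \ : and ; each escaped by a backslash becomes C\:\\\;
        '{0}\:\\\;' -f $letter.ToUpper()
    }
    return 'drivestoredirect:s:' + (-join $escaped)
}

function Set-HostPoolDriveRedirection {
    param(
        [Parameter(Mandatory)][string]$ResourceGroupName,
        [Parameter(Mandatory)][string]$HostPoolName,
        [Parameter(Mandatory)][string[]]$DriveLetters
    )

    $pool = Get-AzWvdHostPool -ResourceGroupName $ResourceGroupName -Name $HostPoolName

    # CustomRdpProperty is a single string of "name:type:value;" entries. Split
    # on semicolons that are not preceded by a backslash, so the escaped "\;"
    # inside an existing drivestoredirect value survives, then drop the old
    # drivestoredirect entry before appending the new one.
    $kept = @($pool.CustomRdpProperty -split '(?<!\\);' |
        Where-Object { $_ -and $_ -notmatch '^drivestoredirect:' })

    $entries = $kept + (ConvertTo-DriveStoreDirectValue -DriveLetters $DriveLetters)
    $merged  = -join ($entries | ForEach-Object { "$_;" })

    # Update-AzWvdHostPool replaces the whole property string, which is why the
    # existing entries are carried over above.
    Update-AzWvdHostPool -ResourceGroupName $ResourceGroupName -Name $HostPoolName `
        -CustomRdpProperty $merged
}

# Usage (placeholder names): redirect only C: and D: from the local device.
ConvertTo-DriveStoreDirectValue -DriveLetters 'C', 'D'
Set-HostPoolDriveRedirection -ResourceGroupName 'rg-avd-example' `
    -HostPoolName 'hp-example' -DriveLetters 'C', 'D'
```

For the letters C and D, ConvertTo-DriveStoreDirectValue returns the same value the article shows for the portal, prefixed with the property name. Check the result under RDP Properties > Advanced in the portal afterwards, because a merge that loses an unescaped semicolon would silently drop other properties.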

Configure drive redirection using Microsoft Intune or Group Policy

Select the relevant tab for your scenario.

Microsoft Intune

To enable or disable drive redirection using Microsoft Intune:

1. Sign in to the Microsoft Intune admin center .

2. Create or edit a configuration profile for Windows 10 and later devices, with
the Settings catalog profile type.

3. In the settings picker, browse to Administrative templates > Windows
Components > Remote Desktop Services > Remote Desktop Session Host >
Device and Resource Redirection.

4. Check the box for Do not allow drive redirection, then close the settings
picker.

5. Expand the Administrative templates category, then toggle the switch for Do
not allow drive redirection to Enabled or Disabled, depending on your
requirements:

To allow drive redirection, toggle the switch to Disabled.

To disable drive redirection, toggle the switch to Enabled.

6. Select Next.

7. Optional: On the Scope tags tab, select a scope tag to filter the profile. For
more information about scope tags, see Use role-based access control (RBAC)
and scope tags for distributed IT.

8. On the Assignments tab, select the group containing the computers providing
a remote session you want to configure, then select Next.

9. On the Review + create tab, review the settings, then select Create.

10. Once the policy applies to the computers providing a remote session, restart
them for the settings to take effect.

Important

Network drives that are disconnected aren't redirected. Once the network
drives are reconnected, they're not automatically redirected during the
remote session. You need to disconnect and reconnect to the remote session
to redirect the network drives.

If you disable drive redirection using Intune or Group Policy, it also prevents
files being transferred between the local device and remote session using the
clipboard. Other content, such as text or images, isn't affected.

Test drive redirection

To test drive redirection:

1. Connect to a remote session using Windows App or the Remote Desktop app on a
platform that supports drive redirection. For more information, see Compare
Windows App features across platforms and devices and Compare Remote
Desktop app features across platforms and devices.

2. Check the redirected drives available in the remote session. Here are some ways to
check:

a. Open File explorer in the remote session from the start menu. Select This PC,
then check the redirected drives appear in the list. When you redirect drives
from a local Windows device, it looks similar to the following image:

b. Open a PowerShell prompt in the remote session and run the following
command:

PowerShell

# Collect every CLSID key that carries a value reading
# "Drive or folder redirected using Remote Desktop".
$CLSIDs = @()
foreach ($registryKey in (Get-ChildItem "Registry::HKEY_CLASSES_ROOT\CLSID" -Recurse)) {
    If (($registryKey.GetValueNames() | % { $registryKey.GetValue($_) }) -eq "Drive or folder redirected using Remote Desktop") {
        $CLSIDs += $registryKey
    }
}

# The default value of each matching key is the display name of the redirected drive.
$drives = @()
foreach ($CLSID in $CLSIDs.PSPath) {
    $drives += (Get-ItemProperty $CLSID)."(default)"
}

Write-Output "These are the local drives redirected to the remote session:`n"
$drives

The output is similar to the following example when you redirect drives from a
local Windows device:

Output

These are the local drives redirected to the remote session:

C on DESKTOP
S on DESKTOP

Optional: Disable drive redirection on a local device

You can disable drive redirection on a local device to prevent the drives from being
redirected to a remote session. This method is useful if you want to enable drive
redirection for most users, but disable it for specific devices.

On a local Windows device, you can disable drive redirection by configuring the
following registry key and value:

Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Terminal Server Client
Type: REG_DWORD
Value name: DisableDriveRedirection
Value data: 1

For iOS/iPadOS and Android devices, you can disable drive redirection using Intune. For
more information, see Configure client device redirection settings for Windows App and
the Remote Desktop app using Microsoft Intune.

Related content
Redirection over the Remote Desktop Protocol.
Supported RDP properties.
Compare Windows App features across platforms and devices.
Compare Remote Desktop app features across platforms and devices.



Configure location redirection over the
Remote Desktop Protocol
Article • 08/09/2024

Tip

This article is shared for services and products that use the Remote Desktop
Protocol (RDP) to provide remote access to Windows desktops and apps.

Select a product using the buttons at the top of this article to show the relevant
content.

You can configure the redirection behavior of location information from a local device to
a remote session over the Remote Desktop Protocol (RDP). A user's location can be
important for some applications, such as mapping and regional services in browsers.
Without redirecting location information, the location of a remote session is near the
datacenter the user connects to for the remote session.

For Azure Virtual Desktop, location redirection must be configured at the following
points. If any of these components aren't configured correctly, location redirection won't
work as expected. You can use Microsoft Intune or Group Policy to configure your
session hosts and the local device.

Session host
Host pool RDP property
Local device

Important

Redirected longitude and latitude information is accurate to 1 meter. Horizontal
accuracy is currently set at 10 kilometers, so applications that use the horizontal
accuracy value might report that a precise location can't be determined.

This article provides information about the supported redirection methods and how to
configure the redirection behavior for location information. To learn more about how
redirection works, see Redirection over the Remote Desktop Protocol.

Prerequisites
Before you can configure location redirection, you need:

An existing host pool with session hosts running Windows 11 Enterprise or
Windows 11 Enterprise multi-session version 22H2 or later.

A Microsoft Entra ID account that is assigned the Desktop Virtualization Host Pool
Contributor built-in role-based access control (RBAC) roles on the host pool as a
minimum.

To configure Microsoft Intune, you need:

Microsoft Entra ID account that is assigned the Policy and Profile manager built-in
RBAC role.
A group containing the devices you want to configure.

To configure Group Policy, you need:

A domain account that has permission to create or edit Group Policy objects.
A security group or organizational unit (OU) containing the devices you want to
configure.

You need to connect to a remote session from a supported app and platform. To
view redirection support in Windows App and the Remote Desktop app, see
Compare Windows App features across platforms and devices and Compare
Remote Desktop app features across platforms and devices.

Session host configuration

To configure a session host for location redirection, you need to enable and configure
location services. You can do this using Microsoft Intune or Group Policy.

) Important

If you use a multi-session edition of Windows, when you enable location services
on a session host, it's enabled for all users. You can specify which apps can access
location information on a per-user basis based on your requirements.

Select the relevant tab for your scenario.

Microsoft Intune

To enable location services using Microsoft Intune:

1. Sign in to the Microsoft Intune admin center .

2. Create or edit a configuration profile for Windows 10 and later devices, with
the Settings catalog profile type.

3. In the settings picker, select System. Check the box for Allow Location, then
close the settings picker.

4. Expand the System category, then from the drop-down menu select Force
Location On. All Location Privacy settings are toggled on and grayed out.
Users cannot change the settings and all consent permissions will be
automatically suppressed.

5. Select Next.

6. Optional: On the Scope tags tab, select a scope tag to filter the profile. For
more information about scope tags, see Use role-based access control (RBAC)
and scope tags for distributed IT.

7. On the Assignments tab, select the group containing the computers providing
a remote session you want to configure, then select Next.

8. On the Review + create tab, review the settings, then select Create.

9. Once the policy applies to the computers providing a remote session, restart
them for the settings to take effect.

10. You need to enable the location setting Allow location override for the
location to be updated in the remote session, which you can do by
configuring a registry value and is set per user. Users can still change this
setting in Windows location settings.

You can do this by creating a PowerShell script and using it as a custom script
remediation in Intune. When you create the custom script remediation, you
must set Run this script using the logged-on credentials to Yes.

PowerShell

try {
    # Set the per-user "Allow location override" value; -Force overwrites an existing value.
    New-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\CPSS\Store\UserLocationOverridePrivacySetting" -Name Value -PropertyType DWORD -Value 1 -Force
    exit 0
}
catch {
    $errMsg = $_.Exception.Message
    Write-Error $errMsg
    exit 1
}

11. Once you have made the changes, location services in the Windows Settings
app should look similar to the following image:
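An Intune remediation is a pair of scripts: a detection script that runs first and a remediation script that Intune runs only when detection exits with code 1. The article gives the remediation half; the following detection script is an added example, not from the article or from Microsoft, that checks the same registry value the remediation writes. Like the remediation, it has to run with the logged-on user's credentials because the value lives under HKCU.

```powershell
# Added example (not from the article): detection script for the
# "Allow location override" remediation. Exit 0 = compliant, exit 1 = Intune
# should run the remediation script.

$path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\CPSS\Store\UserLocationOverridePrivacySetting'

function Test-LocationOverrideEnabled {
    # True only when the key exists, the Value entry exists, and it equals 1.
    # A missing key or value is treated as "not enabled" rather than an error.
    try {
        $item = Get-ItemProperty -Path $path -Name Value -ErrorAction Stop
        return ([int]$item.Value -eq 1)
    } catch {
        return $false
    }
}

# Intune records the last line of output in the remediation report, so say
# which state was found before exiting.
if (Test-LocationOverrideEnabled) {
    Write-Output 'Allow location override is enabled'
    exit 0
} else {
    Write-Output 'Allow location override is not enabled'
    exit 1
}
```

Because the remediation script in step 10 uses -Force, running it on an already compliant device would still succeed; the detection script is what stops Intune from rewriting the value on every schedule and gives you a per-user compliance view in the remediation report.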


Host pool configuration

The Azure Virtual Desktop host pool setting Location service redirection controls whether
to redirect location information from the local device to the remote session. The
corresponding RDP property is redirectlocation:i:<value>. For more information, see
Supported RDP properties.

To configure location redirection using host pool RDP properties:

1. Sign in to the Azure portal .

2. In the search bar, type Azure Virtual Desktop and select the matching service entry.

3. Select Host pools, then select the host pool you want to configure.

4. Select RDP Properties, then select Device redirection.

5. For Location service redirection, select the drop-down list, then select Enable
location sharing from the local device and redirection to apps in the remote
session.

6. Select Save.

Local device configuration

You need to use a supported app and platform to connect to a remote session and enable
location services on a local device. How you achieve this depends on your requirements,
the platform you're using, and whether the device is managed or unmanaged.

To view redirection support in Windows App and the Remote Desktop app, see Compare
Windows App features across platforms and devices and Compare Remote Desktop app
features across platforms and devices.

On Windows, you can enable location services in the Windows Settings app. For more
information, see Windows location service and privacy . The steps in this article to
enable location services in a remote session using Intune and Group Policy can also be
applied to local Windows devices.

To enable location services on other platforms, refer to the relevant manufacturer's
documentation.

Test location redirection

Once you configure your session hosts, host pool RDP property, and local devices, you
can test location redirection.

To test location redirection:

1. Connect to a remote session using Windows App or the Remote Desktop app on a
platform that supports location redirection. For more information, see Compare
Windows App features across platforms and devices and Compare Remote
Desktop app features across platforms and devices.

2. Check the user's location information is available in the remote session. Here are
some ways to check:

a. Open a web browser and go to a website that uses location information, such as
Bing Maps . In Bing Maps, select the icon for the button Locate me. The
website should show the user's location as the location of the local device.

b. Open a PowerShell prompt in the remote session and run the following
commands to get the latitude and longitude values. You can also run these
commands on a local Windows device to check they are consistent.

PowerShell

Add-Type -AssemblyName System.Device

$GeoCoordinateWatcher = New-Object System.Device.Location.GeoCoordinateWatcher
$GeoCoordinateWatcher.Start()

Start-Sleep -Milliseconds 500

If ($GeoCoordinateWatcher.Permission -eq "Granted") {
    # Wait until the watcher has a position fix before reading it.
    While ($GeoCoordinateWatcher.Status -ne "Ready") {
        Start-Sleep -Milliseconds 500
    }
    $GeoCoordinateWatcher.Position.Location | FL Latitude, Longitude
} else {
    Write-Output "Desktop apps aren't allowed to access your location. Please enable access."
}

The output is similar to the following example:

Output

Latitude  : 47.64354
Longitude : -122.13082

Related content
Redirection over the Remote Desktop Protocol.
Supported RDP properties.
Compare Windows App features across platforms and devices.
Compare Remote Desktop app features across platforms and devices.



Configure Media Transfer Protocol and
Picture Transfer Protocol redirection on
Windows over the Remote Desktop
Protocol
Article • 08/09/2024

Tip

This article is shared for services and products that use the Remote Desktop
Protocol (RDP) to provide remote access to Windows desktops and apps.

Select a product using the buttons at the top of this article to show the relevant
content.

You can configure the redirection behavior of peripherals that use the Media Transfer
Protocol (MTP) or Picture Transfer Protocol (PTP), such as a digital camera, from a local
device to a remote session over the Remote Desktop Protocol (RDP).

For Azure Virtual Desktop, we recommend you enable MTP and PTP redirection on your
session hosts using Microsoft Intune or Group Policy, then control redirection using the
host pool RDP properties.

This article provides information about the supported redirection methods and how to
configure the redirection behavior for MTP and PTP peripherals. To learn more about
how redirection works, see Redirection over the Remote Desktop Protocol.

MTP and PTP redirection vs USB redirection

Most MTP and PTP peripherals connect to a computer over USB. RDP supports
redirecting MTP and PTP peripherals using native MTP and PTP redirection or opaque
low-level USB device redirection, independent of each other. Behavior depends on the
peripheral and its supported features.

Both redirection methods redirect the device to the remote session listed under
Portable Devices in Device Manager. This device class is WPD and the device class GUID
is {eec5ad98-8080-425f-922a-dabf3de3f69a}. You can find a list of the device classes at
System-Defined Device Setup Classes Available to Vendors.

Devices are redirected differently depending on the redirection method used. MTP and
PTP redirection uses high-level redirection; the peripheral is available locally and in the
remote session concurrently, and requires the relevant driver installed locally. Opaque
low-level USB redirection transports the raw communication of a peripheral, so requires
the relevant driver installed in the remote session. You should use high-level redirection
methods where possible. For more information, see Redirection methods.

The following example shows the difference when redirecting an Apple iPhone using the
two methods. Both methods achieve the same result where pictures can be imported
from the iPhone to the remote session.

Using MTP and PTP redirection, the iPhone is listed as Digital Still Camera to
applications and under Portable Devices in Device Manager:

Using USB redirection, the iPhone is listed as Apple iPhone to applications and
under Portable Devices in Device Manager:

The rest of this article covers MTP and PTP redirection. To learn how to configure USB
redirection, see Configure USB redirection on Windows over the Remote Desktop
Protocol.

Prerequisites
Before you can configure MTP and PTP redirection, you need:

An existing host pool with session hosts.

A Microsoft Entra ID account that is assigned the Desktop Virtualization Host Pool
Contributor built-in role-based access control (RBAC) roles on the host pool as a
minimum.

A device that supports MTP or PTP you can use to test the redirection
configuration connected to a local device.

To configure Microsoft Intune, you need:

Microsoft Entra ID account that is assigned the Policy and Profile manager built-in
RBAC role.
A group containing the devices you want to configure.

To configure Group Policy, you need:

A domain account that has permission to create or edit Group Policy objects.
A security group or organizational unit (OU) containing the devices you want to
configure.

You need to connect to a remote session from a supported app and platform. To
view redirection support in Windows App and the Remote Desktop app, see
Compare Windows App features across platforms and devices and Compare
Remote Desktop app features across platforms and devices.

MTP and PTP redirection

Configuration of a session host using Microsoft Intune or Group Policy, or setting an
RDP property on a host pool governs the ability to redirect MTP and PTP peripherals
between the remote session and the local device, which is subject to a priority order.

The default configuration is:

Windows operating system: MTP and PTP redirection isn't allowed.
Azure Virtual Desktop host pool RDP properties: MTP and PTP devices are
redirected from the local device to the remote session.
Resultant default behavior: MTP and PTP peripherals aren't redirected.

Important

Take care when configuring redirection settings as the most restrictive setting is the
resultant behavior. For example, if you disable MTP and PTP redirection on a
session host with Microsoft Intune or Group Policy, but enable it with the host pool
RDP property, redirection is disabled. You can also specify individual MTP and PTP
peripherals to redirect only.

Configure MTP and PTP redirection using host pool RDP properties

The Azure Virtual Desktop host pool setting MTP and PTP device redirection controls
whether to redirect MTP and PTP peripherals between the remote session and the local
device. The corresponding RDP property is devicestoredirect:s:<value>. For more
information, see Supported RDP properties.

To configure MTP and PTP redirection using host pool RDP properties:

1. Sign in to the Azure portal .

2. In the search bar, type Azure Virtual Desktop and select the matching service entry.

3. Select Host pools, then select the host pool you want to configure.

4. Select RDP Properties, then select Device redirection.

5. For MTP and PTP device redirection, select the drop-down list, then select one of
the following options:

Don't redirect any devices
Redirect portable media players based on the Media Transfer Protocol
(MTP) and digital cameras based on the Picture Transfer Protocol (PTP)
(default)
Not configured

6. Select Save.

Tip

If you enable redirection using host pool RDP properties, you need to check that
redirection isn't blocked by a Microsoft Intune or Group Policy setting.

Optional: Retrieve specific MTP and PTP device instance IDs and add them to the RDP property

By default, the host pool RDP property will redirect all supported MTP and PTP
peripherals, but you can also enter specific device instance IDs in the host pool
properties so that only the peripherals you approve are redirected. To retrieve the device
instance IDs of the USB devices on a local device you want to redirect:

1. On the local device, connect any devices you want to redirect.

2. Open a PowerShell prompt and run the following command:

PowerShell

Get-PnPdevice | Where-Object {$_.Class -eq "WPD" -and $_.Status -eq "OK"} | FT -AutoSize

The output is similar to the following example. Make a note of the InstanceId value
for each device you want to redirect.

Output

Status Class FriendlyName InstanceId
------ ----- ------------ ----------
OK     WPD   Apple iPhone USB\VID_05AC&PID_12A8&MI_00\B&1A733E8B&0&0000

3. In the Azure portal, return to the host pool RDP properties configuration, and
select Advanced.

4. In the text box, find the relevant RDP property, which by default is
devicestoredirect:s:*, then add the instance IDs you want to redirect, as shown
in the following example. Separate each device instance ID with a semi-colon (;).

uri

devicestoredirect:s:USB\VID_05AC&PID_12A8&MI_00\B&1A733E8B&0&0000

5. Select Save.

Tip

The following behavior is expected when you specify an instance ID:

If you refresh the Azure portal, the value you entered changes to lowercase
and each backslash character in the instance ID is escaped by another
backslash character.
When you navigate to the Device redirection tab, the value for MTP and PTP
device redirection is blank.

Configure MTP and PTP redirection using Microsoft Intune or Group Policy

Select the relevant tab for your scenario.

Microsoft Intune

To allow or disable MTP and PTP redirection using Microsoft Intune:

1. Sign in to the Microsoft Intune admin center .

2. Create or edit a configuration profile for Windows 10 and later devices, with
the Settings catalog profile type.

3. In the settings picker, browse to Administrative templates > Windows
Components > Remote Desktop Services > Remote Desktop Session Host >
Device and Resource Redirection.

4. Check the box for Do not allow supported Plug and Play device redirection,
then close the settings picker.

5. Expand the Administrative templates category, then toggle the switch for
Do not allow supported Plug and Play device redirection to Enabled or Disabled,
depending on your requirements:

To allow MTP and PTP redirection, toggle the switch to Disabled.

To disable MTP and PTP redirection, toggle the switch to Enabled.

6. Select Next.

7. Optional: On the Scope tags tab, select a scope tag to filter the profile. For
more information about scope tags, see Use role-based access control (RBAC)
and scope tags for distributed IT.

8. On the Assignments tab, select the group containing the computers providing
a remote session you want to configure, then select Next.

9. On the Review + create tab, review the settings, then select Create.

10. Once the policy applies to the computers providing a remote session, restart
them for the settings to take effect.

Note

When you configure the Intune policy setting Do not allow supported Plug
and Play device redirection, it also affects USB redirection.

Test MTP and PTP redirection

To test MTP and PTP redirection:

1. Make sure a device that supports MTP or PTP is connected to the local device.

2. Connect to a remote session using Windows App or the Remote Desktop app on a
platform that supports MTP and PTP redirection. For more information, see
Compare Windows App features across platforms and devices and Compare
Remote Desktop app features across platforms and devices.

3. Check the MTP or PTP device is available in the remote session. Here are some
ways to check:

a. Open the Photos app (from Microsoft) in the remote session from the start
menu. Select Import and check the redirected device appears in the list of
connected devices.

b. Open a PowerShell prompt in the remote session and run the following
command:

PowerShell

Get-PnPdevice | ? Class -eq "WPD" | FT -AutoSize

The output is similar to the following example:

Output

Status Class FriendlyName         InstanceId
------ ----- ------------         ----------
OK     WPD   Digital Still Camera TSBUS\UMB\2&FD4482C&0&TSDEVICE#0002.0003

You can verify whether the device is redirected using MTP and PTP redirection
or USB redirection by the InstanceId value:

For MTP and PTP redirection, the InstanceId value begins with TSBUS.
For USB redirection, the InstanceId value begins with USB.


4. Open an application and print a test page to verify the printer is functioning
correctly.
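The instance ID retrieval earlier in this article and the InstanceId check in the test steps above are the two halves of an allow-list workflow: pick the devices on the local device, paste their IDs into devicestoredirect, then confirm in the remote session which redirection path delivered them. The following helpers are an added example, not code from the article or from Microsoft. They rely only on Get-PnpDevice from the PnpDevice module that ships with Windows; the name filter in the usage line is a placeholder.

```powershell
# Added example (not from the article): allow-list MTP/PTP devices by instance
# ID on the local device, and classify redirected Portable Devices in the
# remote session by the InstanceId prefixes the article describes.

function Get-RedirectableWpdDevice {
    # Run on the local device. Lists present Portable Devices (class WPD) in a
    # working state, optionally narrowed by friendly name.
    param([string]$FriendlyNameFilter = '*')
    Get-PnpDevice -Class WPD -Status OK |
        Where-Object { $_.FriendlyName -like $FriendlyNameFilter } |
        Select-Object FriendlyName, InstanceId
}

function New-DevicesToRedirectValue {
    # Builds the devicestoredirect RDP property from one or more instance IDs.
    # IDs are used verbatim, as in the article's example; entries are separated
    # by semicolons, so an ID that contains one would corrupt the property.
    param([Parameter(Mandatory)][string[]]$InstanceId)
    foreach ($id in $InstanceId) {
        if ($id -match ';') { throw "Instance ID contains a semicolon: $id" }
    }
    return 'devicestoredirect:s:' + ($InstanceId -join ';')
}

function Get-WpdRedirectionMethod {
    # Run inside the remote session. TSBUS\ = MTP/PTP (high-level) redirection,
    # USB\ = opaque low-level USB redirection; anything else is reported as-is.
    Get-PnpDevice -Class WPD -Status OK | ForEach-Object {
        $device = $_
        $method = if ($device.InstanceId -like 'TSBUS\*') { 'MTP/PTP redirection' }
                  elseif ($device.InstanceId -like 'USB\*') { 'USB redirection' }
                  else { 'Other' }
        [pscustomobject]@{
            FriendlyName = $device.FriendlyName
            InstanceId   = $device.InstanceId
            Method       = $method
        }
    }
}

# Usage on the local device: allow only devices whose name contains "iPhone"
# (placeholder filter), then paste the value into Advanced RDP properties.
$approved = Get-RedirectableWpdDevice -FriendlyNameFilter '*iPhone*'
if ($approved) { New-DevicesToRedirectValue -InstanceId $approved.InstanceId }

# Usage in the remote session after connecting:
Get-WpdRedirectionMethod | Format-Table -AutoSize
```

Remember the portal behaviour described in the Tip above: after you save, the stored value is lowercased and its backslashes are doubled, so compare against the Advanced text box rather than against the string this function printed. A device that shows up as USB redirection when you expected MTP/PTP usually means the peripheral's driver is missing on the local device, since high-level redirection needs it there.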

Related content
Redirection over the Remote Desktop Protocol.
Supported RDP properties.
Compare Windows App features across platforms and devices.
Compare Remote Desktop app features across platforms and devices.



Configure printer redirection over the
Remote Desktop Protocol
Article • 08/09/2024

Tip

This article is shared for services and products that use the Remote Desktop
Protocol (RDP) to provide remote access to Windows desktops and apps.

Select a product using the buttons at the top of this article to show the relevant
content.

You can configure the redirection behavior of printers from a local device to a remote
session over the Remote Desktop Protocol (RDP). Printer redirection supports locally
attached and network printers. When you enable printer redirection, all printers
available on the local device are redirected; you can't select specific printers to redirect.
The default printer on the local device is automatically set as the default printer in the
remote session.

Printer redirection uses high-level redirection and doesn't require drivers to be installed
on session hosts. The Remote Desktop Easy Print driver is used automatically on session
hosts. The driver for the printer must be installed on the local device for redirection to
work correctly.

For Azure Virtual Desktop, we recommend you enable printer redirection on your
session hosts using Microsoft Intune or Group Policy, then control redirection using the
host pool RDP properties.

This article provides information about the supported redirection methods and how to
configure the redirection behavior for printers. To learn more about how redirection
works, see Redirection over the Remote Desktop Protocol.

Tip

Universal Print is an alternative solution to redirecting printers from a local device
to a remote session. For more information, see Discover Universal Print and to
learn about using it with Azure Virtual Desktop, see Printing on Azure Virtual
Desktop using Universal Print.

Prerequisites
Before you can configure printer redirection, you need:

An existing host pool with session hosts.

A Microsoft Entra ID account that is assigned the Desktop Virtualization Host Pool
Contributor built-in role-based access control (RBAC) roles on the host pool as a
minimum.

A printer available on the local device. You need to make sure the printer driver is
installed correctly on the local device. No driver is needed in the remote session as
redirected printers use the Remote Desktop Easy Print driver.

To configure Microsoft Intune, you need:

Microsoft Entra ID account that is assigned the Policy and Profile manager built-in
RBAC role.
A group containing the devices you want to configure.

To configure Group Policy, you need:

A domain account that has permission to create or edit Group Policy objects.
A security group or organizational unit (OU) containing the devices you want to
configure.

You need to connect to a remote session from a supported app and platform. To
view redirection support in Windows App and the Remote Desktop app, see
Compare Windows App features across platforms and devices and Compare
Remote Desktop app features across platforms and devices.

Printer redirection
Configuration of a session host using Microsoft Intune or Group Policy, or setting an
RDP property on a host pool governs the ability to redirect printers from a local device
to a remote session, which is subject to a priority order.

The default configuration is:

Windows operating system: Printer redirection isn't blocked.
Azure Virtual Desktop host pool RDP properties: All printers are redirected from
the local device to a remote session and the default printer on the local device is
the default printer in the remote session.
Resultant default behavior: All printers are redirected from the local device to a
remote session and the default printer on the local device is the default printer in
the remote session.

Important

Take care when configuring redirection settings as the most restrictive setting is the
resultant behavior. For example, if you disable printer redirection on a session host
with Microsoft Intune or Group Policy, but enable it with the host pool RDP
property, redirection is disabled.

Configure printer redirection using host pool RDP properties

The Azure Virtual Desktop host pool setting printer redirection controls whether to
redirect printers from a local device to a remote session. The corresponding RDP
property is redirectprinters:i:<value>. For more information, see Supported RDP
properties.

To configure printer redirection using host pool RDP properties:

1. Sign in to the Azure portal .

2. In the search bar, type Azure Virtual Desktop and select the matching service entry.

3. Select Host pools, then select the host pool you want to configure.

4. Select RDP Properties, then select Device redirection.

5. For Printer redirection, select the drop-down list, then select one of the following
options:

The printers on the local computer are not available in remote session
The printers on the local computer are available in remote session (default)
Not configured

6. Select Save.

Configure printer redirection using Microsoft Intune or Group Policy

Select the relevant tab for your scenario.

Microsoft Intune

To allow or disable printer redirection using Microsoft Intune:

1. Sign in to the Microsoft Intune admin center .

2. Create or edit a configuration profile for Windows 10 and later devices, with
the Settings catalog profile type.

3. In the settings picker, browse to Administrative templates > Windows
Components > Remote Desktop Services > Remote Desktop Session Host >
Printer Redirection.

4. Check the box for Do not allow client printer redirection, then close the
settings picker.

5. Expand the Administrative templates category, then toggle the switch for Do
not allow client printer redirection to Enabled or Disabled, depending on
your requirements:

To allow printer redirection, toggle the switch to Disabled.

To disable printer redirection, toggle the switch to Enabled.

6. Select Next.

7. Optional: On the Scope tags tab, select a scope tag to filter the profile. For
more information about scope tags, see Use role-based access control (RBAC)
and scope tags for distributed IT.

8. On the Assignments tab, select the group containing the computers providing
a remote session you want to configure, then select Next.

9. On the Review + create tab, review the settings, then select Create.

10. Once the policy applies to the computers providing a remote session, restart
them for the settings to take effect.

Test printer redirection

Printer redirection uses high-level redirection; the printer is available locally and in the
remote session concurrently, and requires the relevant driver installed locally. The driver
for the printer doesn't need to be installed in the remote session as redirected printers
use the Remote Desktop Easy Print driver.

To test printer redirection:

1. Make sure a printer is available on the local device that's functioning.

2. Connect to a remote session using Windows App or the Remote Desktop app on a
platform that supports printer redirection. For more information, see Compare
Windows App features across platforms and devices and Compare Remote
Desktop app features across platforms and devices.

3. Check the printers available in the remote session. Here are some ways to check:

a. Open Printers & scanners in the remote session from the start menu. Check the
redirected printers appear in the list of printers. Redirected printers are
identified where the name of the printer is appended with (redirected n), where
n is the user's session ID. The session ID is appended to make sure redirected
printers are unique to the user's session.

b. Open a PowerShell prompt in the remote session and run the following
command:

PowerShell

Get-Printer | ? DriverName -eq "Remote Desktop Easy Print" | Sort-Object | FT -AutoSize

The output is similar to the following example:

Output

Name                                         ComputerName Type  DriverName                PortName Shared Published DeviceType
----                                         ------------ ----  ----------                -------- ------ --------- ----------
HP Color LaserJet MFP M281fdw (redirected 2)              Local Remote Desktop Easy Print TS001    False  False     Print
Microsoft Print to PDF (redirected 2)                     Local Remote Desktop Easy Print TS002    False  False     Print
OneNote (Desktop) (redirected 2)                          Local Remote Desktop Easy Print TS003    False  False     Print

4. Open an application and print a test page to verify the printer is functioning
correctly.

Optional: Disable printer redirection on a local Windows device

You can disable printer redirection on a local Windows device to prevent printers from
being redirected to a remote session. This method is useful if you want to enable printer
redirection for most users, but disable it for specific Windows devices.

1. As an Administrator on a local Windows device, open the Registry Editor app from
the start menu, or run regedit.exe from the command line.

2. Configure the following registry key and value. You don't need to restart the local
device for the settings to take effect.

Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Terminal Server Client
Type: REG_DWORD
Value name: DisablePrinterRedirection
Value data: 1
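
The following PowerShell is an added example and is not code from the Azure Virtual Desktop documentation. It covers the two checks above: it turns the Get-Printer query from step 3b into objects that record which session each redirected printer belongs to, and it sets or clears the DisablePrinterRedirection value on a local device and reads it back so you can confirm the change applied. It assumes a Windows session host with the PrintManagement module (Get-Printer) and administrator rights on the local device; the function names are the example's own, and clearing the value to re-allow redirection rather than writing 0 is the example's choice, because the page only documents the value 1.

```powershell
# Added example, not code from the Azure Virtual Desktop documentation.

# Run inside the remote session: list redirected printers as objects. Printer names
# end with "(redirected n)", where n is the session ID that owns the printer.
function Get-RedirectedPrinter {
    $mySession = (Get-Process -Id $PID).SessionId
    Get-Printer | Where-Object DriverName -eq 'Remote Desktop Easy Print' |
        ForEach-Object {
            $sessionId = if ($_.Name -match '\(redirected (\d+)\)\s*$') { [int]$Matches[1] } else { $null }
            [pscustomobject]@{
                Name      = $_.Name
                PortName  = $_.PortName
                SessionId = $sessionId
                # A redirected printer should only ever belong to the session that created it
                OwnedByMe = ($sessionId -eq $mySession)
            }
        }
}

# Run on the local Windows device as Administrator: block or allow printer redirection
# for every connection made from this device, then read the value back to verify it.
function Set-LocalPrinterRedirection {
    param([Parameter(Mandatory)][ValidateSet('Block', 'Allow')][string]$Mode)

    $key  = 'HKLM:\Software\Microsoft\Terminal Server Client'
    $name = 'DisablePrinterRedirection'

    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

    if ($Mode -eq 'Block') {
        # REG_DWORD 1 = printers are not redirected from this device (documented value)
        New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 1 -Force | Out-Null
    } else {
        # Example's choice: removing the value restores the default (redirection allowed,
        # still subject to session host policy and host pool RDP properties)
        Remove-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    }

    $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    [pscustomobject]@{ Mode = $Mode; DisablePrinterRedirection = $current }
}

# Usage, each in the appropriate place:
#   Get-RedirectedPrinter | Format-Table -AutoSize    # in the remote session
#   Set-LocalPrinterRedirection -Mode Block           # on the local device, elevated
```

The OwnedByMe column is the useful check on a multi-session host: a redirected printer visible from another user's session would indicate the per-session isolation the page describes is not in effect.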

Related content
Redirection over the Remote Desktop Protocol.
Supported RDP properties.
Compare Windows App features across platforms and devices.
Compare Remote Desktop app features across platforms and devices.



Configure serial or COM port redirection
over the Remote Desktop Protocol
Article • 08/09/2024

Tip

This article is shared for services and products that use the Remote Desktop
Protocol (RDP) to provide remote access to Windows desktops and apps.

Select a product using the buttons at the top of this article to show the relevant
content.

You can configure the redirection behavior of serial or COM ports between a local
device and a remote session over the Remote Desktop Protocol (RDP).

For Azure Virtual Desktop, we recommend you enable serial or COM port redirection on
your session hosts using Microsoft Intune or Group Policy, then control redirection using
the host pool RDP properties.

This article provides information about the supported redirection methods and how to
configure the redirection behavior of serial or COM ports. To learn more about how
redirection works, see Redirection over the Remote Desktop Protocol.

Prerequisites
Before you can configure serial or COM port redirection, you need:

An existing host pool with session hosts.

A Microsoft Entra ID account that is assigned the Desktop Virtualization Host Pool
Contributor built-in role-based access control (RBAC) role on the host pool as a
minimum.

A serial or COM port on a local device and a peripheral that connects to the port.
Serial or COM port redirection uses opaque low-level redirection, so drivers need
to be installed in the remote session for the peripheral to function correctly.

To configure Microsoft Intune, you need:

A Microsoft Entra ID account that is assigned the Policy and Profile manager built-in RBAC role.
A group containing the devices you want to configure.

To configure Group Policy, you need:

A domain account that has permission to create or edit Group Policy objects.
A security group or organizational unit (OU) containing the devices you want to
configure.

You need to connect to a remote session from a supported app and platform. To
view redirection support in Windows App and the Remote Desktop app, see
Compare Windows App features across platforms and devices and Compare
Remote Desktop app features across platforms and devices.

Serial or COM port redirection

Configuration of a session host using Microsoft Intune or Group Policy, or setting an
RDP property on a host pool governs the ability to redirect serial or COM ports from the
local device to the remote session, which is subject to a priority order.

The default configuration is:

Windows operating system: Serial or COM port redirection isn't blocked.
Azure Virtual Desktop host pool RDP properties: Serial or COM ports are
redirected from the local device to the remote session.
Resultant default behavior: Serial or COM ports are redirected from the local
device to the remote session.

Important

Take care when configuring redirection settings as the most restrictive setting is the
resultant behavior. For example, if you disable serial or COM port redirection on a
session host with Microsoft Intune or Group Policy, but enable it with the host pool
RDP property, redirection is disabled.

Configure serial or COM port redirection using host pool RDP properties

The Azure Virtual Desktop host pool setting COM ports redirection controls whether to
redirect the serial or COM ports between the remote session and the local device. The
corresponding RDP property is redirectcomports:i:<value> . For more information, see
Supported RDP properties.

To configure serial or COM port redirection using host pool RDP properties:

1. Sign in to the Azure portal .

2. In the search bar, type Azure Virtual Desktop and select the matching service entry.

3. Select Host pools, then select the host pool you want to configure.

4. Select RDP Properties, then select Device redirection.

5. For COM ports redirection, select the drop-down list, then select one of the
following options:

COM ports on the local computer are not available in the remote session
COM ports on the local computer are available in the remote session
(default)
Not configured

6. Select Save.

Configure serial or COM port redirection using Microsoft Intune or Group Policy

Select the relevant tab for your scenario.

Microsoft Intune

To allow or disable serial or COM port redirection using Microsoft Intune:

1. Sign in to the Microsoft Intune admin center .

2. Create or edit a configuration profile for Windows 10 and later devices, with
the Settings catalog profile type.

3. In the settings picker, browse to Administrative templates > Windows
Components > Remote Desktop Services > Remote Desktop Session Host >
Device and Resource Redirection.

4. Check the box for Do not allow COM port redirection, then close the settings
picker.

5. Expand the Administrative templates category, then toggle the switch for Do
not allow COM port redirection to Enabled or Disabled, depending on your
requirements:

To allow serial or COM port redirection, toggle the switch to Disabled.

To disable serial or COM port redirection, toggle the switch to Enabled.


6. Select Next.

7. Optional: On the Scope tags tab, select a scope tag to filter the profile. For
more information about scope tags, see Use role-based access control (RBAC)
and scope tags for distributed IT.

8. On the Assignments tab, select the group containing the computers providing
a remote session you want to configure, then select Next.

9. On the Review + create tab, review the settings, then select Create.

10. Once the policy applies to the computers providing a remote session, restart
them for the settings to take effect.

Test serial or COM port redirection

When using serial or COM port redirection, consider the following behavior:

Drivers for redirected peripherals connected to a serial or COM port need to be
installed in the remote session using the same process as the local device. Ensure
that Windows Update is enabled in the remote session, or that drivers are available
for the peripheral.

Opaque low-level redirection is designed for LAN connections; with higher latency,
some peripherals connected to a serial or COM port might not function properly,
or the user experience might not be suitable.

Peripherals connected to a serial or COM port aren't available on the local device
locally while it's redirected to the remote session.

Peripherals connected to a serial or COM port can only be used in one remote
session at a time.

Serial or COM port redirection is only available from a local Windows device.

To test serial or COM port redirection from a local Windows device:

1. Plug in the supported peripherals you want to use in a remote session to a serial or
COM port.

2. Connect to a remote session using Windows App or the Remote Desktop app on a
platform that supports drive redirection. For more information, see Compare
Windows App features across platforms and devices and Compare Remote
Desktop app features across platforms and devices.

3. Check the device is functioning correctly in the remote session. As serial or COM
ports are redirected using opaque low-level redirection, the correct driver needs to
be installed in the remote session, which you need to do if it's not installed
automatically.

Here are some ways to check the USB peripherals are available in the remote
session, depending on the permission you have in the remote session:

a. Open Device Manager in the remote session from the start menu, or run
devmgmt.msc from the command line. Check the redirected peripherals appear in
the expected device category and don't show any errors.

b. Open a Command Prompt or PowerShell prompt on both the local device and
in the remote session, then run the following command in both locations. This
command shows the serial or COM ports available locally and enables you to
verify that they're available in the remote session.

Windows Command Prompt

chgport

The output is similar to the following example:


On the local device:

Output

COM3 = \Device\Serial0
COM4 = \Device\Serial1

In the remote session:

Output

COM3 = \Device\RdpDrPort\;COM3:2\tsclient\COM3
COM4 = \Device\RdpDrPort\;COM4:2\tsclient\COM4

4. Once the peripherals are redirected and functioning correctly, you can use them as
you would on a local device.
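
The PowerShell below is an added example, not code from the documentation, that automates the comparison in step 3b. It parses chgport output into objects, flags the ports that are backed by the RDP device redirector (the \Device\RdpDrPort path shown above) and maps each back to the client-side port named after \tsclient\, so local and remote listings can be matched port for port. The function names and the sample lines are constructed to match the output shown above.

```powershell
# Added example, not code from the Azure Virtual Desktop documentation.

# Turn each "COMn = \Device\..." line from chgport into an object
function ConvertFrom-ChgportOutput {
    param([Parameter(Mandatory, ValueFromPipeline)][string[]]$Line)
    process {
        foreach ($l in $Line) {
            if ($l -match '^\s*(COM\d+)\s*=\s*(\S+)') {
                $port   = $Matches[1]
                $device = $Matches[2]
                # A redirected port is served by the RDP device redirector driver and
                # names the client-side port after \tsclient\
                $redirected = $device -like '\Device\RdpDrPort\*'
                $clientPort = if ($redirected -and $device -match '\\tsclient\\(COM\d+)$') { $Matches[1] } else { $null }
                [pscustomobject]@{
                    Port       = $port
                    Device     = $device
                    Redirected = $redirected
                    ClientPort = $clientPort
                }
            }
        }
    }
}

# Match the local device's ports against the remote session's redirected ports
function Compare-ComPortRedirection {
    param(
        [Parameter(Mandatory)][string[]]$LocalOutput,   # chgport output captured locally
        [Parameter(Mandatory)][string[]]$RemoteOutput   # chgport output captured in the session
    )
    $remote = $RemoteOutput | ConvertFrom-ChgportOutput | Where-Object Redirected
    foreach ($local in ($LocalOutput | ConvertFrom-ChgportOutput)) {
        $match = $remote | Where-Object ClientPort -eq $local.Port
        [pscustomobject]@{
            LocalPort                = $local.Port
            LocalDevice              = $local.Device
            AvailableInRemoteSession = [bool]$match
            RemotePort               = $match.Port
        }
    }
}

# Live use: run "chgport" in each location and pass the captured lines in.
# Constructed sample, matching the output shown above:
$localLines  = @('COM3 = \Device\Serial0', 'COM4 = \Device\Serial1')
$remoteLines = @('COM3 = \Device\RdpDrPort\;COM3:2\tsclient\COM3',
                 'COM4 = \Device\RdpDrPort\;COM4:2\tsclient\COM4')

Compare-ComPortRedirection -LocalOutput $localLines -RemoteOutput $remoteLines |
    Format-Table -AutoSize
```

A local port that reports AvailableInRemoteSession as False after connecting points at one of the three places the page lists: the session host policy, the host pool RDP property, or a client platform that does not support the redirection.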

Related content
Redirection over the Remote Desktop Protocol.
Supported RDP properties.
Compare Windows App features across platforms and devices.
Compare Remote Desktop app features across platforms and devices.



Configure smart card redirection over
the Remote Desktop Protocol
Article • 08/09/2024

Tip

This article is shared for services and products that use the Remote Desktop
Protocol (RDP) to provide remote access to Windows desktops and apps.

Select a product using the buttons at the top of this article to show the relevant
content.

You can configure the redirection behavior of smart card devices from a local device to a
remote session over the Remote Desktop Protocol (RDP).

For Azure Virtual Desktop, we recommend you enable smart card redirection on your
session hosts using Microsoft Intune or Group Policy, then control redirection using the
host pool RDP properties.

This article provides information about the supported redirection methods and how to
configure the redirection behavior for smart card devices. To learn more about how
redirection works, see Redirection over the Remote Desktop Protocol.

Prerequisites
Before you can configure smart card redirection, you need:

An existing host pool with session hosts.

A Microsoft Entra ID account that is assigned the Desktop Virtualization Host Pool
Contributor built-in role-based access control (RBAC) role on the host pool as a
minimum.

A smart card device available on your local device.

To configure Microsoft Intune, you need:

A Microsoft Entra ID account that is assigned the Policy and Profile manager built-in RBAC role.
A group containing the devices you want to configure.

To configure Group Policy, you need:

A domain account that has permission to create or edit Group Policy objects.
A security group or organizational unit (OU) containing the devices you want to
configure.

You need to connect to a remote session from a supported app and platform. To
view redirection support in Windows App and the Remote Desktop app, see
Compare Windows App features across platforms and devices and Compare
Remote Desktop app features across platforms and devices.

Smart card redirection

Configuration of a session host using Microsoft Intune or Group Policy, or setting an
RDP property on a host pool governs the ability to redirect smart card devices from a
local device to a remote session, which is subject to a priority order.

The default configuration is:

Windows operating system: Smart card redirection isn't blocked.
Azure Virtual Desktop host pool RDP properties: Smart card devices are
redirected from the local device to the remote session.
Resultant default behavior: Smart card devices are redirected from the local
device to the remote session.

Important

Take care when configuring redirection settings as the most restrictive setting is the
resultant behavior. For example, if you disable smart card redirection on a session
host with Microsoft Intune or Group Policy, but enable it with the host pool RDP
property, redirection is disabled.

Configure smart card device redirection using host pool RDP properties

The Azure Virtual Desktop host pool setting Smart card redirection controls whether to
redirect smart card devices from a local device to a remote session. The corresponding RDP
property is redirectsmartcards:i:<value> . For more information, see Supported RDP
properties.

To configure smart card redirection using host pool RDP properties:

1. Sign in to the Azure portal .

2. In the search bar, type Azure Virtual Desktop and select the matching service entry.

3. Select Host pools, then select the host pool you want to configure.

4. Select RDP Properties, then select Device redirection.

5. For Smart card redirection, select the drop-down list, then select one of the
following options:

The smart card device on the local computer is not available in remote
session
The smart card device on the local computer is available in remote session
(default)
Not configured

6. Select Save.

7. To test the configuration, connect to a remote session, then use an application or
website that requires your smart card. Verify that the smart card is available and
works as expected.

Configure smart card device redirection using Microsoft Intune or Group Policy

Select the relevant tab for your scenario.

Microsoft Intune

To allow or disable smart card device redirection using Microsoft Intune:

1. Sign in to the Microsoft Intune admin center .

2. Create or edit a configuration profile for Windows 10 and later devices, with
the Settings catalog profile type.

3. In the settings picker, browse to Administrative templates > Windows
Components > Remote Desktop Services > Remote Desktop Session Host >
Device and Resource Redirection.

4. Check the box for Do not allow smart card device redirection, then close the
settings picker.

5. Expand the Administrative templates category, then toggle the switch for Do
not allow smart card device redirection to Enabled or Disabled, depending on your
requirements:

To allow smart card device redirection, toggle the switch to Disabled.

To disable smart card device redirection, toggle the switch to Enabled.

6. Select Next.

7. Optional: On the Scope tags tab, select a scope tag to filter the profile. For
more information about scope tags, see Use role-based access control (RBAC)
and scope tags for distributed IT.

8. On the Assignments tab, select the group containing the computers providing
a remote session you want to configure, then select Next.

9. On the Review + create tab, review the settings, then select Create.

10. Once the policy applies to the computers providing a remote session, restart
them for the settings to take effect.

Test smart card redirection

To test smart card redirection:

1. Connect to a remote session using Windows App or the Remote Desktop app on a
platform that supports smart card redirection. For more information, see Compare
Windows App features across platforms and devices and Compare Remote
Desktop app features across platforms and devices.

2. Check your smart cards are available in the remote session. Run the following
command in the remote session in Command Prompt or from a PowerShell
prompt.

Windows Command Prompt

certutil -scinfo

If smart card redirection is working, the output starts similar to the following
output:

Output

The Microsoft Smart Card Resource Manager is running.
Current reader/card status:
Readers: 2
0: Windows Hello for Business 1
1: Yubico YubiKey OTP+FIDO+CCID 0
--- Reader: Windows Hello for Business 1
--- Status: SCARD_STATE_PRESENT | SCARD_STATE_INUSE
--- Status: The card is being shared by a process.
--- Card: Identity Device (Microsoft Generic Profile)
--- ATR:
aa bb cc dd ee ff 00 11 22 33 44 55 66 77 88 99   ;.........AB12..
ab                                                .

--- Reader: Yubico YubiKey OTP+FIDO+CCID 0
--- Status: SCARD_STATE_PRESENT | SCARD_STATE_UNPOWERED
--- Status: The card is available for use.
--- Card: Identity Device (NIST SP 800-73 [PIV])
--- ATR:
aa bb cc dd ee ff 00 11 22 33 44 55 66 77 88 99   ;.........34yz..
ab                                                .

[continued...]

3. Open and use an application or website that requires your smart card. Verify that
the smart card is available and works as expected.
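
To script the check in step 2, here is an added PowerShell example that is not part of the documentation. It confirms the Smart Card service (SCardSvr) is running in the remote session, then parses the text of certutil -scinfo into one object per reader with the SCARD_STATE flags decoded, so a redirected reader and its card can be verified without reading the dump by eye. The sample text is constructed from the output shown above; the function names and the use of certutil's -silent option to avoid prompts are the example's own choices.

```powershell
# Added example, not code from the Azure Virtual Desktop documentation.

# Parse "--- Reader/Status/Card" blocks from certutil -scinfo text
function ConvertFrom-ScInfo {
    param([Parameter(Mandatory)][string[]]$Lines)

    $readers = @()
    $current = $null
    foreach ($line in $Lines) {
        switch -Regex ($line) {
            '^--- Reader:\s*(.+)$' {
                # Each "--- Reader:" line starts a new block; flush the previous one
                if ($current) { $readers += $current }
                $current = [pscustomobject]@{ Reader = $Matches[1].Trim(); States = @(); Card = $null; Usable = $false }
            }
            '^--- Status:\s*(SCARD_STATE_[A-Z_ |]+)$' {
                # The first Status line carries the raw flags; the second is prose and is skipped
                if ($current) { $current.States = @($Matches[1] -split '\|' | ForEach-Object { $_.Trim() }) }
            }
            '^--- Card:\s*(.+)$' {
                if ($current) { $current.Card = $Matches[1].Trim() }
            }
        }
    }
    if ($current) { $readers += $current }

    foreach ($r in $readers) {
        # A card that is present and not held exclusively by another process can be used
        $r.Usable = ($r.States -contains 'SCARD_STATE_PRESENT') -and
                    ($r.States -notcontains 'SCARD_STATE_EXCLUSIVE')
    }
    return $readers
}

# Run inside the remote session; pass captured text to parse it offline
function Test-SmartCardRedirection {
    param([string[]]$ScInfoText)

    # Redirected readers are surfaced through the Smart Card service (SCardSvr)
    $svc = Get-Service -Name SCardSvr -ErrorAction SilentlyContinue
    if (-not $svc -or $svc.Status -ne 'Running') {
        return [pscustomobject]@{ ServiceRunning = $false; Readers = @() }
    }
    if (-not $ScInfoText) {
        # -silent keeps certutil from prompting for a PIN while it enumerates readers
        $ScInfoText = certutil -silent -scinfo 2>&1 | ForEach-Object { "$_" }
    }
    [pscustomobject]@{ ServiceRunning = $true; Readers = (ConvertFrom-ScInfo -Lines $ScInfoText) }
}

# Constructed sample, taken from the output shown above
$sample = @(
    '--- Reader: Windows Hello for Business 1',
    '--- Status: SCARD_STATE_PRESENT | SCARD_STATE_INUSE',
    '--- Status: The card is being shared by a process.',
    '--- Card: Identity Device (Microsoft Generic Profile)',
    '--- Reader: Yubico YubiKey OTP+FIDO+CCID 0',
    '--- Status: SCARD_STATE_PRESENT | SCARD_STATE_UNPOWERED',
    '--- Status: The card is available for use.',
    '--- Card: Identity Device (NIST SP 800-73 [PIV])'
)
ConvertFrom-ScInfo -Lines $sample | Format-Table Reader, Card, Usable -AutoSize
```

The physical reader (here the YubiKey) is the one that proves redirection works; the Windows Hello for Business reader is a virtual reader that the session can report on its own.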

Related content
Redirection over the Remote Desktop Protocol.
Supported RDP properties.
Compare Windows App features across platforms and devices.
Compare Remote Desktop app features across platforms and devices.



Configure USB redirection on Windows
over the Remote Desktop Protocol
Article • 08/09/2024

Tip

This article is shared for services and products that use the Remote Desktop
Protocol (RDP) to provide remote access to Windows desktops and apps.

Select a product using the buttons at the top of this article to show the relevant
content.

You can configure the redirection of certain USB peripherals between a local Windows
device and a remote session over the Remote Desktop Protocol (RDP).

Important

This article covers USB devices that use opaque low-level redirection only. USB
devices that use high-level redirection are covered by the article for the specific
device type. You should use high-level redirection methods where possible.

For a list of which device type uses which redirection method, see Supported
resources and peripherals. Peripherals redirected using opaque low-level
redirection require drivers installed in the remote session.

For Azure Virtual Desktop, USB redirection must be configured at the following points. If
any of these components aren't configured correctly, USB redirection won't work as
expected. You can use Microsoft Intune or Group Policy to configure your session hosts
and the local device.

Session host
Host pool RDP property
Local device

By default, the host pool RDP property will redirect all supported USB peripherals, but
you can also specify individual USB peripherals to redirect or exclude from redirection,
and redirect an entire device setup class, such as multimedia peripherals. Take care when
configuring redirection settings as the most restrictive setting is the resultant behavior.
Some USB peripherals might have functions that use opaque low-level USB redirection
or high-level redirection. By default, these peripherals are redirected using high-level
redirection. You can force these peripherals to use opaque low-level USB redirection
also by following the steps in this article.

Tip

If you use the following features in a remote session, they have their own
optimizations that are independent from the redirection configuration on the
session host, host pool RDP properties, or local device.

Microsoft Teams for camera, microphone, and audio redirection.
Multimedia redirection for audio, video and call redirection.

Prerequisites
Before you can configure USB redirection using opaque low-level redirection, you need:

An existing host pool with session hosts.

A Microsoft Entra ID account that is assigned the Desktop Virtualization Host Pool
Contributor built-in role-based access control (RBAC) role on the host pool as a
minimum.

A USB device you can use to test the redirection configuration.

To configure Microsoft Intune, you need:

A Microsoft Entra ID account that is assigned the Policy and Profile manager built-in RBAC role.
A group containing the devices you want to configure.

To configure Group Policy, you need:

A domain account that has permission to create or edit Group Policy objects.
A security group or organizational unit (OU) containing the devices you want to
configure.

You need to connect to a remote session from a supported app and platform. To
view redirection support in Windows App and the Remote Desktop app, see
Compare Windows App features across platforms and devices and Compare
Remote Desktop app features across platforms and devices.

Session host configuration
To configure a session host for USB redirection using opaque low-level redirection, you
need to enable Plug and Play redirection. You can do this using Microsoft Intune or
Group Policy.

The default configuration is:

Windows operating system: USB redirection isn't allowed.

Select the relevant tab for your scenario.

Microsoft Intune

To enable Plug and Play redirection using Microsoft Intune:

1. Sign in to the Microsoft Intune admin center .

2. Create or edit a configuration profile for Windows 10 and later devices, with
the Settings catalog profile type.

3. In the settings picker, browse to Administrative templates > Windows
Components > Remote Desktop Services > Remote Desktop Session Host >
Device and Resource Redirection.

4. Check the box for Do not allow supported Plug and Play device redirection,
then close the settings picker.

5. Expand the Administrative templates category, then toggle the switch for
Do not allow supported Plug and Play device redirection to Disabled.

6. Select Next.

7. Optional: On the Scope tags tab, select a scope tag to filter the profile. For
more information about scope tags, see Use role-based access control (RBAC)
and scope tags for distributed IT.

8. On the Assignments tab, select the group containing the computers providing
a remote session you want to configure, then select Next.

9. On the Review + create tab, review the settings, then select Create.

10. Once the policy applies to the computers providing a remote session, restart
them for the settings to take effect.

Local Windows device configuration
To configure a local Windows device for USB redirection using opaque low-level
redirection, you need to allow RDP redirection of other supported USB peripherals for
users and administrators. You can do this using Group Policy.

Important

Although the setting Allow RDP redirection of other supported RemoteFX USB
devices from this computer is available in Microsoft Intune, it doesn't currently
work as expected. You must use Group Policy to configure this setting.

The default configuration is:

Windows operating system: other supported USB peripherals aren't available for
RDP redirection by using any user account.

To allow RDP redirection of other supported USB peripherals using Group Policy:

1. Open the Group Policy Management console on a device you use to manage the
Active Directory domain.

2. Create or edit a policy that targets the computers providing a remote session you
want to configure.

3. Navigate to Computer Configuration > Policies > Administrative Templates >
Windows Components > Remote Desktop Services > Remote Desktop
Connection Client > RemoteFX USB Device Redirection.

4. Double-click the policy setting Allow RDP redirection of other supported
RemoteFX USB devices from this computer to open it. Select Enabled.

5. For the drop-down list for RemoteFX USB Redirection Access Rights, select
Administrators and Users, then select OK.

6. Ensure the policy is applied to the local Windows devices, then you must restart
them for USB redirection to work.

Optional: Retrieve specific USB device instance IDs to use with opaque low-level redirection

For Azure Virtual Desktop, you can enter specific device instance IDs in the host pool
properties so that only the peripherals you approve are redirected. To retrieve the device
instance IDs of the USB devices on a local device that you want to redirect:

1. On the local device, connect any devices you want to redirect.

2. Open the Remote Desktop Connection app from the start menu, or run mstsc.exe
from the command line.

3. Select Show Options, then select the Local Resources tab.

4. In the section Local devices and resources, select More....

5. From the list of devices and resources, check the box for Other supported
RemoteFX USB devices. This option only appears if you enable the setting Allow
RDP redirection of other supported RemoteFX USB devices from this computer
covered in the section Local Windows device configuration. You can select the +
(plus) icon to expand the list and see which devices are available to be redirected
using opaque low-level redirection.

6. Select OK to close Local devices and resources.

7. Select the General tab, then select Save As... and save the .rdp file.

8. Open a PowerShell prompt on the local device.

9. Run the following commands to match each supported USB device name with the
USB instance ID. You need to replace the <placeholder> value for the .rdp file you
saved previously.

PowerShell

$rdpFile = "<RDP file path>"

$testPath = Test-Path $rdpFile

If ($testPath) {

    # Function used for recursively getting all child devices of a parent device
    Function Lookup-Device-Children {
        [CmdletBinding()]
        Param(
            [Parameter(Mandatory, ValueFromPipeline)]
            [ValidateNotNullOrEmpty()]
            [object]
            $ChildDeviceIds
        )

        foreach ($childDeviceId in $ChildDeviceIds) {
            $pnpDeviceProperties = Get-PnpDeviceProperty -InstanceId $childDeviceId

            [string]$childDevice = ($pnpDeviceProperties | ? KeyName -eq DEVPKEY_NAME).Data
            Write-Output "    $childDevice"

            # Recurse when this child has children of its own
            If ($pnpDeviceProperties.KeyName -contains "DEVPKEY_Device_Children") {
                $pnpChildDeviceIds = ($pnpDeviceProperties | ? KeyName -eq DEVPKEY_Device_Children).Data
                Lookup-Device-Children -ChildDeviceIds $pnpChildDeviceIds
            }
        }
    }

    # Get a list of the supported devices from the .rdp file and store them in an array,
    # dropping any empty entry left by a trailing semicolon
    [string]$usb = Get-Content -Path $rdpFile | Select-String USB
    $devices = @($usb.Replace("usbdevicestoredirect:s:","").Replace("-","").Split(";") | Where-Object { $_ })

    # Get the devices
    foreach ($device in $devices) {
        $pnpDeviceProperties = Get-PnpDeviceProperty -InstanceId $device

        [string]$parentDevice = ($pnpDeviceProperties | ? KeyName -eq DEVPKEY_NAME).Data
        Write-Output "`n-------------------`n`nParent device name: $parentDevice`nUSB device ID: $device`n"

        If ($pnpDeviceProperties.KeyName -contains "DEVPKEY_Device_Children") {
            $pnpChildDeviceIds = ($pnpDeviceProperties | ? KeyName -eq DEVPKEY_Device_Children).Data
            Write-Output "This parent device has the following child devices:"
            Lookup-Device-Children -ChildDeviceIds $pnpChildDeviceIds
        }
    }

} else {
    Write-Output "Error: file doesn't exist. Please check the file path and try again."
}

The output is similar to the following example:

Output

-------------------

Parent device name: USB Composite Device
USB device ID: USB\VID_0ECB&PID_1F58\9&2E5F6FA0&0&1

This parent device has the following child devices:
    AKG C44-USB Microphone
    Headphones (AKG C44-USB Microphone)
    Microphone (AKG C44-USB Microphone)
    USB Input Device
    HID-compliant consumer control device
    HID-compliant consumer control device

-------------------

Parent device name: USB Composite Device
USB device ID: USB\VID_262A&PID_180A\6&22E6BE6&0&1

This parent device has the following child devices:
    USB Input Device
    HID-compliant consumer control device
    Klipsch R-41PM
    Speakers (Klipsch R-41PM)

-------------------

Parent device name: USB-to-Serial Comm Port (COM30)
USB device ID: USB\VID_012A&PID_0123\A&3A944CE5&0&2

-------------------

Parent device name: USB Composite Device
USB device ID: USB\VID_046D&PID_0893\88A44075

This parent device has the following child devices:
    Logitech StreamCam
    Logitech StreamCam
    Microphone (Logitech StreamCam)
    Logitech StreamCam WinUSB
    USB Input Device
    HID-compliant vendor-defined device

10. Make a note of the device instance ID of any of the parent devices you want to use
for redirection. Only the parent device instance ID is applicable for USB redirection.

Optional: Discover peripherals matching a device setup class

For Azure Virtual Desktop, you can enter a device class GUID in the host pool properties
so that only the devices that match that device class are redirected. To retrieve a list of
the devices that match a specific device class GUID on a local device:

1. On the local device, open a PowerShell prompt.

2. Run the following command, replacing <device class GUID> with the device class
GUID you want to search for and list the matching devices. For a list of device class
GUID values, see System-Defined Device Setup Classes Available to Vendors.

PowerShell

$deviceClassGuid = "<device class GUID>"

Get-PnpDevice | Where-Object {$_.ClassGuid -like "*$deviceClassGuid*" -and $_.InstanceId -like "USB\*" -and $_.Present -like "True"} | FT -AutoSize

For example, using the device class GUID 4d36e96c-e325-11ce-bfc1-08002be10318
for multimedia devices, the output is similar to the following example:

Output

Status Class FriendlyName              InstanceId
------ ----- ------------              ----------
OK     MEDIA USB Advanced Audio Device USB\VID_0D8C&PID_0147&MI_00\B&35486F89&0&0000
OK     MEDIA AKG C44-USB Microphone    USB\VID_0ECB&PID_1F58&MI_00\A&250837E1&0&0000
OK     MEDIA Logitech StreamCam        USB\VID_046D&PID_0893&MI_02\6&4886529&0&0002
OK     MEDIA Klipsch R-41PM            USB\VID_262A&PID_180A&MI_01\7&3598D0A0&0&0001

Host pool configuration

The Azure Virtual Desktop host pool setting USB device redirection determines which
supported USB devices connected to the local device are available in the remote
session. The corresponding RDP property is usbdevicestoredirect:s:<value> . For more
information, see Supported RDP properties.

To configure USB redirection using host pool RDP properties:

1. Sign in to the Azure portal .

2. In the search bar, type Azure Virtual Desktop and select the matching service entry.

3. Select Host pools, then select the host pool you want to configure.

4. Select RDP Properties, then select Device redirection.

5. For USB device redirection, select the drop-down list, then select one of the
following options:

Redirect all USB devices that are not already redirected by another high-level
redirection (default)
Redirect all devices that are members of the specified device setup class or
devices defined by specific instance ID

6. If you select Redirect all devices that are members of the specified device setup
class or devices defined by specific instance ID, an extra box shows. You need to
enter the device setup class or specific device instance path for the devices you
want to redirect, separated by a semicolon. For more information, see Controlling
opaque low-level USB redirection. To get the values for supported devices, see
Optional: Retrieve specific device instance IDs, and for device class GUIDs, see
Optional: Discover peripherals matching a device setup class. For Azure Virtual
Desktop, the characters \ , : , and ; must be escaped using a backslash character.

Here are some examples:

To redirect a specific peripheral, where it's only redirected when it matches its
whole device instance path (that is, when it's connected to a particular USB port),
enter the device instance path using double backslash characters, such as
USB\\VID_045E&PID_0779\\5&21F6DCD1&0&5. For multiple devices, separate them
with a semicolon, such as
USB\\VID_045E&PID_0779\\5&21F6DCD1&0&5;USB\\VID_0ECB&PID_1F58\\9&2E5F6FA0&0&1.

To redirect all peripherals that are members of a specific device setup class
(that is, all supported multimedia devices), enter the device class GUID,
including braces. For example, to redirect all multimedia devices, enter
{4d36e96c-e325-11ce-bfc1-08002be10318}. For multiple device class IDs,
separate them with a semicolon, such as
{4d36e96c-e325-11ce-bfc1-08002be10318};{6bdd1fc6-810f-11d0-bec7-08002be2092f}.

Tip

You can create advanced configurations by combining device instance paths and
device class GUIDs, and you enter the configuration on the Advanced tab of RDP
Properties. For more examples, see usbdevicestoredirect RDP property.

7. Select Save. You can now test the USB redirection configuration.

Test USB redirection


Once you configure your session hosts, host pool RDP property, and local devices, you
can test USB redirection. Consider the following behavior:

Drivers for redirected USB peripherals are installed in the remote session using the
same process as the local device. Ensure that Windows Update is enabled in the
remote session, or that drivers are available for the peripheral.

Opaque low-level USB redirection is designed for LAN connections (< 20 ms latency);
with higher latency, some USB peripherals might not function properly, or the user
experience might not be suitable.

USB peripherals aren't available on the local device locally while it's redirected to
the remote session.

USB peripherals can only be used in one remote session at a time.

USB redirection is only available from a local Windows device.

To test USB redirection:


1. Plug in the supported USB peripherals you want to use in a remote session.

2. Connect to a remote session using Windows App or the Remote Desktop app on a
platform that supports USB redirection. For more information, see Compare
Windows App features across platforms and devices and Compare Remote
Desktop app features across platforms and devices.

3. Check the peripherals are connected to the remote session. With the display in full
screen, on the status bar select the icon to select devices to use. This icon only
shows when USB redirection is correctly configured.

4. Check the box for each USB peripheral you want to redirect to the remote session,
and uncheck the box for those peripherals you don't want to redirect. Some
devices might appear in this list as Remote Desktop Generic USB Device once
redirected.

5. Check the device is functioning correctly in the remote session. The correct driver
needs to be installed in the remote session. Here are some ways to check the USB
peripherals are available in the remote session, depending on the permission you
have in the remote session:

a. Open Device Manager in the remote session from the start menu, or run
devmgmt.msc from the command line. Check the redirected peripherals appear in
the expected device category and don't show any errors.


b. Open a PowerShell prompt in the remote session and run the following
command:

PowerShell

Get-PnPDevice | Where-Object {$_.InstanceId -like "*TSUSB*" -and $_.Present -eq "true"} | FT -AutoSize

The output is similar to the following example. Check the status column for any
entries that show Error. If there are any entries with an error, troubleshoot the
device according to the manufacturer's instructions.

Output

Status Class FriendlyName                     InstanceId
------ ----- ------------                     ----------
OK     USB   USB Composite Device             USB\VID_0D8C&PID_0147&REV_0109\3&2DCEE32&0&TSUSB-SESSION4...
OK     Ports USB-to-Serial Comm Port (COM6)   USB\VID_012A&PID_0123&REV_0202\3&2DCEE32&0&TSUSB-SESSION4...

6. Once the peripherals are redirected and functioning correctly, you can use them as
you would on a local device.

usbdevicestoredirect RDP property


The usbdevicestoredirect RDP property is used to specify which USB devices are
redirected to the remote session and its syntax usbdevicestoredirect:s:<value>
provides flexibility when redirecting USB peripherals using opaque low-level redirection.
Valid values for the property are shown in the following table. Values can be used on
their own, or a combination of these values can be used with each other when separated
with a semicolon, subject to a processing order. For more information, see Controlling
opaque low-level USB redirection.

Processing order   Value                 Description
N/A                No value specified    Don't redirect any supported USB peripherals using
                                         opaque low-level redirection.
1                  *                     Redirect all peripherals that aren't using high-level
                                         redirection.
2                  {<DeviceClassGUID>}   Redirect all peripherals that are members of the specified
                                         device setup class. For a list of device class GUID values,
                                         see System-Defined Device Setup Classes Available to
                                         Vendors.
3                  <USBInstanceID>       Redirect a USB peripheral specified by the given device
                                         instance path.
4                  <-USBInstanceID>      Don't redirect a peripheral specified by the given device
                                         instance path.

When constructed as a string in the correct processing order, the syntax is:

uri

usbdevicestoredirect:s:*;{<DeviceClassGUID>};<USBInstanceID>;<-USBInstanceID>

Here are some examples of using the usbdevicestoredirect RDP property:

To redirect all supported USB peripherals that high-level redirection doesn't
redirect, use:

uri

usbdevicestoredirect:s:*

To redirect all supported USB peripherals with a device class GUID of
{6bdd1fc6-810f-11d0-bec7-08002be2092f} (imaging), use:

uri

usbdevicestoredirect:s:{6bdd1fc6-810f-11d0-bec7-08002be2092f}

To redirect all supported USB peripherals that high-level redirection doesn't
redirect and USB peripherals with device class GUIDs of
{6bdd1fc6-810f-11d0-bec7-08002be2092f} (imaging) and
{4d36e96c-e325-11ce-bfc1-08002be10318} (multimedia), use:

uri

usbdevicestoredirect:s:*;{6bdd1fc6-810f-11d0-bec7-08002be2092f};{4d36e96c-e325-11ce-bfc1-08002be10318}

To redirect supported USB peripherals with instance IDs of
USB\VID_095D&PID_9208\5&23639F31&0&2 and USB\VID_045E&PID_076F\5&14D1A39&0&7,
use:

uri

usbdevicestoredirect:s:USB\VID_095D&PID_9208\5&23639F31&0&2;USB\VID_045E&PID_076F\5&14D1A39&0&7

To redirect all supported USB peripherals that high-level redirection doesn't
redirect, except for a device with an instance ID of
USB\VID_045E&PID_076F\5&14D1A39&0&7, use:

uri

usbdevicestoredirect:s:*;-USB\VID_045E&PID_076F\5&14D1A39&0&7

Use the following syntax to achieve the following scenario:

Redirect all supported USB peripherals that high-level redirection doesn't
redirect.
Redirect all supported USB peripherals with a device setup class GUID of
{6bdd1fc6-810f-11d0-bec7-08002be2092f} (imaging).
Redirect a supported USB peripheral with an instance ID of
USB\VID_095D&PID_9208\5&23639F31&0&2.
Don't redirect a supported USB peripheral with an instance ID of
USB\VID_045E&PID_076F\5&14D1A39&0&7.

uri

usbdevicestoredirect:s:*;{6bdd1fc6-810f-11d0-bec7-08002be2092f};USB\VID_095D&PID_9208\5&23639F31&0&2;-USB\VID_045E&PID_076F\5&14D1A39&0&7

Tip

For Azure Virtual Desktop, the characters \, :, and ; must be escaped using a
backslash character. This includes any device instance paths, such as
USB\\VID_045E&PID_0779\\5&21F6DCD1&0&5. It doesn't affect the redirection behavior.
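The processing order in the table above and the Azure Virtual Desktop escaping rule from step 6 and this tip, worked through in code. This is an added example and not Microsoft's code: it evaluates a usbdevicestoredirect value against a constructed device inventory (the UsbDevice class, its high_level flag, and the assumption that a -<USBInstanceID> exclusion overrides the earlier rules are mine) and escapes the value for a host pool property.

```python
# Added example (not Microsoft's code): evaluates a usbdevicestoredirect:s:<value>
# string against a constructed device inventory using the processing order above,
# and escapes/unescapes the value for Azure Virtual Desktop host pool properties.
import re
from dataclasses import dataclass

# Device setup class GUIDs quoted on this page.
MULTIMEDIA_CLASS = "{4d36e96c-e325-11ce-bfc1-08002be10318}"
IMAGING_CLASS = "{6bdd1fc6-810f-11d0-bec7-08002be2092f}"

GUID_RE = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.IGNORECASE)


@dataclass(frozen=True)
class UsbDevice:
    """A peripheral as seen on the local client (constructed for this example)."""
    instance_path: str   # e.g. USB\VID_045E&PID_0779\5&21F6DCD1&0&5
    class_guid: str      # device setup class, with braces
    high_level: bool     # already served by high-level redirection (audio, camera)


def parse_usbdevicestoredirect(prop: str) -> dict:
    """Split an (unescaped) usbdevicestoredirect:s:<value> property into rule sets."""
    name, sep, value = prop.partition(":s:")
    if not sep or name.lower() != "usbdevicestoredirect":
        raise ValueError(f"not a usbdevicestoredirect:s: property: {prop!r}")
    rules = {"all": False, "classes": set(), "include": set(), "exclude": set()}
    for token in (t.strip() for t in value.split(";")):
        if not token:
            continue                                   # no value: nothing is redirected
        if token == "*":
            rules["all"] = True                        # processing order 1
        elif GUID_RE.match(token):
            rules["classes"].add(token.lower())        # processing order 2
        elif token.startswith("-"):
            rules["exclude"].add(token[1:].upper())    # processing order 4
        else:
            rules["include"].add(token.upper())        # processing order 3
    return rules


def redirected_devices(prop: str, devices: list) -> list:
    """Return the instance paths the property selects for opaque low-level redirection.

    Assumption for this example: an explicit -<USBInstanceID> exclusion (order 4)
    overrides the earlier rules; '*' skips devices that high-level redirection already
    handles, while class GUID and instance path rules apply to any device.
    """
    rules = parse_usbdevicestoredirect(prop)
    selected = []
    for dev in devices:
        path = dev.instance_path.upper()
        if path in rules["exclude"]:
            continue
        if ((rules["all"] and not dev.high_level)
                or dev.class_guid.lower() in rules["classes"]
                or path in rules["include"]):
            selected.append(dev.instance_path)
    return selected


def escape_for_avd(prop: str) -> str:
    """Escape backslash, ':' and ';' in the value, as Azure Virtual Desktop requires."""
    name, sep, value = prop.partition(":s:")
    value = value.replace("\\", "\\\\").replace(":", "\\:").replace(";", "\\;")
    return name + sep + value


def unescape_from_avd(prop: str) -> str:
    """Reverse escape_for_avd so the value can be evaluated with redirected_devices."""
    name, sep, value = prop.partition(":s:")
    return name + sep + re.sub(r"\\([\\:;])", r"\1", value)


# Constructed inventory reusing instance paths and class GUIDs quoted on this page.
INVENTORY = [
    UsbDevice(r"USB\VID_0ECB&PID_1F58&MI_00\A&250837E1&0&0000", MULTIMEDIA_CLASS, True),
    UsbDevice(r"USB\VID_046D&PID_0893&MI_02\6&4886529&0&0002", MULTIMEDIA_CLASS, True),
    UsbDevice(r"USB\VID_095D&PID_9208\5&23639F31&0&2", IMAGING_CLASS, False),
    UsbDevice(r"USB\VID_045E&PID_076F\5&14D1A39&0&7", IMAGING_CLASS, False),
]

if __name__ == "__main__":
    combined = (r"usbdevicestoredirect:s:*;" + IMAGING_CLASS
                + r";USB\VID_095D&PID_9208\5&23639F31&0&2"
                + r";-USB\VID_045E&PID_076F\5&14D1A39&0&7")
    print(redirected_devices(combined, INVENTORY))
    print(escape_for_avd(combined))
```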

Related content
Redirection over the Remote Desktop Protocol.
Supported RDP properties.
Compare Windows App features across platforms and devices.
Compare Remote Desktop app features across platforms and devices.



Configure WebAuthn redirection over
the Remote Desktop Protocol
Article • 09/17/2024

 Tip

This article is shared for services and products that use the Remote Desktop
Protocol (RDP) to provide remote access to Windows desktops and apps.

Select a product using the buttons at the top of this article to show the relevant
content.

You can configure the redirection behavior of WebAuthn requests from a remote session
to a local device over the Remote Desktop Protocol (RDP). WebAuthn redirection
enables in-session passwordless authentication using Windows Hello for Business or
security devices like FIDO keys.

For Azure Virtual Desktop, we recommend you enable WebAuthn redirection on your
session hosts using Microsoft Intune or Group Policy, then control redirection using the
host pool RDP properties.

This article provides information about the supported redirection methods and how to
configure the redirection behavior for WebAuthn requests. To learn more about how
redirection works, see Redirection over the Remote Desktop Protocol.

Prerequisites
Before you can configure WebAuthn redirection, you need:

An existing host pool with session hosts.

A Microsoft Entra ID account that is assigned the Desktop Virtualization Host Pool
Contributor built-in role-based access control (RBAC) role on the host pool as a
minimum.

A local Windows device with Windows Hello for Business or a security device like a
FIDO USB key already configured.

To configure Microsoft Intune, you need:

A Microsoft Entra ID account that is assigned the Policy and Profile manager built-
in RBAC role.
A group containing the devices you want to configure.

To configure Group Policy, you need:

A domain account that has permission to create or edit Group Policy objects.
A security group or organizational unit (OU) containing the devices you want to
configure.

You need to connect to a remote session from a supported app and platform. To
view redirection support in Windows App and the Remote Desktop app, see
Compare Windows App features across platforms and devices and Compare
Remote Desktop app features across platforms and devices.

WebAuthn redirection
Configuration of a session host using Microsoft Intune or Group Policy, or setting an
RDP property on a host pool governs the ability to redirect WebAuthn requests from a
remote session to a local device, which is subject to a priority order.

The default configuration is:

Windows operating system: WebAuthn requests aren't blocked.

Azure Virtual Desktop host pool RDP properties: WebAuthn requests in the
remote session are redirected to the local computer.

) Important

Take care when configuring redirection settings as the most restrictive setting is the
resultant behavior. For example, if you disable WebAuthn redirection on a session
host with Microsoft Intune or Group Policy, but enable it with the host pool RDP
property, redirection is disabled.

Configure WebAuthn redirection using host pool RDP properties
The Azure Virtual Desktop host pool setting WebAuthn redirection controls whether to
redirect WebAuthn requests between the remote session and the local device. The
corresponding RDP property is redirectwebauthn:i:<value> . For more information, see
Supported RDP properties.

To configure WebAuthn redirection using host pool RDP properties:

1. Sign in to the Azure portal.

2. In the search bar, type Azure Virtual Desktop and select the matching service entry.

3. Select Host pools, then select the host pool you want to configure.

4. Select RDP Properties, then select Device redirection.

5. For WebAuthn redirection, select the drop-down list, then select one of the
following options:

WebAuthn requests in the remote session are not redirected to the local
computer
WebAuthn requests in the remote session are redirected to the local
computer (default)
Not configured

6. Select Save.

7. To test the configuration, follow the steps in Test WebAuthn redirection.


Configure WebAuthn redirection using Microsoft Intune
or Group Policy
Select the relevant tab for your scenario.

Microsoft Intune

To allow or disable WebAuthn redirection using Microsoft Intune:

1. Sign in to the Microsoft Intune admin center .

2. Create or edit a configuration profile for Windows 10 and later devices, with
the Settings catalog profile type.

3. In the settings picker, browse to Administrative templates > Windows
Components > Remote Desktop Services > Remote Desktop Session Host >
Device and Resource Redirection.

4. Check the box for Do not allow WebAuthn redirection, then close the settings
picker.

5. Expand the Administrative templates category, then toggle the switch for Do
not allow WebAuthn redirection to Enabled or Disabled, depending on your
requirements:

To allow WebAuthn redirection, toggle the switch to Disabled.

To disable WebAuthn redirection, toggle the switch to Enabled.

6. Select Next.

7. Optional: On the Scope tags tab, select a scope tag to filter the profile. For
more information about scope tags, see Use role-based access control (RBAC)
and scope tags for distributed IT.

8. On the Assignments tab, select the group containing the computers providing
a remote session you want to configure, then select Next.

9. On the Review + create tab, review the settings, then select Create.

10. Once the policy applies to the computers providing a remote session, restart
them for the settings to take effect.

Test WebAuthn redirection

Once you enable WebAuthn redirection, to test it:

1. If you're using a USB security key, make sure it's plugged in first.

2. Connect to a remote session using Windows App or the Remote Desktop app on a
platform that supports WebAuthn redirection. For more information, see Compare
Windows App features across platforms and devices and Compare Remote
Desktop app features across platforms and devices.

3. In the remote session, open a website in an InPrivate window that uses WebAuthn
authentication, such as Windows App for web browsers at
https://windows.cloud.microsoft/.

4. Follow the sign-in process. When the authentication comes to use Windows Hello
for Business or the security key, you should see a Windows Security prompt to
complete the authentication, as shown in the following image when using a
Windows local device.
The Windows Security prompt is on the local device and overlays the remote
session, indicating that WebAuthn redirection is working.

Related content
Redirection over the Remote Desktop Protocol.
Supported RDP properties.
Compare Windows App features across platforms and devices.
Compare Remote Desktop app features across platforms and devices.



Configure client device redirection
settings for Windows App and the
Remote Desktop app using Microsoft
Intune
Article • 11/09/2024

) Important

Configuring redirection settings for the Remote Desktop app on Android and
Windows App on Android using Microsoft Intune is currently in PREVIEW.
Configuring redirection settings for Windows App on iOS/iPadOS using Microsoft
Intune is generally available. See the Supplemental Terms of Use for Microsoft
Azure Previews for legal terms that apply to Azure features that are in beta,
preview, or otherwise not yet released into general availability.

 Tip

This article contains information for multiple products that use the Remote Desktop
Protocol (RDP) to provide remote access to Windows desktops and applications.

Redirection of resources and peripherals from a user's local device to a remote session
from Azure Virtual Desktop or Windows 365 over the Remote Desktop Protocol (RDP),
such as the clipboard, camera, and audio, is normally governed by central configuration
of a host pool and its session hosts. Client device redirection is configured for Windows
App and the Remote Desktop app using a combination of Microsoft Intune app
configuration policies, app protection policies, and Microsoft Entra Conditional Access
on a user's local device.

These features enable you to achieve the following scenarios:

Apply redirection settings at a more granular level based on criteria you specify.
For example, you might want to have different settings depending on which
security group a user is in, the operating system of device they're using, or if users
use both corporate and personal devices to access a remote session.

Provide an extra layer of protection against misconfigured redirection on the host
pool or session host.

Apply extra security settings to Windows App and the Remote Desktop app, such
as requiring a PIN, blocking third-party keyboards, and restricting cut, copy, and paste
operations between other apps on the client device.

If the redirection settings on a client device conflict with the host pool RDP properties
and session host for Azure Virtual Desktop, or Cloud PC for Windows 365, the more
restrictive setting between the two takes effect. For example, if the session host
disallows drive redirection and the client device allows drive redirection, drive
redirection is disallowed. If the redirection settings on the session host and client device
are both the same, the redirection behavior is consistent.

) Important

Configuring redirection settings on a client device isn't a substitute for correctly
configuring your host pools and session hosts based on your requirements. Using
Microsoft Intune to configure Windows App and the Remote Desktop app might
not be suitable for workloads requiring a higher level of security.

Workloads with higher security requirements should continue to set redirection at
the host pool or session host, where all users of the host pool would have the same
redirection configuration. A Data Loss Protection (DLP) solution is recommended
and redirection should be disabled on session hosts whenever possible to minimize
the opportunities for data loss.

At a high level, there are three areas to configure:

Intune app configuration policies: used to manage redirection settings for
Windows App and the Remote Desktop app on a client device. There are two types
of app configuration policies: a managed apps policy is used to manage settings
for an application, whether the client device is enrolled or unenrolled, and a
managed devices policy is used in addition to manage settings on an enrolled
device. Use filters to target users based on specific criteria.

Intune app protection policies: used to specify security requirements that must be
met by the application and the client device. Use filters to target users based on
specific criteria.

Conditional Access policies: used to grant access to Azure Virtual Desktop and
Windows 365 only if the criteria set in app configuration policies and app
protection policies are met.

Supported platforms and enrollment types
The following table shows which application you can manage based on the device
platform and enrollment type:

For Windows App:

Device platform   Managed devices   Unmanaged devices
iOS and iPadOS    ✅                ✅
Android           ✅                ✅

For the Remote Desktop app:

Device platform   Managed devices   Unmanaged devices
Android           ✅                ✅

Example scenarios
The values you specify in filters and policies depend on your requirements, so you need
to determine what's best for your organization. Here are some example scenarios of
what you need to configure to achieve them.

Scenario 1
Users in a group are allowed drive redirection when connecting from their Windows
corporate device, but drive redirection is disallowed on their iOS/iPadOS or Android
corporate device. To achieve this scenario:

1. Make sure your session hosts or Cloud PCs, and host pools settings are configured
to allow drive redirection.

2. Create device filter for managed apps for iOS and iPadOS, and a separate filter for
Android.

3. For iOS and iPadOS only, create an app configuration policy for managed devices.
4. Create an app configuration policy for managed apps with drive redirection
disabled. You can create a single policy for both iOS/iPadOS and Android, or create
a separate policy for iOS/iPadOS and Android.

5. Create two app protection policies, one for iOS/iPadOS and one for Android.

Scenario 2
Users in a group who have an Android device running the latest version of Android are
allowed drive redirection, but the same users whose device is running an older version of
Android are disallowed drive redirection. To achieve this scenario:

1. Make sure your session hosts or Cloud PCs, and host pools settings are configured
to allow drive redirection.

2. Create two device filters:

a. A device filter for managed apps for Android, where the version is set
to the latest version number of Android.

b. A device filter for managed apps for Android, where the version is set
to a version number older than the latest version of Android.

3. Create two app configuration policies:

a. An app configuration policy for managed apps with drive redirection enabled.
Assign it one or more groups with the filter for the latest version number of
Android.

b. An app configuration policy for managed apps with drive redirection disabled.
Assign it one or more groups with the filter for the older version number of
Android.

4. Create an app protection policy, one combined for iOS/iPadOS and Android.

Scenario 3
Users in a group using an unmanaged iOS/iPadOS device to connect to a remote
session are allowed clipboard redirection, but the same users using an unmanaged
Android device are disallowed clipboard redirection. To achieve this scenario:

1. Make sure your session hosts or Cloud PCs, and host pools settings are configured
to allow clipboard redirection.
2. Create two device filters:

a. A device filter for managed apps for iOS and iPadOS, where the device
management type is unmanaged.

b. A device filter for managed apps for Android, where the device management
type is unmanaged.

3. Create two app configuration policies:

a. An app configuration policy for managed apps with clipboard redirection
enabled. Assign it one or more groups with the filter for unmanaged iOS or
iPadOS devices.

b. An app configuration policy for managed apps with clipboard redirection
disabled. Assign it one or more groups with the filter for unmanaged Android
devices.

4. Create an app protection policy, one combined for iOS/iPadOS and Android.

Recommended policy settings


Here are some recommended policy settings you should use with Intune and
Conditional Access. The settings you use should be based on your requirements.

Intune:
Disable all redirection on personal devices.
Require PIN access to app.
Block third-party keyboards.
Specify a minimum device operating system version.
Specify a minimum Windows App and/or Remote Desktop app version number.
Block jailbroken/rooted devices.
Require a mobile threat defense (MTD) solution on devices, with no threats
detected.

Conditional Access:
Block access unless criteria set in Intune mobile application management
policies are met.
Grant access, requiring one or more of the following options:
Require multifactor authentication.
Require an Intune app protection policy.
Prerequisites
Before you can configure redirection settings on a client device using Microsoft Intune
and Conditional Access, you need:

An existing host pool with session hosts, or Cloud PCs.

At least one security group containing users to apply the policies to.

To use Windows App with enrolled devices on iOS and iPadOS, you need to add
each app to Intune from the App Store. For more information, see Add iOS store
apps to Microsoft Intune.

A client device running one of the following versions of Windows App or the
Remote Desktop app:

For Windows App:

iOS/iPadOS: 11.0.4 or later.
Android: 1.0.145 or later.

Remote Desktop app:

Android: 10.0.19.1279 or later.

The latest version of:

iOS/iPadOS: Microsoft Authenticator app
Android: Company Portal app, installed in the same profile as Windows App for
personal devices. Both apps must be in the personal profile, or both apps in the
work profile.

There are more Intune prerequisites for configuring app configuration policies, app
protection policies, and Conditional Access policies. For more information, see:
App configuration policies for Microsoft Intune.
How to create and assign app protection policies.
Use app-based Conditional Access policies with Intune.

) Important

Intune mobile application management (MAM) functionality isn't currently
supported on Android 15 by Remote Desktop or Windows App (preview). MAM
runs on older versions of Android. Support for MAM on Android 15 for Windows
App (preview) will be added in an upcoming release.

Create a managed app filter
By creating a managed app filter, you can apply redirection settings only when the
criteria set in the filter are matched, allowing you to narrow the assignment scope of a
policy. If you don't configure a filter, the redirection settings apply to all users. What you
specify in a filter depends on your requirements.

To learn about filters and how to create them, see Use filters when assigning your apps,
policies, and profiles in Microsoft Intune and Managed app filter properties.

Create an app configuration policy for managed devices
For iOS and iPadOS devices that are enrolled only, you need to create an app
configuration policy for managed devices for Windows App. This step isn't needed for
Android.

To create and apply an app configuration policy for managed devices, follow the steps in
Add app configuration policies for managed iOS/iPadOS devices and use the following
settings:

On the Basics tab, for targeted app, select Windows App from the list. You need to
have added the app to Intune from the App Store for it to show in this list.

On the Settings tab, for the Configuration settings format drop-down list, select
Use configuration designer, then enter the following settings exactly as shown:

Configuration key   Value type   Configuration value
IntuneMAMUPN        String       {{userprincipalname}}
IntuneMAMOID        String       {{userid}}
IntuneMAMDeviceID   String       {{deviceID}}

On the Assignments tab, assign the policy to the security group containing the
users to apply the policy to. You must apply the policy to a group of users to have
the policy take effect. For each group, you can optionally select a filter to be more
specific in the app configuration policy targeting.
Create an app configuration policy for
managed apps
You need to create a separate app configuration policy for managed apps for Windows
App (iOS/iPadOS) and the Windows App (preview) or Remote Desktop app (Android),
which enables you to provide configuration settings. Don't configure both Android and
iOS in the same configuration policy or you won't be able to configure policy targeting
based on managed and unmanaged devices.

To create and apply an app configuration policy for managed apps, follow the steps in
App configuration policies for Intune App SDK managed apps and use the following
settings:

On the Basics tab, select Select public apps, then search for and select Remote
Desktop for Android and Windows App for iOS/iPadOS. Select Select custom
apps, then type in com.microsoft.rdc.androidx.beta in the Bundle or Package ID
field under More Apps for Windows App (preview) for Android.

On the Settings tab, expand General configuration settings, then enter the
following name and value pairs for each redirection setting you want to configure
exactly as shown. These values correspond to the RDP properties listed on
Supported RDP properties, but the syntax is different:

Name                Description                                  Value
audiocapturemode    Indicates whether audio input redirection    0: Audio capture from the local device is disabled.
                    is enabled.                                  1: Audio capture from the local device and redirection
                                                                 to an audio application in the remote session is enabled.
camerastoredirect   Determines whether camera redirection is     0: Camera redirection is disabled.
                    enabled.                                     1: Camera redirection is enabled.
drivestoredirect    Determines whether disk drive redirection    0: Disk drive redirection is disabled.
                    is enabled.                                  1: Disk drive redirection is enabled.
redirectclipboard   Determines whether clipboard redirection     0: Clipboard redirection on local device is disabled in
                    is enabled.                                  remote session.
                                                                 1: Clipboard redirection on local device is enabled in
                                                                 remote session.

Here's an example of how the settings should look:

On the Assignments tab, assign the policy to the security group containing the
users to apply the policy to. You must apply the policy to a group of users to have
the policy take effect. For each group, you can optionally select a filter to be more
specific in the app configuration policy targeting.
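To see the "most restrictive setting wins" rule from earlier in this article applied across both syntaxes, here is an added example (not Microsoft's or Intune's code) that parses host pool RDP properties and the app configuration name/value pairs above and reports the effective redirection per setting. The parse and decision functions are mine, as is the assumption that a setting the app configuration policy doesn't mention imposes no client-side restriction.

```python
# Added example (not Microsoft's code): resolves the effective redirection for a
# user by combining host pool RDP properties with the Intune app configuration
# values above, applying the "most restrictive setting wins" rule from this article.
import re

# Settings this article maps between the two syntaxes. RDP property type 'i' is an
# integer flag; type 's' is a string that is empty when nothing is redirected
# (for example drivestoredirect:s: versus drivestoredirect:s:*).
RDP_VALUE_TYPES = {
    "audiocapturemode": "i",
    "camerastoredirect": "s",
    "drivestoredirect": "s",
    "redirectclipboard": "i",
}


def parse_rdp_properties(text: str) -> dict:
    """Parse host pool custom RDP properties (name:type:value items separated by ';').

    A ';' preceded by a backslash is an escaped character inside a value, not a separator.
    """
    props = {}
    for item in re.split(r"(?<!\\);", text):
        item = item.strip()
        if not item:
            continue
        name, vtype, value = item.split(":", 2)
        props[name.lower()] = (vtype, value)
    return props


def host_allows(name: str, host: dict) -> bool:
    """True when the host pool property enables the redirection named by `name`."""
    if name not in host:
        # Assumption for this example: require the host pool to set every property
        # explicitly rather than guessing a service default.
        raise KeyError(f"host pool RDP properties do not set {name}")
    vtype, value = host[name]
    if vtype != RDP_VALUE_TYPES[name]:
        raise ValueError(f"{name} should use type {RDP_VALUE_TYPES[name]}, got {vtype}")
    return int(value) != 0 if vtype == "i" else value != ""


def client_allows(name: str, mam: dict) -> bool:
    """True unless the Intune app configuration policy sets the value to 0.

    Assumption for this example: a name the policy doesn't mention imposes no
    client-side restriction.
    """
    return mam.get(name, "1").strip() != "0"


def effective_redirection(rdp_properties: str, mam: dict) -> dict:
    """Per setting: host, client and effective decision, plus whether only the client blocks.

    'client_only_block' marks settings the host pool still allows; the article warns
    that client-side configuration is not a substitute for host pool configuration.
    """
    host = parse_rdp_properties(rdp_properties)
    report = {}
    for name in RDP_VALUE_TYPES:
        h, c = host_allows(name, host), client_allows(name, mam)
        report[name] = {
            "host": h,
            "client": c,
            "effective": h and c,
            "client_only_block": h and not c,
        }
    return report


# Constructed sample inputs: a host pool that allows everything except the clipboard,
# and an app configuration policy that turns drive redirection off on the device.
SAMPLE_RDP_PROPERTIES = (
    "audiocapturemode:i:1;camerastoredirect:s:*;drivestoredirect:s:*;redirectclipboard:i:0"
)
SAMPLE_MAM_SETTINGS = {"drivestoredirect": "0", "redirectclipboard": "1", "camerastoredirect": "1"}

if __name__ == "__main__":
    for name, decision in effective_redirection(SAMPLE_RDP_PROPERTIES, SAMPLE_MAM_SETTINGS).items():
        flag = "  (blocked only by the client policy)" if decision["client_only_block"] else ""
        print(f"{name:<18} effective={decision['effective']}{flag}")
```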

Create an app protection policy
You need to create a separate app protection policy for Windows App (iOS/iPadOS) and
the Remote Desktop app (Android), which enable you to control how data is accessed
and shared by apps on mobile devices. Don't configure both Android and iOS/iPadOS in
the same protection policy or you won't be able to configure policy targeting based on
managed and unmanaged devices.

To create and apply an app protection policy, follow the steps in How to create and
assign app protection policies and use the following settings.

On the Apps tab, select Select public apps, then search for and select Remote
Desktop for Android and Windows App for iOS/iPadOS. Select Select custom
apps, then type in com.microsoft.rdc.androidx.beta in the Bundle or Package ID
field under More Apps for Windows App (preview) for Android.

On the Data protection tab, only the following settings are relevant to Windows
App and the Remote Desktop app. The other settings don't apply as Windows App
and the Remote Desktop app interact with the session host and not with data in
the app. On mobile devices, unapproved keyboards are a source of keystroke
logging and theft.

For iOS and iPadOS, you can configure the following settings:
Restrict cut, copy, and paste between other apps
Third-party keyboards

For Android, you can configure the following settings:


Restrict cut, copy, and paste between other apps
Screen capture and Google Assistant
Approved keyboards

Tip

If you disable clipboard redirection in an app configuration policy, you should
set Restrict cut, copy, and paste between other apps to Blocked.

On the Conditional launch tab, we recommend you add the following conditions:

Condition                         Condition type     Value                                        Action
Min app version                   App condition      Based on your requirements.                  Block access
Min OS version                    Device condition   Based on your requirements.                  Block access
Primary MTD service               Device condition   Based on your requirements. Your MTD         Block access
                                                     connector must be set up. For Microsoft
                                                     Defender for Endpoint, configure Microsoft
                                                     Defender for Endpoint in Intune.
Max allowed device threat level   Device condition   Secured                                      Block access

For version details, see What's new in Windows App, and What's new in the
Remote Desktop client for Android and Chrome OS.

For more information about the available settings, see Conditional launch in iOS
app protection policy settings and Conditional launch in Android app protection
policy settings.

On the Assignments tab, assign the policy to the security group containing the
users to apply the policy to. You must apply the policy to a group of users to have
the policy take effect. For each group, you can optionally select a filter to be more
specific in the app configuration policy targeting.

Create a Conditional Access policy
Creating a Conditional Access policy enables you to restrict access to a remote session
only when an app protection policy is applied with Windows App and the Remote
Desktop app. If you create a second Conditional Access policy, you can also block access
using a web browser.

To create and apply a Conditional Access policy, follow the steps in Set up app-based
Conditional Access policies with Intune. The following settings provide an example, but
you should adjust them based on your requirements:

1. For the first policy to grant access to a remote session only when an app
protection policy is applied with Windows App and the Remote Desktop app:

For Assignments, include the security group containing the users to apply the
policy to. You must apply the policy to a group of users to have the policy
take effect.

For Target resources, select to apply the policy to Cloud apps, then for
Include, select Select apps. Search for and select Azure Virtual Desktop and
Windows 365. You only have Azure Virtual Desktop in the list if you
registered the Microsoft.DesktopVirtualization resource provider on a
subscription in your Microsoft Entra tenant.

For Conditions:
Select Device platforms, then include iOS and Android.
Select Client apps, then include Mobile apps and desktop clients.

For Access controls, select Grant access, then check the box for Require app
protection policy and select the radio button for Require all the selected
controls.

For Enable policy, set it to On.

2. For the second policy to block access to a remote session using a web browser:
For Assignments, include the security group containing the users to apply the
policy to. You must apply the policy to a group of users to have the policy
take effect.

For Target resources, select to apply the policy to Cloud apps, then for
Include, select Select apps. Search for and select Azure Virtual Desktop and
Windows 365. You only have Azure Virtual Desktop in the list if you
registered the Microsoft.DesktopVirtualization resource provider on a
subscription in your Microsoft Entra tenant. The cloud app for Windows 365
also covers Microsoft Dev Box.

For Conditions:
Select Device platforms, then include iOS and Android.
Select Client apps, then include Browser.

For Access controls, select Block access, then select the radio button for
Require all the selected controls.

For Enable policy, set it to On.

Verify the configuration


Now that you've configured Intune to manage device redirection on personal devices, you
can verify your configuration by connecting to a remote session. What you should test
depends on whether you configured policies to apply to enrolled or unenrolled devices,
which platforms, and the redirection and data protection settings you set. Verify that
the actions you can perform in the session match what you expect.

Known issues
Windows App exits without warning if Company Portal and Windows App aren't
installed in the same profile. Install both apps either in a personal profile or both
apps in a work profile.


Supported RDP properties
Article • 09/27/2024

 Tip

This article is shared for services and products that use the Remote Desktop
Protocol (RDP) to provide remote access to Windows desktops and apps.

The Remote Desktop Protocol (RDP) has a number of properties you can set to
customize the behavior of a remote session, such as for device redirection, display
settings, session behavior, and more.

The following sections list each available RDP property with its syntax,
description, supported values, default value, and the services and products whose
connections you can use it with.

How you use these RDP properties depends on the service or product you're using:

Product | Configuration point
--- | ---
Azure Virtual Desktop | Host pool RDP properties. To learn more, see Customize RDP properties for a host pool.
Remote Desktop Services | Session collection RDP properties
Remote PC connections | The .rdp file you use to connect to a remote PC.

Note

For each RDP property, replace <value> with an allowed value for that property.

Connections
Here are the RDP properties that you can use to configure connections.

alternate full address

Syntax: alternate full address:s:<value>
Description: Specifies an alternate name or IP address of the remote computer.
Supported values:
A valid hostname, IPv4 address, or IPv6 address.
Default value: None.
Applies to:
Remote Desktop Services
Remote PC connections

alternate shell

Syntax: alternate shell:s:<value>
Description: Specifies a program to be started automatically in a remote session as
the shell instead of explorer.
Supported values:
A valid path to an executable file, such as C:\Program Files\MyApp\myapp.exe.
Default value: None.
Applies to:
Azure Virtual Desktop
Remote Desktop Services
Remote PC connections

authentication level

Syntax: authentication level:i:<value>
Description: Defines the server authentication level settings.
Supported values:
0 : If server authentication fails, connect to the computer without warning.
1 : If server authentication fails, don't establish a connection.
2 : If server authentication fails, show a warning, and choose to connect or
refuse the connection.
3 : No authentication requirement specified.

Default value: 3
Applies to:
Remote Desktop Services
Remote PC connections

disableconnectionsharing

Syntax: disableconnectionsharing:i:<value>
Description: Determines whether the client reconnects to any existing
disconnected session or initiates a new connection when a new connection is
launched.
Supported values:
0 : Reconnect to any existing session.
1 : Initiate a new connection.

Default value: 0
Applies to:
Remote Desktop Services

domain

Syntax: domain:s:<value>
Description: Specifies the name of the Active Directory domain in which the user
account that will be used to sign in to the remote computer is located.
Supported values:
A valid domain name, such as CONTOSO.
Default value: None.
Applies to:
Remote Desktop Services
Remote PC connections

enablecredsspsupport

Syntax: enablecredsspsupport:i:<value>
Description: Determines whether the client will use the Credential Security Support
Provider (CredSSP) for authentication if it's available.
Supported values:
0 : RDP won't use CredSSP, even if the operating system supports CredSSP.
1 : RDP will use CredSSP if the operating system supports CredSSP.

Default value: 1
Applies to:
Azure Virtual Desktop
Remote Desktop Services
Remote PC connections

enablerdsaadauth

Syntax: enablerdsaadauth:i:<value>
Description: Determines whether the client will use Microsoft Entra ID to
authenticate to the remote PC. When used with Azure Virtual Desktop, this
provides a single sign-on experience. This property replaces the property
targetisaadjoined.
Supported values:
0 : Connections won't use Microsoft Entra authentication, even if the remote PC
supports it.
1 : Connections will use Microsoft Entra authentication if the remote PC
supports it.
Default value: 0
Applies to:
Azure Virtual Desktop
Remote Desktop Services
Remote PC connections

full address

Syntax: full address:s:<value>
Description: Specifies the hostname or IP address of the remote computer that
you want to connect to. This is the only mandatory property in a .rdp file.
Supported values:
A valid hostname, IPv4 address, or IPv6 address.
Default value: None.
Applies to:
Remote Desktop Services
Remote PC connections

gatewaycredentialssource

Syntax: gatewaycredentialssource:i:<value>
Description: Specifies the authentication method used for Remote Desktop
gateway connections.
Supported values:
0 : Ask for password (NTLM).
1 : Use smart card.
2 : Use the credentials for the currently signed in user.
3 : Prompt the user for their credentials and use basic authentication.
4 : Allow user to select later.
5 : Use cookie-based authentication.

Default value: 0
Applies to:
Remote Desktop Services

gatewayhostname

Syntax: gatewayhostname:s:<value>
Description: Specifies the host name of a Remote Desktop gateway.
Supported values:
A valid hostname, IPv4 address, or IPv6 address.
Default value: None.
Applies to:
Remote Desktop Services

gatewayprofileusagemethod

Syntax: gatewayprofileusagemethod:i:<value>
Description: Specifies whether to use the default Remote Desktop gateway
settings.
Supported values:
0 : Use the default profile mode, as specified by the administrator.
1 : Use explicit settings, as specified by the user.

Default value: 0
Applies to:
Remote Desktop Services

gatewayusagemethod

Syntax: gatewayusagemethod:i:<value>
Description: Specifies whether to use a Remote Desktop gateway for the
connection.
Supported values:
0 : Don't use a Remote Desktop gateway.
1 : Always use a Remote Desktop gateway.
2 : Use a Remote Desktop gateway if a direct connection can't be made to the
RD Session Host.
3 : Use the default Remote Desktop gateway settings.
4 : Don't use a Remote Desktop gateway, bypass gateway for local addresses.
Setting this property value to 0 or 4 is effectively equivalent, but 4 enables
the option to bypass local addresses.
Default value: 0
Applies to:
Remote Desktop Services

kdcproxyname

Syntax: kdcproxyname:s:<value>
Description: Specifies the fully qualified domain name of a KDC proxy.
Supported values:
A valid path to a KDC proxy server, such as kdc.contoso.com.
Default value: None.
Applies to:
Azure Virtual Desktop. For more information, see Configure a Kerberos Key
Distribution Center proxy.

promptcredentialonce

Syntax: promptcredentialonce:i:<value>
Description: Determines whether a user's credentials are saved and used for both
the Remote Desktop gateway and the remote computer.
Supported values:
0 : Remote session doesn't use the same credentials.
1 : Remote session does use the same credentials.

Default value: 1
Applies to:
Remote Desktop Services

targetisaadjoined

Syntax: targetisaadjoined:i:<value>
Description: Allows connections to Microsoft Entra joined session hosts using a
username and password. This property is only applicable to non-Windows clients
and local Windows devices that aren't joined to Microsoft Entra. It is being
replaced by the property enablerdsaadauth.
Supported values:
0 : Connections to Microsoft Entra joined session hosts will succeed for
Windows devices that meet the requirements, but other connections will fail.
1 : Connections to Microsoft Entra joined hosts will succeed but are restricted to
entering user name and password credentials when connecting to session hosts.
Default value: 0
Applies to:
Azure Virtual Desktop. For more information, see Microsoft Entra joined session
hosts in Azure Virtual Desktop.

username

Syntax: username:s:<value>
Description: Specifies the name of the user account that will be used to sign in to
the remote computer.
Supported values:
Any valid username.
Default value: None.
Applies to:
Remote Desktop Services

Session behavior
Here are the RDP properties that you can use to configure session behavior.

autoreconnection enabled

Syntax: autoreconnection enabled:i:<value>
Description: Determines whether the local device will automatically try to
reconnect to the remote computer if the connection is dropped, such as when
there's a network connectivity interruption.
Supported values:
0 : The local device doesn't automatically try to reconnect.
1 : The local device automatically tries to reconnect.

Default value: 1
Applies to:
Azure Virtual Desktop
Remote Desktop Services
Remote PC connections

bandwidthautodetect

Syntax: bandwidthautodetect:i:<value>
Description: Determines whether or not to use automatic network bandwidth
detection.
Supported values:
0 : Don't use automatic network bandwidth detection.
1 : Use automatic network bandwidth detection.

Default value: 1
Applies to:
Azure Virtual Desktop
Remote Desktop Services
Remote PC connections

compression

Syntax: compression:i:<value>
Description: Determines whether bulk compression is enabled when transmitting
data to the local device.
Supported values:
0 : Disable bulk compression.
1 : Enable RDP bulk compression.

Default value: 1
Applies to:
Azure Virtual Desktop
Remote Desktop Services
Remote PC connections

networkautodetect

Syntax: networkautodetect:i:<value>
Description: Determines whether automatic network type detection is enabled.
Supported values:
0 : Disable automatic network type detection.
1 : Enable automatic network type detection.

Default value: 1
Applies to:
Azure Virtual Desktop
Remote Desktop Services
Remote PC connections

videoplaybackmode

Syntax: videoplaybackmode:i:<value>
Description: Determines whether the connection will use RDP-efficient multimedia
streaming for video playback.
Supported values:
0 : Don't use RDP efficient multimedia streaming for video playback.
1 : Use RDP-efficient multimedia streaming for video playback when possible.

Default value: 1
Applies to:
Azure Virtual Desktop
Remote Desktop Services
Remote PC connections

Device redirection
Here are the RDP properties that you can use to configure device redirection. To learn
more, see Redirection over the Remote Desktop Protocol.

audiocapturemode

Syntax: audiocapturemode:i:<value>
Description: Indicates whether audio input redirection is enabled.
Supported values:
0 : Disable audio capture from a local device.
1 : Enable audio capture from a local device and redirect it to a remote session.

Default value: 0
Applies to:
Azure Virtual Desktop
Remote Desktop Services
Remote PC connections

To learn how to use this property, see Configure audio and video redirection over the
Remote Desktop Protocol.

audiomode

Syntax: audiomode:i:<value>
Description: Determines whether the local or remote machine plays audio.
Supported values:
0 : Play sounds on the local device.
1 : Play sounds in a remote session.
2 : Don't play sounds.

Default value: 0
Applies to:
Azure Virtual Desktop
Remote Desktop Services
Remote PC connections

To learn how to use this property, see Configure audio and video redirection over the
Remote Desktop Protocol.

camerastoredirect

Syntax: camerastoredirect:s:<value>
Description: Configures which cameras to redirect. This setting uses a semicolon-
delimited list of KSCATEGORY_VIDEO_CAMERA interfaces of cameras enabled for
redirection.
Supported values:
* : Redirect all cameras.
\\?\usb#vid_0bda&pid_58b0&mi : Specifies a list of cameras by device instance
path, such as this example.
- : Exclude a specific camera by prepending the symbolic link string.

Default value: None.


Applies to:
Azure Virtual Desktop
Remote Desktop Services
Remote PC connections

To learn how to use this property, see Configure camera, webcam, and video capture
redirection over the Remote Desktop Protocol.

devicestoredirect

Syntax: devicestoredirect:s:<value>
Description: Determines which peripherals that use the Media Transfer Protocol
(MTP) or Picture Transfer Protocol (PTP), such as a digital camera, are redirected
from a local Windows device to a remote session.
Supported values:
* : Redirect all supported devices, including ones that are connected later.
\\?\usb#vid_0bda&pid_58b0&mi : Specifies a list of MTP or PTP peripherals by
device instance path, such as this example.
DynamicDevices : Redirect all supported devices that are connected later.
Default value: *
Applies to:
Azure Virtual Desktop
Remote Desktop Services
Remote PC connections

To learn how to use this property, see Configure Media Transfer Protocol and Picture
Transfer Protocol redirection on Windows over the Remote Desktop Protocol.

drivestoredirect

Syntax: drivestoredirect:s:<value>
Description: Determines which fixed, removable, and network drives on the local
device will be redirected and available in a remote session.
Supported values:
Empty: Don't redirect any drives.
* : Redirect all drives, including drives that are connected later.
DynamicDrives : Redirect any drives that are connected later.
drivestoredirect:s:C:\;E:\; : Redirect the specified drive letters for one or
more drives, such as this example.
Default value: *
Applies to:
Azure Virtual Desktop
Remote Desktop Services
Remote PC connections

To learn how to use this property, see Configure fixed, removable, and network drive
redirection over the Remote Desktop Protocol.

encode redirected video capture

Syntax: encode redirected video capture:i:<value>
Description: Enables or disables encoding of redirected video.
Supported values:
0 : Disable encoding of redirected video.
1 : Enable encoding of redirected video.

Default value: 1
Applies to:
Azure Virtual Desktop
Remote Desktop Services
Remote PC connections

To learn how to use this property, see Configure camera, webcam, and video capture
redirection over the Remote Desktop Protocol.

keyboardhook

Syntax: keyboardhook:i:<value>
Description: Determines whether Windows key combinations (Windows, Alt + Tab)
are applied to a remote session.
Supported values:
0 : Windows key combinations are applied on the local device.
1 : (Desktop sessions only) Windows key combinations are applied on the
remote computer when in focus.
2 : (Desktop sessions only) Windows key combinations are applied on the
remote computer in full screen mode only.
3 : (RemoteApp sessions only) Windows key combinations are applied on the
RemoteApp when in focus. We recommend you use this value only when
publishing the Remote Desktop Connection app (mstsc.exe) from the host pool
on Azure Virtual Desktop. This value is only supported when using the Windows
client.
Default value: 2
Applies to:
Azure Virtual Desktop
Remote Desktop Services
Remote PC connections

redirectclipboard

Syntax: redirectclipboard:i:<value>
Description: Determines whether to redirect the clipboard.
Supported values:
0 : Clipboard on local device isn't available in remote session.
1 : Clipboard on local device is available in remote session.

Default value: 1
Applies to:
Azure Virtual Desktop
Remote Desktop Services
Remote PC connections

To learn how to use this property, see Configure clipboard redirection over the Remote
Desktop Protocol.

redirectcomports

Syntax: redirectcomports:i:<value>
Description: Determines whether serial or COM ports on the local device are
redirected to a remote session.
Supported values:
0 : Serial or COM ports on the local device aren't available in a remote session.
1 : Serial or COM ports on the local device are available in a remote session.

Default value: 1
Applies to:
Azure Virtual Desktop
Remote Desktop Services
Remote PC connections

To learn how to use this property, see Configure serial or COM port redirection over the
Remote Desktop Protocol.

redirected video capture encoding quality

Syntax: redirected video capture encoding quality:i:<value>
Description: Controls the quality of encoded video.
Supported values:
0 : High compression video. Quality may suffer when there's a lot of motion.
1 : Medium compression.
2 : Low compression video with high picture quality.

Default value: 0
Applies to:
Azure Virtual Desktop
Remote Desktop Services
Remote PC connections

To learn how to use this property, see Configure camera, webcam, and video capture
redirection over the Remote Desktop Protocol.

redirectlocation

Syntax: redirectlocation:i:<value>
Description: Determines whether the location of the local device is redirected to a
remote session.
Supported values:
0 : A remote session uses the location of the remote computer or virtual
machine.
1 : A remote session uses the location of the local device.

Default value: 0
Applies to:
Azure Virtual Desktop
Remote Desktop Services
Remote PC connections

To learn how to use this property, see Configure location redirection over the Remote
Desktop Protocol.

redirectprinters

Syntax: redirectprinters:i:<value>
Description: Determines whether printers available on the local device are
redirected to a remote session.
Supported values:
0 : The printers on the local device aren't redirected to a remote session.
1 : The printers on the local device are redirected to a remote session.

Default value: 1
Applies to:
Azure Virtual Desktop
Remote Desktop Services
Remote PC connections

To learn how to use this property, see Configure printer redirection over the Remote
Desktop Protocol.

redirectsmartcards

Syntax: redirectsmartcards:i:<value>
Description: Determines whether smart card devices on the local device will be
redirected and available in a remote session.
Supported values:
0 : Smart cards on the local device aren't redirected to a remote session.
1 : Smart cards on the local device are redirected to a remote session.

Default value: 1
Applies to:
Azure Virtual Desktop
Remote Desktop Services
Remote PC connections

To learn how to use this property, see Configure smart card redirection over the Remote
Desktop Protocol.

redirectwebauthn

Syntax: redirectwebauthn:i:<value>
Description: Determines whether WebAuthn requests from a remote session are
redirected to the local device allowing the use of local authenticators (such as
Windows Hello for Business and security keys).
Supported values:
0 : WebAuthn requests from a remote session aren't sent to the local device for
authentication and must be completed in the remote session.
1 : WebAuthn requests from a remote session are sent to the local device for
authentication.
Default value: 1
Applies to:
Azure Virtual Desktop
Remote Desktop Services
Remote PC connections

To learn how to use this property, see Configure WebAuthn redirection over the Remote
Desktop Protocol.

usbdevicestoredirect

Syntax: usbdevicestoredirect:s:<value>
Description: Determines which supported USB devices on the client computer are
redirected using opaque low-level redirection to a remote session.
Supported values:
* : Redirect all USB devices that aren't already redirected by high-level
redirection.
{*Device Setup Class GUID*} : Redirect all devices that are members of the
specified device setup class.
*USBInstanceID* : Redirect a specific USB device identified by the instance ID.

Default value: *
Applies to:
Azure Virtual Desktop
Remote Desktop Services
Remote PC connections

To learn how to use this property, see Configure USB redirection on Windows over the
Remote Desktop Protocol.
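To make the name:type:value syntax and the redirection defaults above concrete, here is an added Python example (not Microsoft's code) that parses a host pool RDP property string or .rdp file contents, validates integer values against the documented sets, applies the documented defaults, and reports which data-moving redirections remain open, along with a serialized form with those redirections closed. The SAMPLE string and the list of which properties count as data-moving are assumptions made for this example.

```python
"""Check an Azure Virtual Desktop host pool RDP property string (or .rdp file
contents) against the name:type:value syntax in this reference and report which
device redirections the effective configuration leaves open.
Added example, not Microsoft's code: property names, types, allowed values and
defaults are taken from the reference above; which settings count as
"data-moving", and the SAMPLE string, are this example's own assumptions."""
import re

# Property name -> (type letter, allowed integer values; None for string values).
SPEC = {
    "authentication level": ("i", {0, 1, 2, 3}),
    "enablerdsaadauth": ("i", {0, 1}),
    "audiocapturemode": ("i", {0, 1}),
    "redirectclipboard": ("i", {0, 1}),
    "redirectcomports": ("i", {0, 1}),
    "redirectprinters": ("i", {0, 1}),
    "redirectsmartcards": ("i", {0, 1}),
    "devicestoredirect": ("s", None),
    "drivestoredirect": ("s", None),
    "usbdevicestoredirect": ("s", None),
}
# Documented defaults, applied to anything the administrator leaves unset.
DEFAULTS = {
    "authentication level": "3", "enablerdsaadauth": "0", "audiocapturemode": "0",
    "redirectclipboard": "1", "redirectcomports": "1", "redirectprinters": "1",
    "redirectsmartcards": "1", "devicestoredirect": "*", "drivestoredirect": "*",
    "usbdevicestoredirect": "*",
}
# Redirections that move files or data between the local device and the session
# (an assumption for this example; which to close is a per-deployment decision).
DATA_MOVING = {
    "redirectclipboard": lambda v: v == "1",
    "redirectprinters": lambda v: v == "1",
    "redirectcomports": lambda v: v == "1",
    "drivestoredirect": lambda v: v != "",
    "devicestoredirect": lambda v: v != "",
    "usbdevicestoredirect": lambda v: v != "",
}
# name:type:value, where the type letter is i (integer) or s (string).
PROP_RE = re.compile(r"^([a-z][a-z ]*?):([is]):(.*)$")


def split_entries(text):
    """Split on ';' and newlines, re-joining fragments that are not entries
    themselves so a value like C:\\;E:\\ (drivestoredirect) survives intact.
    A trailing ';' inside such a value is dropped."""
    entries = []
    for frag in (f.strip() for f in re.split(r"[;\r\n]", text)):
        if not frag:
            continue
        if PROP_RE.match(frag) or not entries:
            entries.append(frag)
        else:
            entries[-1] += ";" + frag
    return entries


def parse_rdp_properties(text):
    """Return ({name: (type, value)}, [syntax errors]) for a host pool property
    string or the contents of a .rdp file (one property per line)."""
    props, errors = {}, []
    for entry in split_entries(text):
        m = PROP_RE.match(entry)
        if not m:
            errors.append(f"unparseable entry: {entry!r}")
            continue
        name, typ, value = m.groups()
        if name in SPEC:
            want, allowed = SPEC[name]
            if typ != want:
                errors.append(f"{name}: expected type {want}, got {typ}")
            elif typ == "i" and (not value.isdigit() or int(value) not in allowed):
                errors.append(f"{name}: {value!r} not one of {sorted(allowed)}")
        props[name] = (typ, value)
    return props, errors


def open_redirections(props):
    """Names of data-moving redirections left open once defaults are applied."""
    eff = dict(DEFAULTS)
    eff.update({n: v for n, (_, v) in props.items()})
    return sorted(n for n, is_open in DATA_MOVING.items() if is_open(eff[n]))


def hardened_property_string(props):
    """Serialize props with every data-moving redirection closed: integer
    properties set to 0, string lists set to empty ("redirect nothing")."""
    out = dict(props)
    for name in DATA_MOVING:
        out[name] = (SPEC[name][0], "0" if SPEC[name][0] == "i" else "")
    return ";".join(f"{n}:{t}:{v}" for n, (t, v) in sorted(out.items()))


# Constructed sample: two drive letters redirected, clipboard closed, printers
# open, and an out-of-range authentication level the parser should reject.
SAMPLE = ("drivestoredirect:s:C:\\;E:\\;redirectclipboard:i:0;redirectprinters:i:1;"
          "enablerdsaadauth:i:1;audiocapturemode:i:1;authentication level:i:7;"
          "usbdevicestoredirect:s:")
```

Properties the parser does not know (for example display settings) pass through untouched, so the output string can be fed back into a host pool's custom RDP properties unchanged apart from the closed redirections.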

Display settings
Here are the RDP properties that you can use to configure display settings.

desktop size id

Syntax: desktop size id:i:<value>
Description: Specifies the dimensions of a remote session desktop from a set of
predefined options. This setting is overridden if desktopheight and desktopwidth
are specified.
Supported values:
0 : 640×480
1 : 800×600
2 : 1024×768
3 : 1280×1024
4 : 1600×1200

Default value: None. Match the local device.
Applies to:
Azure Virtual Desktop
Remote Desktop Services
Remote PC connections

desktopheight

Syntax: desktopheight:i:<value>
Description: Specifies the resolution height (in pixels) of a remote session.
Supported values:
Numerical value between 200 and 8192 .
Default value: None. Match the local device.
Applies to:
Azure Virtual Desktop
Remote Desktop Services
Remote PC connections

desktopscalefactor

Syntax: desktopscalefactor:i:<value>
Description: Specifies the scale factor of the remote session to make the content
appear larger.
Supported values:
Numerical value from the following list: 100, 125, 150, 175, 200, 250, 300, 400,
500

Default value: None. Match the local device.
Applies to:
Azure Virtual Desktop
Remote Desktop Services
Remote PC connections

Note

The desktopscalefactor property is being deprecated and will soon be unavailable.

desktopwidth

Syntax: desktopwidth:i:<value>
Description: Specifies the resolution width (in pixels) of a remote session.
Supported values:
Numerical value between 200 and 8192 .
Default value: None. Match the local device.
Applies to:
Azure Virtual Desktop
Remote Desktop Services
Remote PC connections

dynamic resolution

Syntax: dynamic resolution:i:<value>
Description: Determines whether the resolution of a remote session is
automatically updated when the local window is resized.
Supported values:
0 : Session resolution remains static during the session.
1 : Session resolution updates as the local window resizes.

Default value: 1
Applies to:
Azure Virtual Desktop
Remote Desktop Services
Remote PC connections

maximizetocurrentdisplays

Syntax: maximizetocurrentdisplays:i:<value>
Description: Determines which displays a remote session uses for full screen
when maximizing. Requires use multimon set to 1. Only available on Windows
App for Windows and the Remote Desktop app for Windows.
Supported values:
0 : Session is full screen on the displays initially selected when maximizing.
1 : Session is dynamically full screen on the displays the session window spans
when maximizing.
Default value: 0
Applies to:
Azure Virtual Desktop
Remote Desktop Services
Remote PC connections

screen mode id

Syntax: screen mode id:i:<value>
Description: Determines whether a remote session window appears full screen
when you launch the connection.
Supported values:
1 : A remote session appears in a window.
2 : A remote session appears full screen.

Default value: 2
Applies to:
Azure Virtual Desktop
Remote Desktop Services
Remote PC connections

selectedmonitors

Syntax: selectedmonitors:s:<value>
Description: Specifies which local displays to use in a remote session. The selected
displays must be contiguous. Requires use multimon set to 1 . Only available on
Windows App for Windows, the Remote Desktop app for Windows, and the inbox
Remote Desktop Connection app on Windows.
Supported values:
A comma separated list of machine-specific display IDs. You can retrieve
available IDs by running mstsc.exe /l from the command line. The first ID listed
is set as the primary display in a remote session.
Default value: None. All displays are used.
Applies to:
Azure Virtual Desktop
Remote Desktop Services
Remote PC connections

singlemoninwindowedmode

Syntax: singlemoninwindowedmode:i:<value>
Description: Determines whether a multi display remote session automatically
switches to single display when exiting full screen. Requires use multimon set to 1.
Only available on Windows App for Windows and the Remote Desktop app for
Windows.
Supported values:
0 : A remote session retains all displays when exiting full screen.
1 : A remote session switches to a single display when exiting full screen.

Default value: 0
Applies to:
Azure Virtual Desktop
Remote Desktop Services
Remote PC connections

smart sizing

Syntax: smart sizing:i:<value>
Description: Determines whether the local device scales the content of the remote
session to fit the window size.
Supported values:
0 : The local window content doesn't scale when resized.
1 : The local window content does scale when resized.

Default value: 0
Applies to:
Azure Virtual Desktop
Remote Desktop Services
Remote PC connections

use multimon

Syntax: use multimon:i:<value>
Description: Determines whether the remote session will use one or multiple
displays from the local device.
Supported values:
0 : A remote session uses a single display.
1 : A remote session uses multiple displays.

Default value: 1
Applies to:
Azure Virtual Desktop
Remote Desktop Services
Remote PC connections

RemoteApp
Here are the RDP properties that you can use to configure RemoteApp behavior for
Remote Desktop Services.

remoteapplicationcmdline

Syntax: remoteapplicationcmdline:s:<value>
Description: Optional command line parameters for the RemoteApp.
Supported values:
Valid command-line parameters for the application.
Default value: None.
Applies to:
Remote Desktop Services

remoteapplicationexpandcmdline

Syntax: remoteapplicationexpandcmdline:i:<value>
Description: Determines whether environment variables contained in the
RemoteApp command line parameters should be expanded locally or remotely.
Supported values:
0 : Environment variables should be expanded to the values of the local device.
1 : Environment variables should be expanded to the values of the remote
session.
Default value: 1
Applies to:
Remote Desktop Services

remoteapplicationexpandworkingdir

Syntax: remoteapplicationexpandworkingdir:i:<value>
Description: Determines whether environment variables contained in the
RemoteApp working directory parameter should be expanded locally or remotely.
Supported values:
0 : Environment variables should be expanded to the values of the local device.
1 : Environment variables should be expanded to the values of the remote
session.
The RemoteApp working directory is specified through the shell working
directory parameter.
Default value: 1
Applies to:
Remote Desktop Services

remoteapplicationfile

Syntax: remoteapplicationfile:s:<value>
Description: Specifies a file to be opened in the remote session by the RemoteApp.
For local files to be opened, you must also enable drive redirection for the source
drive.
Supported values:
A valid file path in the remote session.
Default value: None.
Applies to:
Remote Desktop Services

remoteapplicationicon

Syntax: remoteapplicationicon:s:<value>
Description: Specifies the icon file to be displayed in Windows App or the Remote
Desktop app while launching a RemoteApp. If no file name is specified, the client
will use the standard Remote Desktop icon. Only .ico files are supported.
Supported values:
A valid file path to an .ico file.
Default value: None.
Applies to:
Remote Desktop Services

remoteapplicationmode

Syntax: remoteapplicationmode:i:<value>
Description: Determines whether a connection is started as a RemoteApp session.
Supported values:
0 : Don't launch a RemoteApp session.
1 : Launch a RemoteApp session.

Default value: 1
Applies to:
Remote Desktop Services

remoteapplicationname

Syntax: remoteapplicationname:s:<value>
Description: Specifies the name of the RemoteApp in Windows App or the Remote
Desktop app while starting the RemoteApp.
Supported values:
A valid application display name, for example Microsoft Excel.
Default value: None.
Applies to:
Remote Desktop Services

remoteapplicationprogram

Syntax: remoteapplicationprogram:s:<value>
Description: Specifies the alias or executable name of the RemoteApp.
Supported values:
A valid application name or alias, for example EXCEL.
Default value: None.
Applies to:
Remote Desktop Services


Printing on Azure Virtual Desktop using
Universal Print
Article • 04/27/2023

Note

The improvements described in this article apply to Windows 11 multi-session
22H2 and later. Windows 10 users and users on older Windows 11 versions will still
experience the issues described in the Universal Print Known Issues article.

Experience improvements
The improvements made in Windows 11 22H2 address user experience issues on Azure
Virtual Desktop. There are three major improvements to the print scenario:

Printers are installed as part of the user profile

Instead of printers being installed as a machine-wide resource (i.e., all installed printers
are visible to all users who sign in to the VM), each user sees only the printers they
install.

Printers roam with user profiles

When user profiles are configured to roam (e.g. using FSLogix), printers that the user
installs on one VM will be automatically installed on other VMs the user signs into. This
behavior also works when users remove printers from their profile.

Location-based printer search uses the local device location

Instead of finding printers close to the location of the VM where the user is signed in,
location-based printer search will find printers based on the device the user is
connecting from. This requires the location override functionality to be enabled.

Relevant information and caveats

Location override configuration

To enable location-based printer search using the AVD client location, location services
must be configured on all VMs as follows:

1. Open the Settings app in Windows and go to Privacy & security.
2. In the App permissions section, click Location.
3. Enable Location services.
4. Enable Allow location override.

Printer redirection
Printer redirection affects whether the printers installed on the PC the user is connecting
from will be available in the remote session. While there is no recommended setting,
this configuration affects the printers that will be available to the user in the remote
session. Therefore, the admin should decide what the correct configuration is for their
users.

Configure printer redirection

1. Go to https://portal.azure.com
2. Under Azure services, click Azure Virtual Desktop.
3. Click on Host pools and click on the host pool you would like to configure.
4. On the host pool configuration page, click on RDP Properties, then click on Device
redirection.
5. Choose your preferred printer redirection setting.

Note

Printer redirection affects the default printer behavior. When you choose to have printers on the local computer be available in the remote session, the default printer on the local computer will become the default printer in the remote session.

Printing preferences and printer properties
Printing preferences are the options the user chooses every time they print. Depending on what the printer supports, this could be things like paper size, stapling, color vs. greyscale, etc. When a user sets their printing preferences defaults, these user preferences roam with the user across different session hosts.

Printer properties are the configuration of a printer on a particular PC. These are things
like the printer driver, the ports where the printer is installed on this PC, and other
printer settings. This configuration is machine-specific, and does not roam with the user
across session hosts.

Known issues

Removing a printer while multiple users are signed in
When a user removes a printer, that printer gets removed from other users who installed it, if they are signed in to the same VM as the user who removed that printer.

See also
Universal Print discussions on the Microsoft Tech Community at https://aka.ms/UPDiscussion.

Connect to Azure Virtual Desktop with thin clients
Article • 05/23/2024

Several partners offer thin clients you can use to connect to Azure Virtual Desktop and access your desktops and applications. This article provides links to those partners, where you can read more about connecting to Azure Virtual Desktop. You can also use a web browser on a thin client to access Azure Virtual Desktop using the web client.

You can find a list of all the Remote Desktop clients at Remote Desktop clients overview.

Partner thin client devices
The following partners have thin client devices that have been approved to use with Azure Virtual Desktop. Visit their documentation to learn how to connect to Azure Virtual Desktop with thin clients.

Partner | Partner documentation | Partner support
10ZiG | 10ZiG client documentation | 10ZiG support
Dell | Dell client documentation | Dell support
HP | HP client documentation | HP support
IGEL | IGEL client documentation | IGEL support
NComputing | NComputing client documentation | NComputing support
Stratodesk | Stratodesk client documentation | Stratodesk support
Unicon | Unicon documentation | Unicon support

Important

If you encounter an issue when trying to connect to Azure Virtual Desktop, you must verify whether it's unique to your approved partner thin client. You can verify whether this is a unique issue by trying to reproduce it on any first-party Remote Desktop client. If you can't reproduce the issue on a first-party client, then you must contact your client's provider for support.

Next steps
Learn more about Remote Desktop clients at Remote Desktop clients overview.


Estimate Azure Virtual Desktop monitoring costs
Article • 09/12/2023

Azure Virtual Desktop uses the Azure Monitor Logs service to collect, index, and store
data generated by your environment. Because of this, the Azure Monitor pricing model
is based on the amount of data that's brought into and processed (or "ingested") by
your Log Analytics workspace in gigabytes per day. The cost of a Log Analytics
workspace isn't only based on the volume of data collected, but also which Azure
payment plan you've selected and how long you choose to store the data your
environment generates.

This article will explain the following things to help you understand how pricing in Azure
Monitor works:

How to estimate data ingestion and storage costs upfront before you enable this
feature
How to measure and control your ingestion and storage to reduce costs when
using this feature

Note

All sizes and pricing listed in this article are just examples to demonstrate how estimation works. For a more accurate assessment based on your Azure Monitor Log Analytics pricing model and Azure region, see Azure Monitor pricing.

Estimate data ingestion and storage costs
We recommend you use a predefined set of data written as logs in your Log Analytics workspace. In the following example estimates, we'll look at billable data in the default configuration.

The predefined datasets for Azure Virtual Desktop Insights include:

Performance counters from the session hosts
Windows Event Logs from the session hosts
Azure Virtual Desktop diagnostics from the service infrastructure

Your data ingestion and storage costs depend on your environment size, health, and usage. The example estimates in this article are based on healthy virtual machines running light to power usage, sized according to our virtual machine sizing guidelines, and give a range of data ingestion and storage costs you could expect.

The light usage VM we'll be using in our example includes the following components:

4 vCPUs, 1 disk
16 sessions per day
An average session duration of 2 hours (120 minutes)
100 processes per session

The power usage VM we'll be using in our example includes the following components:

6 vCPUs, 1 disk
6 sessions per day
Average session duration of 4 hours (240 minutes)
200 processes per session

Estimating performance counter ingestion
Performance counters show how the system resources are performing. Performance counter data ingestion depends on your environment size and usage. In most cases, performance counters should make up 80 to 99% of your data ingestion for Azure Virtual Desktop Insights.

Before you start estimating, it’s important that you understand that each performance
counter sends data at a specific frequency. We set a default sample rate-per-minute
(you can also edit this rate in your settings), but that rate will be applied at different
multiplying factors depending on the counter. The following factors affect the rate:

For the per virtual machine (VM) factor, each counter sends data per VM in your
environment at the default sample rate per minute while the VM is running. You
can estimate the number of records these counters send per day by multiplying
the default sample rate per minute by the number of VMs in your environment,
then multiplying that number by the average VM running time per day.

To summarize:

Default sample rate per minute × number of VMs × average VM running time per day = number of records sent per day

For the per CPU factor, each counter sends at the default sample rate per minute
per vCPU in each VM in your environment while the VM is running. You can
estimate the number of records the counters will send per day by multiplying the
default sample rate per minute by the number of CPU cores in the VM SKU, then
multiplying that number by the number of minutes the VM runs and the number
of VMs in your environment.

To summarize:

Default sample rate per minute × number of CPU cores in the VM SKU × number
of minutes the VM runs × number of VMs = number of records sent per day

For the per disk factor, each counter sends data at the default sample rate for each
disk in each VM in your environment. The number of records these counters will
send per day equals the default sample rate per minute multiplied by number of
disks in the VM SKU, multiplied by 60 minutes per hour, and finally multiplied by
the average active hours for a VM.

To summarize:

Default sample rate per minute × number of disks in VM SKU × 60 minutes per
hour × number of VMs × average VM running time per day = number of records
sent per day

For the per session factor, each counter sends data at the default sample rate for each session in your environment while the session is connected. You can estimate the number of records these counters will send per day by multiplying the default sample rate per minute by the average number of sessions per day and the average session duration.

To summarize:

Default sample rate per minute × sessions per day × average session duration =
number of records sent per day

For the per-process factor, each counter sends data at the default rate for each
process in each session in your environment. You can estimate the number of
records these counters will send per day by multiplying the default sample rate per
minute by the average number of sessions per day, then multiplying that by the
average session duration and the average number of processes per session.

To summarize:

Default sample rate per minute × sessions per day × average session duration ×
average number of processes per session = number of records sent per day

The following table lists the 20 performance counters Azure Virtual Desktop Insights collects and their default rates:

Counter name | Default sample rate | Frequency factor
Logical Disk(C:)\% free space | 60 seconds | Per disk
Logical Disk(C:)\Avg. Disk Queue Length | 30 seconds | Per disk
Logical Disk(C:)\Avg. Disk sec/Transfer | 60 seconds | Per disk
Logical Disk(C:)\Current Disk Queue Length | 30 seconds | Per disk
Memory(*)\Available Mbytes | 30 seconds | Per VM
Memory(*)\Page Faults/sec | 30 seconds | Per VM
Memory(*)\Pages/sec | 30 seconds | Per VM
Memory(*)\% Committed Bytes in Use | 30 seconds | Per VM
PhysicalDisk(*)\Avg. Disk Queue Length | 30 seconds | Per disk
PhysicalDisk(*)\Avg. Disk sec/Read | 30 seconds | Per disk
PhysicalDisk(*)\Avg. Disk sec/Transfer | 30 seconds | Per disk
PhysicalDisk(*)\Avg. Disk sec/Write | 30 seconds | Per disk
Processor Information(_Total)\% Processor Time | 30 seconds | Per core/CPU
Terminal Services(*)\Active Sessions | 60 seconds | Per VM
Terminal Services(*)\Inactive Sessions | 60 seconds | Per VM
Terminal Services(*)\Total Sessions | 60 seconds | Per VM
User Input Delay per Process(*)\Max Input Delay | 30 seconds | Per process
User Input Delay per Session(*)\Max Input Delay | 30 seconds | Per session
RemoteFX Network(*)\Current TCP RTT | 30 seconds | Per VM
RemoteFX Network(*)\Current UDP Bandwidth | 30 seconds | Per VM

If we estimate each record size to be 200 bytes, an example VM running a light workload on the default sample rate would send roughly 90 megabytes of performance counter data per day per VM. Meanwhile, an example VM running a power workload would send roughly 130 megabytes of performance counter data per day per VM. However, record size and environment usage can vary, so the megabytes per day your deployment uses may be different.
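As an added example (not code from the article), the following Python script applies the five multiplying factors above to the 20 default counters and the two example VMs, and shows how dominant the per-process input delay counter is in the estimate. It assumes each session host runs 24 hours a day, which the article does not state; the 200-byte record size is the article's figure.

```python
"""Daily performance-counter ingestion estimate for Azure Virtual Desktop Insights.

Added example; it is not code from the Microsoft documentation. It applies the
article's per-VM, per-core, per-disk, per-session and per-process multiplying
factors to the 20 default counters and to the light and power VM profiles.
Assumption (not stated in the article): each session host runs 24 hours a day.
"""
from dataclasses import dataclass

# The 20 default counters from the article: (name, default sample interval in seconds, factor).
DEFAULT_COUNTERS = [
    ("Logical Disk(C:)\\% free space", 60, "disk"),
    ("Logical Disk(C:)\\Avg. Disk Queue Length", 30, "disk"),
    ("Logical Disk(C:)\\Avg. Disk sec/Transfer", 60, "disk"),
    ("Logical Disk(C:)\\Current Disk Queue Length", 30, "disk"),
    ("Memory(*)\\Available Mbytes", 30, "vm"),
    ("Memory(*)\\Page Faults/sec", 30, "vm"),
    ("Memory(*)\\Pages/sec", 30, "vm"),
    ("Memory(*)\\% Committed Bytes in Use", 30, "vm"),
    ("PhysicalDisk(*)\\Avg. Disk Queue Length", 30, "disk"),
    ("PhysicalDisk(*)\\Avg. Disk sec/Read", 30, "disk"),
    ("PhysicalDisk(*)\\Avg. Disk sec/Transfer", 30, "disk"),
    ("PhysicalDisk(*)\\Avg. Disk sec/Write", 30, "disk"),
    ("Processor Information(_Total)\\% Processor Time", 30, "core"),
    ("Terminal Services(*)\\Active Sessions", 60, "vm"),
    ("Terminal Services(*)\\Inactive Sessions", 60, "vm"),
    ("Terminal Services(*)\\Total Sessions", 60, "vm"),
    ("User Input Delay per Process(*)\\Max Input Delay", 30, "process"),
    ("User Input Delay per Session(*)\\Max Input Delay", 30, "session"),
    ("RemoteFX Network(*)\\Current TCP RTT", 30, "vm"),
    ("RemoteFX Network(*)\\Current UDP Bandwidth", 30, "vm"),
]


@dataclass(frozen=True)
class VmProfile:
    name: str
    vcpus: int
    disks: int
    sessions_per_day: int
    session_minutes: int
    processes_per_session: int
    running_minutes_per_day: int = 24 * 60  # assumption: host is up all day


# The two example VMs from the article.
LIGHT = VmProfile("light", vcpus=4, disks=1, sessions_per_day=16,
                  session_minutes=120, processes_per_session=100)
POWER = VmProfile("power", vcpus=6, disks=1, sessions_per_day=6,
                  session_minutes=240, processes_per_session=200)


def records_per_day(vm, counters=DEFAULT_COUNTERS):
    """Records sent per day, grouped by frequency factor, using the article's formulas."""
    totals = {}
    for _name, interval_s, factor in counters:
        per_minute = 60 / interval_s  # default sample rate per minute
        connected_minutes = vm.sessions_per_day * vm.session_minutes
        if factor == "vm":
            n = per_minute * vm.running_minutes_per_day
        elif factor == "core":
            n = per_minute * vm.vcpus * vm.running_minutes_per_day
        elif factor == "disk":
            n = per_minute * vm.disks * vm.running_minutes_per_day
        elif factor == "session":
            n = per_minute * connected_minutes
        elif factor == "process":
            n = per_minute * connected_minutes * vm.processes_per_session
        else:
            raise ValueError(f"unknown frequency factor: {factor}")
        totals[factor] = totals.get(factor, 0) + round(n)
    return totals


def megabytes_per_day(vm, counters=DEFAULT_COUNTERS, bytes_per_record=200):
    """Ingested MB per VM per day at the article's example record size of 200 bytes."""
    return sum(records_per_day(vm, counters).values()) * bytes_per_record / 1_000_000


def with_interval(counters, name_prefix, interval_s):
    """Copy of the counter table with the sample interval of matching counters changed,
    to model the cost effect of reducing a counter's frequency."""
    return [(n, interval_s if n.startswith(name_prefix) else i, f) for n, i, f in counters]


if __name__ == "__main__":
    for vm in (LIGHT, POWER):
        breakdown = records_per_day(vm)
        total = sum(breakdown.values())
        print(f"{vm.name}: {total} records/day, {megabytes_per_day(vm):.1f} MB/day")
        for factor, n in sorted(breakdown.items(), key=lambda kv: -kv[1]):
            print(f"  per {factor:<8} {n:>8} ({100 * n / total:.0f}%)")
    # Halving the per-process input delay counter's rate (30 s -> 60 s) on the light VM.
    throttled = with_interval(DEFAULT_COUNTERS, "User Input Delay per Process", 60)
    print(f"light VM, per-process counter at 60 s: {megabytes_per_day(LIGHT, throttled):.1f} MB/day")
```

The light and power totals come out at about 88 MB and 128 MB per VM per day, matching the article's "roughly 90" and "roughly 130", with the per-process counter accounting for close to 90% of the records.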

To learn more about input delay performance counters, see User Input Delay performance counters.

Estimating Windows Event Log ingestion
Windows Event Logs are data sources collected by either the Azure Monitor Agent or the Log Analytics agent on Windows virtual machines. You can collect events from standard logs like System and Application as well as custom logs created by applications you need to monitor.

These are the default Windows Events for Azure Virtual Desktop Insights:

Application
Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin
Microsoft-Windows-TerminalServices-LocalSessionManager/Operational
System
Microsoft-FSLogix-Apps/Operational
Microsoft-FSLogix-Apps/Admin

Windows Event Logs send events whenever the environment meets the terms of the event. Machines in healthy states will send fewer events than machines in unhealthy states. Since event count is unpredictable, we use a range of 1,000 to 10,000 events per VM per day based on examples from healthy environments for this estimate. For example, if we estimate each event record size in this example to be 1,500 bytes, this comes out to roughly 2 to 15 megabytes of event data per day for the specified environment.

To learn more about configuring Windows event log data collection with the Azure
Monitor Agent, see How to collect events and performance counters from virtual
machines with Azure Monitor Agent.

To learn more about Windows events, see Windows event records properties.

Estimating diagnostics ingestion
The diagnostics service creates activity logs for both user and administrative actions.

These are the names of the activity logs the diagnostic counter tracks:

WVDCheckpoints
WVDConnections
WVDErrors
WVDFeeds
WVDManagement
WVDAgentHealthStatus

The service sends diagnostic information whenever the environment meets the terms
required to make a record. Since diagnostic record count is unpredictable, we use a
range of 500 to 1000 events per VM per day based on examples from healthy
environments for this estimate.

For example, if we estimate each diagnostic record size in this example to be 200 bytes,
then the total ingested data would be less than 1 MB per VM per day.

To learn more about the activity log categories, see Azure Virtual Desktop diagnostics.

Measure and manage your performance counter data
Your true monitoring costs will depend on your environment size, usage, and health. To
understand how to measure data ingestion in your Log Analytics workspace, see Analyze
usage in Log Analytics workspace.

The performance counters the session hosts use are among the largest sources of ingested data for Azure Virtual Desktop Insights. The following query will show all performance counters you've enabled in the environment, not just the default ones for Azure Virtual Desktop Insights. This information can help you understand which areas to target to reduce costs.

Run the following custom query template for a Log Analytics workspace to track
frequency and megabytes ingested per performance counter over the last day:

Note

Make sure to replace the template's placeholder values with the values your environment uses, otherwise the query won't work.

Kusto

let WVDHosts = dynamic(['Host1.MyCompany.com', 'Host2.MyCompany.com']);
Perf
| where TimeGenerated > ago(1d)
| where Computer in (WVDHosts)
| extend PerfCounter = strcat(ObjectName, ":", CounterName)
| summarize Records = count(TimeGenerated), InstanceNames = dcount(InstanceName), Bytes = sum(_BilledSize) by PerfCounter
| extend Billed_MBytes = Bytes / (1024 * 1024), BytesPerRecord = Bytes / Records
| sort by Records desc

Estimating total costs
Finally, let's estimate the total cost. In this example, let's say we come up with the
following results based on the example values in the previous sections:

Data source | Size estimate per day (in megabytes)
Performance counters | 90-130
Events | 2-15
Azure Virtual Desktop diagnostics | <1

In this example, the total ingested data for Azure Virtual Desktop Insights is between 92 and 145 megabytes per VM per day. In other words, every 31 days, each VM ingests roughly 3 to 5 gigabytes of data.

Using the default Pay-as-you-go model for Log Analytics pricing, you can estimate the Azure Monitor data collection and storage cost per month. Depending on your data ingestion, you may also consider the Capacity Reservation model for Log Analytics pricing.

Manage your data ingestion to reduce costs
This section will explain how to measure and manage data ingestion to reduce costs.

To learn about managing rights and permissions to the workbook, see Access control.

Note

Removing data points will impact their corresponding visuals in Azure Virtual Desktop Insights.

Log Analytics settings
Here are some suggestions to optimize your Log Analytics settings to manage data ingestion:

Use a designated Log Analytics workspace for your Azure Virtual Desktop
resources to ensure that Log Analytics only collects performance counters and
events for the virtual machines in your Azure Virtual Desktop deployment.
Adjust your Log Analytics storage settings to manage costs. You can reduce the
retention period, evaluate whether a fixed storage pricing tier would be more cost-
effective, or set boundaries on how much data you can ingest to limit impact of an
unhealthy deployment. To learn more, see Azure Monitor Logs pricing details.

Remove excess data
Our default configuration is the only set of data we recommend for Azure Virtual Desktop Insights. You always have the option to add more data points and view them in the Host Diagnostics: Host browser or build custom charts for them; however, added data will increase your Log Analytics cost. These can be removed for cost savings.

Measure and manage your performance counter data
Your true monitoring costs will depend on your environment size, usage, and health. To understand how to measure data ingestion in your Log Analytics workspace, see Analyze usage in Log Analytics workspace.

The performance counters the session hosts use will probably be your largest source of
ingested data for Azure Virtual Desktop Insights. The following custom query template
for a Log Analytics workspace can track frequency and megabytes ingested per
performance counter over the last day:

Kusto

let WVDHosts = dynamic(['Host1.MyCompany.com', 'Host2.MyCompany.com']);
Perf
| where TimeGenerated > ago(1d)
| where Computer in (WVDHosts)
| extend PerfCounter = strcat(ObjectName, ":", CounterName)
| summarize Records = count(TimeGenerated), InstanceNames = dcount(InstanceName), Bytes = sum(_BilledSize) by PerfCounter
| extend Billed_MBytes = Bytes / (1024 * 1024), BytesPerRecord = Bytes / Records
| sort by Records desc

Note

Make sure to replace the template's placeholder values with the values your environment uses, otherwise the query won't work.

This query will show all performance counters you have enabled on the environment,
not just the default ones for Azure Virtual Desktop Insights. This information can help
you understand which areas to target to reduce costs, like reducing a counter’s
frequency or removing it altogether.

You can also reduce costs by removing performance counters. To learn how to remove
performance counters or edit existing counters to reduce their frequency, see
Configuring performance counters.

Manage Windows Event Logs
Windows Events are unlikely to cause a spike in data ingestion when all hosts are healthy. An unhealthy host can increase the number of events sent to the log, but the information can be critical to fixing the host's issues. We recommend keeping them. To learn more about how to manage Windows Event Logs, see Configuring Windows Event logs.

Manage diagnostics
Azure Virtual Desktop diagnostics should make up less than 1% of your data storage costs, so we don't recommend removing them. To manage Azure Virtual Desktop diagnostics, see Use Log Analytics for the diagnostics feature.

Next steps
Learn more about Azure Virtual Desktop Insights at these articles:

Use Azure Virtual Desktop Insights to monitor your deployment.
Use the glossary to learn more about terms and concepts.
If you encounter a problem, check out our troubleshooting guide for help.
Check out Monitoring usage and estimated costs in Azure Monitor to learn more about managing your monitoring costs.

Azure Virtual Desktop Insights glossary
Article • 05/01/2024

This article lists and briefly describes key terms and concepts related to Azure Virtual
Desktop Insights.

Alerts
Any active Azure Monitor alerts that you've configured on the subscription and
classified as severity 0 will appear in the Overview page. To learn how to set up alerts,
see Azure Monitor Log Alerts.

Available sessions
Available sessions shows the number of available sessions in the host pool. The service
calculates this number by multiplying the number of virtual machines (VMs) by the
maximum number of sessions allowed per virtual machine, then subtracting the total
sessions.

Client operating system (OS)
The client operating system (OS) shows which version of the OS end-users accessing Azure Virtual Desktop resources are currently using. The client OS also shows which version of the web (HTML) client and the full Remote Desktop client the users have. For a full list of Windows OS versions, see Operating System Version.

Connection success
This item shows connection health. "Connection success" means that the connection
could reach the host, as confirmed by the stack on that virtual machine. A failed
connection means that the connection couldn't reach the host.

Daily active users (DAU)
The total number of users that have started a session in the last 24 hours.

Daily alerts
The total number of alerts triggered each day.

Daily connections and reconnections
The total number of connections and reconnections started or completed within the last 24 hours.

Daily connected hours
The total number of hours spent connected to a session across users in the last 24 hours.

Diagnostics and errors
When an error or alert appears in Azure Virtual Desktop Insights, it's categorized by three things:

Activity type: this category is how the error is categorized by Azure Virtual Desktop
diagnostics. The categories are management activities, feeds, connections, host
registrations, errors, and checkpoints. Learn more about these categories at Use
Log Analytics for the diagnostics feature.

Kind: this category shows the error's location.

  Errors marked as "service" or "ServiceError = TRUE" happened in the Azure Virtual Desktop service.
  Errors marked as "deployment" or tagged "ServiceError = FALSE" happened outside of the Azure Virtual Desktop service.
  To learn more about the ServiceError tag, see Common error scenarios.

Source: this category gives a more specific description of where the error happened.

  Diagnostics: the service role responsible for monitoring and reporting service activity to let users observe and diagnose deployment issues.
  RDBroker: the service role responsible for orchestrating deployment activities, maintaining the state of objects, validating authentication, and more.
  RDGateway: the service role responsible for handling network connectivity between end-users and virtual machines.
  RDStack: a software component that's installed on your VMs to allow them to communicate with the Azure Virtual Desktop service.
  Client: software running on the end-user machine that provides the interface to the Azure Virtual Desktop service. It displays the list of published resources and hosts the Remote Desktop connection once you've made a selection.

Each diagnostics issue or error includes a message that explains what went wrong. To
learn more about troubleshooting errors, see Identify and diagnose Azure Virtual
Desktop issues.

Gateway region codes
Some metrics in Azure Virtual Desktop Insights list the gateway region a user connects through. The gateway region is represented by a three or four-letter code that corresponds to the Azure region where the gateway is located. The following table lists the gateway region codes and their corresponding Azure regions:

Gateway region code | Azure region
AUC | Australia Central
AUC2 | Australia Central 2
AUE | Australia East
AUSE | Australia Southeast
BRS | Brazil South
CAC | Canada Central
CAE | Canada East
CHNO | Switzerland North
CIN | Central India
CUS | Central US
EAS | East Asia
EEU | East Europe
EUS | East US
EUS2 | East US 2
FRAS | France South
FRC | France Central
GEC | Germany Central
GEN | Germany North
GENE | Germany Northeast
GWC | Germany West Central
JPE | Japan East
JPW | Japan West
KRC | Korea Central
KRS | Korea South
KRS2 | Korea South 2
NCUS | North Central US
NEU | North Europe
NOE | Norway East
NOW | Norway West
SAN | South Africa North
SAW | South Africa West
SCUS | South Central US
SEA2 | Southeast Asia 2
SEAS | Southeast Asia
SIN | South India
SWW | Switzerland West
UAEC | UAE Central
UAEN | UAE North
UKN | UK North
UKS | UK South
UKS2 | UK South 2
UKW | UK West
WCUS | West Central US
WEU | West Europe
WIN | West India
WUS | West US

Input delay
"Input delay" in Azure Virtual Desktop Insights means the input delay per process performance counter for each session. In the host performance page at aka.ms/azmonwvdi, this performance counter is configured to send a report to the service once every 30 seconds. These 30-second intervals are called "samples," and each sample reports the worst case in that window. The median and p95 values reflect the median and 95th percentile across all samples.

Under Input delay by host, you can select a session host row to filter all other visuals in
the page to that host. You can also select a process name to filter the median input
delay over time chart.

We put delays in the following categories:

Good: below 150 milliseconds.
Acceptable: 150-500 milliseconds.
Poor: 500-2,000 milliseconds (below 2 seconds).
Bad: over 2,000 milliseconds (2 seconds and up).

To learn more about how the input delay counter works, see User Input Delay
performance counters.

Monthly active users (MAU)
The total number of users that have started a session in the last 28 days. If you store data for 30 days or less, you may see lower-than-expected MAU and Connection values during periods where you have fewer than 28 days of data available.

Performance counters
Performance counters show the performance of hardware components, operating systems, and applications.

The following table lists the recommended performance counters and time intervals that Azure Monitor uses for Azure Virtual Desktop:

Performance counter name | Time interval
Logical Disk(C:)\Avg. Disk Queue Length | 30 seconds
Logical Disk(C:)\Avg. Disk sec/Transfer | 60 seconds
Logical Disk(C:)\Current Disk Queue Length | 30 seconds
Memory(*)\Available Mbytes | 30 seconds
Memory(*)\Page Faults/sec | 30 seconds
Memory(*)\Pages/sec | 30 seconds
Memory(*)\% Committed Bytes in Use | 30 seconds
PhysicalDisk(*)\Avg. Disk Queue Length | 30 seconds
PhysicalDisk(*)\Avg. Disk sec/Read | 30 seconds
PhysicalDisk(*)\Avg. Disk sec/Transfer | 30 seconds
PhysicalDisk(*)\Avg. Disk sec/Write | 30 seconds
Processor Information(_Total)\% Processor Time | 30 seconds
Terminal Services(*)\Active Sessions | 60 seconds
Terminal Services(*)\Inactive Sessions | 60 seconds
Terminal Services(*)\Total Sessions | 60 seconds
*User Input Delay per Process(*)\Max Input Delay | 30 seconds
*User Input Delay per Session(*)\Max Input Delay | 30 seconds
RemoteFX Network(*)\Current TCP RTT | 30 seconds
RemoteFX Network(*)\Current UDP Bandwidth | 30 seconds


Potential connectivity issues
Potential connectivity issues shows the hosts, users, published resources, and clients
with a high connection failure rate. Once you choose a "report by" filter, you can
evaluate the issue's severity by checking the values in these columns:

Attempts (number of connection attempts)
Resources (number of published apps or desktops)
Hosts (number of VMs)
Clients

For example, if you select the By user filter, you can check to see each user's connection
attempts in the Attempts column.

If you notice that a connection issue spans multiple hosts, users, resources, or clients, it's likely that the issue affects the whole system. If it doesn't, it's a smaller issue that's lower priority.

You can also select entries to view additional information. You can view which hosts,
resources, and client versions were involved with the issue. The display will also show
any errors reported during the connection attempts.

Round-trip time (RTT)
Round-trip time (RTT) is an estimate of the connection's round-trip time between the end-user's location and the session host's Azure region. To see which locations have the best latency, look up your desired location in the Azure Virtual Desktop Experience Estimator tool.

Session history
The Sessions item shows the status of all sessions, connected and disconnected. Idle
sessions only shows the disconnected sessions.

Severity 0 alerts
The most urgent items that you need to take care of right away. If you don't address
these issues, they could cause your Azure Virtual Desktop deployment to stop working.

Time to connect
Time to connect is the time between when a user opens a resource to start their session
and when their desktop has loaded and is ready to use. For example, for a RemoteApp,
this is the time it takes to launch the application.

Time to connect has two stages:

Connection, which is how long it takes for the Azure service to route the user to a
session host.
"Logon," which is how long it takes for the service to perform tasks related to
signing in the user and establishing the session on the session host.

When monitoring time to connect, keep in mind the following things:

Time to connect is measured with the following checkpoints from Azure Virtual
Desktop service diagnostics data. The checkpoints Insights uses to determine when
the connection is established are different for a desktop versus a RemoteApp
scenario.

  Begins: WVDConnection state = started
  Ends: WVDCheckpoints Name = ShellReady (desktops); Name = RdpShellAppExecuted (RemoteApp; for timing, consider the first app launch only)

For example, Insights measures the time for a desktop experience to launch based on
how long it takes to launch Windows Explorer. Insights also measures the time for a
RemoteApp to launch based on the time taken to launch the first instance of the shell
app for a connection.

Note

If a user launches more than one RemoteApp, sometimes the shell app can execute multiple times during a single connection. For an accurate measurement of time to connect, you should only use the first execution checkpoint for each connection.

Establishing new sessions usually takes longer than reestablishing connections to existing sessions due to differences in the "logon" process for new and established connections.

The time it takes for the user to provide credentials is subtracted from their time to connect to account for situations where a user either takes a while to enter credentials or uses alternative authentication methods to sign in.

When troubleshooting a high time to connect, Azure Monitor will break down total connection time data into four components to help you identify how to reduce sign-in time.

Note

The components in this section only show the primary connection stages. These components can run in parallel, which means they won't add up to equal the total time to connect. The total time to connect is a measurement that Azure Monitor determines in a separate process.

The following flowchart shows the four stages of the sign-in process:

The flowchart shows the following four components:

User route: the time it takes from when the user selects the Azure Virtual Desktop
icon to launch a session to when the service identifies a host to connect to. High
network load, high service load, or unique network traffic routing can lead to high
routing times. To troubleshoot user route issues, look at your network paths.

Stack connected: the time it takes from when the service resolves a target session
host for the user to when the service establishes a connection between the session
host and the user’s remote client. Like user routing, the network load, server load,
or unique network traffic routing can affect connection time. For this component,
you'll also need to pay attention to your network routing. To reduce connection
time, make sure you've appropriately configured all proxy configurations on both
the client and session hosts, and that routing to the service is optimal.

Logon: the time it takes between when a connection to a host is established to when the shell starts to load. Logon time includes several processes that can contribute to high connection times. You can view data for the "logon" stage in Insights to see if there are unexpected peaks in average times.

The "logon" process is divided into four stages:

Profiles: the time it takes to load a user’s profile for new sessions. How long
loading takes depends on user profile size or the user profile solutions you're
using (such as User Experience Virtualization). If you're using a solution that
depends on network-stored profiles, excess latency can also lead to longer
profile loading times.

Group Policy Objects (GPOs): the time it takes to apply group policies to new
sessions. A spike in this area of the data is a sign that you have too many group
policies, the policies take too long to apply, or the session host is experiencing
resource issues. One thing you can do to optimize processing times is make
sure the domain controller is as close to the session hosts as possible.

Shell Start: the time it takes to launch the shell (usually explorer.exe).

FSLogix (Frxsvc): the time it takes to launch FSLogix in new sessions. A long
launch time may indicate issues with the shares used to host the FSLogix user
profiles. To troubleshoot these issues, make sure the shares are collocated with
the session hosts and appropriately scaled for the average number of users
signing in to the hosts. Another area you should look at is profile size. Large
profile sizes can slow down launch times.

Shell start to shell ready: the time from when the shell starts to load to when it's
fully loaded and ready for use. Delays in this phase can be caused by session host
overload (high CPU, memory, or disk activity) or configuration issues.

User report
The user report page lets you view a specific user’s connection history and diagnostic
information. Each user report shows usage patterns, user feedback, and any errors users
have encountered during their sessions. Most smaller issues can be resolved with user
feedback. If you need to dig deeper, you can also filter information about a specific
connection ID or period of time.

Users per core
This is the number of users in each virtual machine core. Tracking the maximum number
of users per core over time can help you identify whether the environment consistently
runs at a high, low, or fluctuating number of users per core. Knowing how many users
are active will help you efficiently resource and scale the environment.

Windows Event Logs
Windows Event Logs are data sources collected by either the Azure Monitor Agent or
the Log Analytics agent on Windows virtual machines. You can collect events from
standard logs like System and Application as well as custom logs created by applications
you need to monitor.

The following table lists the required Windows Event Logs for Azure Virtual Desktop
Insights:

Event name | Event type
Application | Error and Warning
Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin | Error, Warning, and Information
Microsoft-Windows-TerminalServices-LocalSessionManager/Operational | Error, Warning, and Information
System | Error and Warning
Microsoft-FSLogix-Apps/Operational | Error, Warning, and Information
Microsoft-FSLogix-Apps/Admin | Error, Warning, and Information

Next steps
To get started, see Use Azure Virtual Desktop Insights to monitor your deployment.
To estimate, measure, and manage your data storage costs, see Estimate Azure
Monitor costs.
If you encounter a problem, check out our troubleshooting guide for help and
known issues.

You can also set up Azure Advisor to help you figure out how to resolve or prevent
common issues. Learn more at Introduction to Azure Advisor.

If you need help or have any questions, check out our community resources:

Ask questions or make suggestions to the community at the Azure Virtual Desktop
TechCommunity.

To learn how to leave feedback, see Troubleshooting overview, feedback, and
support for Azure Virtual Desktop.

You can also leave feedback for Azure Virtual Desktop at the Azure Virtual Desktop
feedback hub.

Use cases for Azure Virtual Desktop Insights
Article • 06/28/2024

Using Azure Virtual Desktop Insights can help you understand your deployments of
Azure Virtual Desktop. It can help with checks such as which client versions are
connecting, opportunities for cost saving, or knowing if you have resource limitations or
connectivity issues. If you make changes, you can continually validate that the changes
have the intended effect, and iterate if needed. This article provides some use cases for
Azure Virtual Desktop Insights and example scenarios using the Azure portal.

Prerequisites
An existing host pool with session hosts, and a workspace configured to use Azure
Virtual Desktop Insights.

You need to have active sessions for a period of time before you can make
informed decisions.

Connectivity
Connectivity issues can have a severe impact on the quality and reliability of the end-
user experience with Azure Virtual Desktop. Azure Virtual Desktop Insights can help you
identify connectivity issues and understand where improvements can be made.

High latency
High latency can cause poor quality and slowness of a remote session. Maintaining ideal
interaction times requires latency to generally be below 100 milliseconds, with a session
broadly becoming of low quality over 200 ms. Azure Virtual Desktop Insights can help
pinpoint gateway regions and users impacted by latency by looking at the round-trip
time, so that you can more easily find cases of user impact that are related to
connectivity.

To view round-trip time:

1. Sign in to Azure Virtual Desktop Insights in the Azure portal by browsing to
https://aka.ms/avdi.
2. From the drop-down lists, select one or more subscriptions, resource groups, host
pools, and specify a time range, then select the Connection Performance tab.

3. Review the section for Round-trip time and focus on the table for RTT by gateway
region and the graph RTT median and 95th percentile for all regions. In the
example below, most median latencies are under the ideal threshold of 100 ms,
but several are higher. In many cases, the 95th percentile (p95) is substantially
higher than the median, meaning that there are some users experiencing periods
of higher latency.

Tip

You can find a list of the gateway region codes and their corresponding Azure
region at Gateway region codes.

4. For the table RTT by gateway region, select Median, until the arrow next to it
points down, to sort by the median latency in descending order. This order
highlights gateways your users are reaching with the highest latency that could be
having the most impact. Select a gateway to view the graph of its RTT median and
95th percentile, and filter the list of 20 top users by RTT median to the specific
region.

In this example, the SAN gateway region has the highest median latency, and the
graph indicates that over time users are substantially over the threshold for poor
connection quality.

The list of users can be used to identify who is being impacted by these issues. You
can select the magnifying glass icon in the Details column to drill down further
into the data.

There are several possibilities for why latency might be higher than anticipated for some
users, such as a poor Wi-Fi connection, or issues with their Internet Service Provider
(ISP). However, with a list of impacted users, you have the ability to proactively contact
and attempt to resolve end-user experience problems by understanding their network
connectivity.

You should periodically review the round-trip time in your environment and the overall
trend to identify potential performance concerns.

Connection reliability
The reliability of a connection can have a significant impact on the end-user experience.
Azure Virtual Desktop Insights can help you understand disconnection events and
correlations between errors that affect end users.

Connection reliability provides two main views to help you understand the reliability of
your connections:

A graph showing the number of disconnections over the concurrent connections in
a given time range. This graph enables you to easily detect clusters of disconnects
that are impacting connection reliability.

A table of the top 20 disconnection events, listing the top 20 specific time intervals
where the most disconnections occurred. You can select a row in the table to
highlight specific segments of the connection graph to view the disconnections
that occurred at those specific time segments.

You can also analyze connection errors by different pivots to determine the root cause
of disconnects and improve connection reliability. Here are the available pivots:

Pivot | Description

Subscription | Groups events by the subscription that contains related resources. When more
than one subscription has Azure Virtual Desktop resources, it helps to determine
whether issues are scoped to one or more subscriptions.

Resource group | Groups events by the resource group that contains related resources.

Host pool | Groups events by host pool.

Transport | Groups events by the network transport layer used for connections, either UDP
or TCP. For UDP, valid values are Relay, ShortpathPublic, and ShortpathPrivate. For
TCP, valid values are NotUsed and <>.

Session host | Groups events by session host.

Session host IP/16 | Groups events by the IPv4 address of each session host, collated by
the first two octets, for example (1.2.3.4).

Client type | Groups events by the client used to connect to a remote session, including
platform and processor architecture of the connecting device.

Client version | Groups events by the version number of Windows App or the Remote Desktop
app used to connect to a remote session.

Client IP/16 | Groups events by the IPv4 address of each client device connecting to a remote
session, collated by the first two octets, for example (1.2.3.4).

Gateway region | Groups events by the Azure Virtual Desktop gateway region a client device
connected through. For a list of gateway regions, see Gateway region codes.

To view connection reliability information:

1. Sign in to Azure Virtual Desktop Insights in the Azure portal by browsing to
https://aka.ms/avdi.

2. From the drop-down lists, select one or more subscriptions, resource groups, host
pools, and specify a time range, then select the Connection Reliability tab. The
table and graph populate with the top 20 disconnection events and a graph of
concurrent connections and disconnections over time.

3. In the graph, review the number of disconnections (shown in red) over the count of
concurrent connections (shown in green).

4. In the table, review the top 20 disconnection events. Select a row to highlight the
specific time segment and neighboring time segments in the graph when the
disconnections occurred.

5. When you select a row in the table, you can select one of the pivots to analyze the
connection errors in further detail. You might need to scroll down to see all the
relevant data available. By reviewing the connection errors across different pivots,
you can look for commonalities of disconnections.

6. Select a specific time slice to view its details with the full list of connections in the
time slice, their start and end dates, their duration, an indication of their success or
failure, and the impacted user and session host.

7. To see the detailed history of a specific connection, select an entry in the Details
section of a time slice. Selecting an entry generates a list of steps in the connection
and any errors.
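The time-slice ranking and pivot analysis this section describes, as an added example that is not part of the original article: it buckets constructed disconnection events into time slices, ranks the slices the way the top-20 table does, relates each slice to the number of concurrent connections, and reports any pivot value that dominates a slice. The record field names (TimeGenerated, CorrelationId, SessionHostName, TransportType, ClientVersion, GatewayRegion), the 15-minute slice width, the 80% dominance share and all sample values are assumptions; the transport values are the ones the pivot table lists.

```python
# Connection reliability analysis over constructed disconnection events.
# Added example, not Microsoft's code; field names and slice width are assumptions.
from collections import Counter
from datetime import datetime, timedelta, timezone

SLICE = timedelta(minutes=15)   # assumed width of one time slice
PIVOT_FIELDS = ("TransportType", "ClientVersion", "GatewayRegion", "SessionHostName")


def _event(ts, cid, user, host, transport, version, region):
    """Build one constructed disconnection record (assumed field names)."""
    return {"TimeGenerated": ts, "CorrelationId": cid, "UserName": user,
            "SessionHostName": host, "TransportType": transport,
            "ClientVersion": version, "GatewayRegion": region}


# Constructed disconnections (all values made up for the example).
DISCONNECTS = [
    _event("2024-06-03T09:02:00Z", "c1", "alice", "avd-sh-01", "ShortpathPublic", "1.2.4487.0", "WEU"),
    _event("2024-06-03T09:11:00Z", "c2", "bob", "avd-sh-02", "Relay", "1.2.4419.0", "WEU"),
    _event("2024-06-03T09:31:00Z", "c3", "carol", "avd-sh-01", "Relay", "1.2.4487.0", "SAN"),
    _event("2024-06-03T09:33:00Z", "c4", "dave", "avd-sh-03", "Relay", "1.2.4419.0", "SAN"),
    _event("2024-06-03T09:36:00Z", "c5", "erin", "avd-sh-02", "Relay", "1.2.4487.0", "WEU"),
    _event("2024-06-03T09:40:00Z", "c6", "frank", "avd-sh-01", "Relay", "1.2.4240.0", "SAN"),
    _event("2024-06-03T09:44:00Z", "c7", "grace", "avd-sh-03", "Relay", "1.2.4487.0", "WEU"),
    _event("2024-06-03T10:05:00Z", "c8", "heidi", "avd-sh-02", "ShortpathPrivate", "1.2.4487.0", "WEU"),
]

# Constructed connection intervals (start, end) for the concurrent-connection count.
SESSIONS = [("2024-06-03T08:45:00Z", "2024-06-03T10:30:00Z")] * 10 \
         + [("2024-06-03T08:00:00Z", "2024-06-03T09:10:00Z")] * 2


def parse_utc(ts):
    """Parse an ISO 8601 'Z' timestamp into an aware UTC datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def slice_start(ts):
    """Floor a timestamp to the start of its time slice."""
    dt = parse_utc(ts)
    midnight = dt.replace(hour=0, minute=0, second=0, microsecond=0)
    offset = int((dt - midnight).total_seconds()) % int(SLICE.total_seconds())
    return dt - timedelta(seconds=offset)


def top_disconnection_slices(events, limit=20):
    """Slices ranked by disconnection count (ties: earlier slice first)."""
    counts = Counter(slice_start(e["TimeGenerated"]) for e in events)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:limit]


def concurrent_connections(sessions, start):
    """Connections active at any point during the slice beginning at `start`."""
    end = start + SLICE
    return sum(1 for s, e in sessions if parse_utc(s) < end and parse_utc(e) > start)


def pivot(events, start, field):
    """Disconnections in one slice grouped by a pivot field."""
    return Counter(e[field] for e in events if slice_start(e["TimeGenerated"]) == start)


def commonality(events, start, field, min_share=0.8):
    """(value, share) when one pivot value dominates the slice, otherwise None."""
    counts = pivot(events, start, field)
    total = sum(counts.values())
    if total == 0:
        return None
    value, n = counts.most_common(1)[0]
    share = n / total
    return (value, share) if share >= min_share else None


def analyze(events, sessions, limit=20):
    """Top slices with their disconnect/concurrency ratio and dominant pivot values."""
    report = []
    for start, count in top_disconnection_slices(events, limit):
        concurrent = concurrent_connections(sessions, start)
        dominant = {}
        for field in PIVOT_FIELDS:
            hit = commonality(events, start, field)
            if hit:
                dominant[field] = hit
        report.append({"slice": start.strftime("%Y-%m-%dT%H:%MZ"), "disconnects": count,
                       "concurrent": concurrent,
                       "ratio": round(count / concurrent, 2) if concurrent else None,
                       "dominant": dominant})
    return report


if __name__ == "__main__":
    for row in analyze(DISCONNECTS, SESSIONS):
        print(row)
```

A slice where one transport or gateway region accounts for nearly every disconnection is the commonality step 5 asks you to look for; a slice with a high ratio but no dominant pivot value points at something shared by all connections, such as the session hosts themselves.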

Session host performance
Issues with session hosts, such as where session hosts have too many sessions to cope
with the workload end-users are running, can be a major cause of poor end-user
experience. Azure Virtual Desktop Insights can provide detailed information about
resource utilization and user input delay to allow you to more easily and quickly find if
users are impacted by limitations for resources like CPU or memory.

To view session host performance:

1. Sign in to the Azure portal.

2. In the search bar, type Azure Virtual Desktop and select the matching service entry
to go to the Azure Virtual Desktop overview.

3. Select Host pools, then select the name of the host pool for which you want to
view session host performance.

4. Select Insights, specify a time range, then select the Host Performance tab.

5. Review the table for Input delay by host and the graph Median input delay over
time to find a summary of the median and 95th percentile user input delay values
for each session host in the host pool. Ideally the user input delay for each host
should be below 100 milliseconds, and a lower value is better.

In the following example, the session hosts have a reasonable median user input
delay, but occasionally values peak above the threshold of 100 ms, implying
potential for impacting end-users.

6. If you find higher than expected user input delay (>100 ms), it can be useful to
then look at the aggregated statistics for CPU, memory, and disk activity for the
session hosts to see if there are periods of higher-than-expected utilization. The
graphs for Host CPU and memory metrics, Host disk timing metrics, and Host
disk queue length show either the aggregate across session hosts, or a selected
session host's resource metrics.

In this example, there are some periods of higher disk read times that correlate
with the higher user input delay.


7. For more information about a specific session host, select the Host Diagnostics
tab.

8. Review the section for Performance counters to see a quick summary of any
devices that crossed the specified thresholds for:

Available MBytes (available memory)
Page Faults/sec
CPU Utilization
Disk Space
Input Delay per Session

Selecting a parameter allows you to drill down and see the trend for a selected
session host. In the following example, one session host had higher CPU usage (>
60%) for the selected duration (1 minute).

In cases where a session host has extended periods of high resource utilization, it’s
worth considering increasing the Azure VM size of the session host to better
accommodate user workloads.

Client version usage
A common source of issues for end-users of Azure Virtual Desktop is using older clients
that might either be missing new or updated features, or contain known issues that are
resolved with more recent versions. Azure Virtual Desktop Insights contains a list of the
different clients in use and identifies clients that might be out of date.

To view a list of users with outdated clients:

1. Sign in to Azure Virtual Desktop Insights in the Azure portal by browsing to
https://aka.ms/avdi.

2. From the drop-down lists, select one or more subscriptions, resource groups, host
pools, and specify a time range, then select the Clients tab.

3. Review the section for Users with potentially outdated clients (all activity types).
A summary table shows the highest version level of each client found connecting
to your environment (marked as Newest) in the selected time range, and the count
of users using outdated versions (in parentheses).

In the example below, the newest version of the Microsoft Remote Desktop Client
for Windows (MSRDC) is 1.2.4487.0, and 993 users are currently using an older
version. It also shows a count of connections and the number of days behind the
latest version the older clients are.

4. To find more information, expand a client for a list of users using an outdated
version of that client, their versions, and the date last seen connecting with that
version. You can export the data using the button in the top right-hand corner of
the table for communication with the users or monitor the propagation of updates.

You should periodically review the versions of clients in use to ensure your users are
getting the best experience.

Cost saving opportunities
Understanding the utilization of session hosts can help illustrate where there's potential
to reduce spend by using a scaling plan, resizing virtual machines, or reducing the number
of session hosts in the pool. Azure Virtual Desktop Insights can provide visibility into
usage patterns to help you make the most informed decisions about how best to
manage your resources based on real user usage.

Session host utilization
Knowing when your session hosts are in peak demand, or when there are few or no
sessions can help you make decisions about how to manage your session hosts. You can
use autoscale to scale session hosts based on usage patterns. Azure Virtual Desktop
Insights can help you identify broad patterns of user activity across multiple host pools.
If you find opportunities to scale session hosts, you can use this information to create a
scaling plan.

To view session host utilization:

1. Sign in to Azure Virtual Desktop Insights in the Azure portal by browsing to
https://aka.ms/avdi.

2. From the drop-down lists, select one or more subscriptions, resource groups, host
pools, and specify a time range, then select the Utilization tab.

3. Review the Session history chart, which displays the number of active and idle
(disconnected) sessions over time. Identify any periods of high activity, and periods
of low activity from the peak user session count and the time period in which the
peaks occur. If you find a regular, repeated pattern of activity, it usually implies
there's a good opportunity to implement a scaling plan.

In this example, the graph shows the number of user sessions over the course of a
week. Peaks occur at around midday on weekdays, and there's a noticeable lack of
activity over the weekend. This pattern suggests that there's an opportunity to
scale session hosts to meet demand during the week, and reduce the number of
session hosts over the weekend.

4. Use the Session host count chart to note the average number of active session
hosts over time, and particularly the average number of session hosts that are idle
(no sessions). Ideally session hosts should be actively supporting connected
sessions and active workloads, and powered off when not in use by using a scaling
plan. You'll likely need to keep a minimum number of session hosts powered on to
ensure availability for users at irregular times, so understanding usage over time
can help find an appropriate number of session hosts to keep powered on as a
buffer.

Even if a scaling plan is ultimately not a good fit for your usage patterns, there's
still an opportunity to balance the total number of session hosts available as a
buffer by analyzing the session demand and potentially reducing the number of
idle devices.

In this example, the graph shows there are long periods over the course of a week
where idle session hosts are powered on and therefore increasing costs.

5. Use the drop-down lists to reduce the scope to a single host pool and repeat the
analysis for session history and session host count. At this scope, you can identify
patterns that are specific to the session hosts in a particular host pool to help
develop a scaling plan for that host pool.

In this example, the first graph shows the pattern of user activity throughout a
week between 6AM and 10PM. On the weekend, there's minimal activity. The
second graph shows the number of active and idle session hosts throughout the
same week. There are long periods of time where idle session hosts are powered
on. Use this information to help determine optimal ramp-up and ramp-down times
for a scaling plan.


6. Create a scaling plan based on the usage patterns you identify, then assign the
scaling plan to your host pool.

After a period of time, you should repeat this process to validate that your session hosts
are being utilized effectively. You can make changes to the scaling plan if needed, and
continue to iterate until you find the optimal scaling plan for your usage patterns.
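The utilization analysis in the steps above, as an added example that is not part of the original article: over a constructed week of hourly session counts with every host left powered on, it measures idle host-hours against what the sessions actually required, finds the busy window of each day, and derives ramp-up and ramp-down hours for a scaling plan, leaving weekends on the buffer only. The session profile, the per-host capacity of 8 sessions, the buffer of 2 hosts and the busy threshold are assumptions.

```python
# Session host utilization and scaling-window analysis over a constructed week.
# Added example, not Microsoft's code; capacities and thresholds are assumptions.
from math import ceil

SESSIONS_PER_HOST = 8   # assumed pooled capacity of one session host
MIN_HOSTS = 2           # assumed buffer kept powered on for off-hours sign-ins
BUSY_THRESHOLD = 8      # assumed: an hour is busy at one host's worth of sessions

DAYS = ("Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun")
# Constructed hourly session counts: weekdays peak around midday, weekends are near idle.
WEEKDAY_PROFILE = {6: 4, 7: 12, 8: 30, 9: 48, 10: 56, 11: 60, 12: 62, 13: 58,
                   14: 54, 15: 50, 16: 40, 17: 24, 18: 12, 19: 8, 20: 5, 21: 3}
WEEKEND_PROFILE = {10: 2, 14: 1}


def build_week(hosts_on=10):
    """168 constructed hourly samples; every host stays on (no scaling plan yet)."""
    samples = []
    for day in DAYS:
        profile = WEEKEND_PROFILE if day in ("Sat", "Sun") else WEEKDAY_PROFILE
        for hour in range(24):
            samples.append({"day": day, "hour": hour,
                            "sessions": profile.get(hour, 0), "hosts_on": hosts_on})
    return samples


def hosts_needed(sessions, per_host=SESSIONS_PER_HOST, buffer=MIN_HOSTS):
    """Hosts required for a session count, never below the powered-on buffer."""
    return max(buffer, ceil(sessions / per_host))


def idle_host_hours(samples, day=None):
    """Host-hours powered on beyond what sessions plus the buffer required."""
    return sum(max(0, s["hosts_on"] - hosts_needed(s["sessions"]))
               for s in samples if day is None or s["day"] == day)


def peak_session_count(samples):
    """(day, hour, sessions) of the busiest hour; the first one wins a tie."""
    top = max(samples, key=lambda s: s["sessions"])
    return top["day"], top["hour"], top["sessions"]


def busy_window(samples, day, threshold=BUSY_THRESHOLD):
    """(first, last) busy hour for a day, or None when the day never gets busy."""
    hours = [s["hour"] for s in samples if s["day"] == day and s["sessions"] >= threshold]
    return (min(hours), max(hours)) if hours else None


def suggest_schedule(samples, threshold=BUSY_THRESHOLD):
    """Per-day ramp-up (hour before the first busy hour) and ramp-down (hour after the last)."""
    schedule = {}
    for day in DAYS:
        window = busy_window(samples, day, threshold)
        schedule[day] = None if window is None else {
            "ramp_up": max(0, window[0] - 1), "ramp_down": min(23, window[1] + 1)}
    return schedule


if __name__ == "__main__":
    week = build_week()
    total_on = sum(s["hosts_on"] for s in week)
    idle = idle_host_hours(week)
    print(f"peak: {peak_session_count(week)}")
    print(f"idle host-hours: {idle} of {total_on} ({idle / total_on:.0%})")
    for day, plan in suggest_schedule(week).items():
        print(f"{day}: {'keep only the buffer on' if plan is None else plan}")
```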

Next steps
Create a scaling plan


Enable Insights to monitor Azure Virtual Desktop
Article • 04/09/2024

Azure Virtual Desktop Insights is a dashboard built on Azure Monitor Workbooks that
helps IT professionals understand their Azure Virtual Desktop environments. This topic
will walk you through how to set up Azure Virtual Desktop Insights to monitor your
Azure Virtual Desktop environments.

Important

The Log Analytics Agent is currently being deprecated. If you use the Log
Analytics Agent, you'll eventually need to migrate to the Azure Monitor Agent by
August 31, 2024.

Prerequisites
Before you start using Azure Virtual Desktop Insights, you'll need to set up the following
things:

All Azure Virtual Desktop environments you monitor must be based on the latest
release of Azure Virtual Desktop that’s compatible with Azure Resource Manager.

At least one configured Log Analytics Workspace. Use a designated Log Analytics
workspace for your Azure Virtual Desktop session hosts to ensure that
performance counters and events are only collected from session hosts in your
Azure Virtual Desktop deployment.

Enable data collection for the following things in your Log Analytics workspace:
  Diagnostics from your Azure Virtual Desktop environment
  Recommended performance counters from your Azure Virtual Desktop session hosts
  Recommended Windows Event Logs from your Azure Virtual Desktop session hosts

The data setup process described in this article is the only one you'll need to
monitor Azure Virtual Desktop. You can disable all other items sending data to
your Log Analytics workspace to save costs.

Anyone monitoring Azure Virtual Desktop Insights for your environment will also
need to have the following Azure role-based access control (RBAC) roles assigned
as a minimum:
  Desktop Virtualization Reader assigned on the resource group or subscription
  where the host pools, workspaces and session hosts are.
  Log Analytics Reader assigned on any Log Analytics workspace used with Azure
  Virtual Desktop Insights.

You can also create a custom role to reduce the scope of assignment on the Log
Analytics workspace. For more information, see Manage access to Log Analytics
workspaces.

Note

Read access only lets admins view data. They'll need different permissions to
manage resources in the Azure Virtual Desktop portal.

Log Analytics settings
To start using Azure Virtual Desktop Insights, you'll need at least one Log Analytics
workspace. Use a designated Log Analytics workspace for your Azure Virtual Desktop
session hosts to ensure that performance counters and events are only collected from
session hosts in your Azure Virtual Desktop deployment. If you already have a
workspace set up, skip ahead to Set up the configuration workbook. To set one up, see
Create a Log Analytics workspace in the Azure portal.

Note

Standard data storage charges for Log Analytics will apply. To start, we recommend
you choose the pay-as-you-go model and adjust as you scale your deployment and
take in more data. To learn more, see Azure Monitor pricing.

Set up the configuration workbook
If it's your first time opening Azure Virtual Desktop Insights, you'll need to set up Azure
Virtual Desktop Insights for your Azure Virtual Desktop environment. To configure your
resources:

1. Open Azure Virtual Desktop Insights in the Azure portal at aka.ms/avdi.

2. Select Workbooks, then select Check Configuration.

3. Select an Azure Virtual Desktop environment to configure from the drop-down
lists for Subscription, Resource Group, and Host Pool.

The configuration workbook sets up your monitoring environment and lets you check
the configuration after you've finished the setup process. It's important to check your
configuration if items in the dashboard aren't displaying correctly, or when the product
group publishes updates that require new settings.

Resource diagnostic settings
To collect information on your Azure Virtual Desktop infrastructure, you'll need to
enable several diagnostic settings on your Azure Virtual Desktop host pools and
workspaces (this is your Azure Virtual Desktop workspace, not your Log Analytics
workspace). To learn more about host pools, workspaces, and other Azure Virtual
Desktop resource objects, see our environment guide.

You can learn more about Azure Virtual Desktop diagnostics and the supported
diagnostic tables at Send Azure Virtual Desktop diagnostics to Log Analytics.

To set your resource diagnostic settings in the configuration workbook:

1. Select the Resource diagnostic settings tab in the configuration workbook.

2. Select Log Analytics workspace to send Azure Virtual Desktop diagnostics.

Host pool diagnostic settings
To set up host pool diagnostics using the resource diagnostic settings section in the
configuration workbook:

1. Under Host pool, check to see whether Azure Virtual Desktop diagnostics are
enabled. If they aren't, an error message will appear that says "No existing
diagnostic configuration was found for the selected host pool." You'll need to
enable the following supported diagnostic tables:

Management Activities
Feed
Connections
Errors
Checkpoints
HostRegistration
AgentHealthStatus

Note

If you don't see the error message, you don't need to do steps 2 through 4.

2. Select Configure host pool.

3. Select Deploy.

4. Refresh the configuration workbook.

Workspace diagnostic settings
To set up workspace diagnostics using the resource diagnostic settings section in the
configuration workbook:

1. Under Workspace, check to see whether Azure Virtual Desktop diagnostics are
enabled for the Azure Virtual Desktop workspace. If they aren't, an error message
will appear that says "No existing diagnostic configuration was found for the
selected workspace." You'll need to enable the following supported diagnostics
tables:

Management Activities
Feed
Errors
Checkpoints

Note

If you don't see the error message, you don't need to do steps 2-4.

2. Select Configure workspace.

3. Select Deploy.

4. Refresh the configuration workbook.

Session host data settings
You can use either the Azure Monitor Agent or the Log Analytics agent to collect
information on your Azure Virtual Desktop session hosts. We recommend you use the
Azure Monitor Agent as the Log Analytics Agent will be deprecated on August 31st,
2024. Select the relevant tab for your scenario.
Azure Monitor Agent

To collect information on your Azure Virtual Desktop session hosts, you must
configure a Data Collection Rule (DCR) to collect performance data and Windows
Event Logs, associate the session hosts with the DCR, install the Azure Monitor
Agent on all session hosts in host pools you're collecting data from, and ensure the
session hosts are sending data to a Log Analytics workspace.

The Log Analytics workspace you send session host data to doesn't have to be the
same one you send diagnostic data to.

To configure a DCR and select a Log Analytics workspace destination using the
configuration workbook:

1. From the Azure Virtual Desktop overview page, select Host pools, then select
the pooled host pool you want to monitor.

2. From the host pool overview page, select Insights, then select Open
Configuration Workbook.

3. Select the Session host data settings tab in the configuration workbook.

4. For Workspace destination, select the Log Analytics workspace you want to
send session host data to.

5. For DCR resource group, select the resource group in which you want to
create the DCR.

6. Select Create data collection rule to automatically configure the DCR using
the configuration workbook. This option only appears once you've selected a
workspace destination and a DCR resource group.

Session hosts

You need to install the Azure Monitor Agent on all session hosts in the host pool
and send data from those hosts to your selected Log Analytics workspace. If the
session hosts don't all meet the requirements, you'll see a Session hosts section at
the top of Session host data settings with the message Some hosts in the host
pool are not sending data to the selected Log Analytics workspace.

Note

If you don't see the Session hosts section or error message, all session hosts
are set up correctly. Automated deployment is limited to 1000 session hosts or
fewer.

To set up your remaining session hosts using the configuration workbook:

1. Select the DCR you're using for data collection.

2. Select Deploy association to create the DCR association.

3. Select Add extension to deploy the Azure Monitor Agent to all the session
hosts in the host pool.

4. Select Add system managed identity to configure the required managed
identity.

5. Once the agent has installed and the managed identity has been added,
refresh the configuration workbook.

Note

For larger host pools (over 1,000 session hosts) or if you encounter
deployment issues, we recommend you install the Azure Monitor Agent when
you create a session host by using an Azure Resource Manager template.

Optional: configure alerts
Azure Virtual Desktop Insights allows you to monitor Azure Monitor alerts happening
within your selected subscription in the context of your Azure Virtual Desktop data.
Azure Monitor alerts are an optional feature on your Azure subscriptions, and you need
to set them up separately from Azure Virtual Desktop Insights. You can use the Azure
Monitor alerts framework to set custom alerts on Azure Virtual Desktop events,
diagnostics, and resources. To learn more about Azure Monitor alerts, see Azure Monitor
Log Alerts.

Diagnostic and usage data
Microsoft automatically collects usage and performance data through your use of the
Azure Virtual Desktop Insights service. Microsoft uses this data to improve the quality,
security, and integrity of the service.

To provide accurate and efficient troubleshooting capabilities, the collected data
includes the portal session ID, Microsoft Entra user ID, and the name of the portal tab
where the event occurred. Microsoft doesn't collect names, addresses, or other contact
information.

For more information about data collection and usage, see the Microsoft Online Services
Privacy Statement.

Note

To learn about viewing or deleting your personal data collected by the service, see
Azure Data Subject Requests for the GDPR. For more information about GDPR, see
the GDPR section of the Service Trust portal.

Next steps
Now that you’ve configured Azure Virtual Desktop Insights for your Azure Virtual
Desktop environment, here are some resources that might help you start monitoring
your environment:

Check out our glossary to learn more about terms and concepts related to Azure
Virtual Desktop Insights.
To estimate, measure, and manage your data storage costs, see Estimate Azure
Virtual Desktop Insights costs.
If you encounter a problem, check out our troubleshooting guide for help and
known issues.
To see what's new in each version update, see What's new in Azure Virtual Desktop
Insights.
Analyze connection quality in Azure Virtual Desktop
Article • 06/12/2023

Important

The Connection Graphics Data Logs are currently in preview. See the Supplemental
Terms of Use for Microsoft Azure Previews for legal terms that apply to Azure
features that are in beta, preview, or otherwise not yet released into general
availability.

Azure Virtual Desktop helps users host client sessions on their session hosts running on
Azure. When a user starts a session, they connect from their local device over a network
to access the session host. It's important that the user experience feels as much like a
local session on a physical device as possible. To understand the network connectivity
from a user's device to a session host, see Understanding Azure Virtual Desktop network
connectivity.

You can analyze connection quality in your Azure Virtual Desktop deployment by using
Azure Log Analytics. In this article, we'll talk about how you can measure your
connection network and connection graphics to improve the connection quality of your
end-users.

Connection network and graphics data


The connection network and graphics data that Azure Log Analytics collects can help
you discover areas that impact your end-user's graphical experience. The service collects
data for reports regularly throughout the session. You can also use RemoteFX network
performance counters to get some graphics-related performance data from your
deployment, but they're not quite as comprehensive as Azure Log Analytics. Azure
Virtual Desktop connection network data reports have the following advantages over
RemoteFX network performance counters:

Each record is connection-specific and includes the correlation ID of the connection, which can be tied back to the user.

The round trip time measured in this table is protocol-agnostic and will record the
measured latency for Transmission Control Protocol (TCP) or User Datagram
Protocol (UDP) connections.
Connection network data
The NetworkData table includes the following information:

The estimated available bandwidth (kilobytes per second) is the average estimated available network bandwidth during each connection time interval.

The estimated round trip time (milliseconds) is the average estimated round trip
time during each connection time interval. Round trip time is how long a network
request takes to go from the end-user's device to the session host through the
network, then return from the session host to the end-user device.

The Correlation ID is the ActivityId of a specific Azure Virtual Desktop connection that's assigned to every diagnostic within that connection.

The time generated is a timestamp in Coordinated Universal Time (UTC) time that
marks when an event the data counter is tracking happened on the virtual machine
(VM). All averages are measured by the time window that ends at the marked
timestamp.

The Resource ID is a unique ID assigned to the Azure Virtual Desktop host pool
associated with the data the diagnostics service collects for this table.

The source system, Subscription ID, Tenant ID, and type (table name).

Frequency
The service generates these network data points every two minutes during an active
session.

Connection graphics data (preview)


You should consult the ConnectionGraphicsData table (preview) when users report slow
or choppy experiences in their Azure Virtual Desktop sessions. The table records
information whenever the graphical indicators (end-to-end delay and dropped frames
percentage) fall outside the "healthy" threshold for Azure Virtual Desktop, which helps
admins track and understand the factors across the server, client, and network that could
be contributing to the user's slow or choppy experience. However, because the table isn't
populated regularly throughout a session, it's a troubleshooting tool for poor user
experience rather than a reliable baseline for your environment.

The ConnectionGraphicsData table only captures performance data from the Azure Virtual
Desktop graphics stream. It doesn't capture performance degradation or "slowness" caused
by application-specific factors or by the virtual machine itself (such as CPU or storage
constraints). Use this table together with other VM performance metrics to determine
whether the delay is caused by the remote desktop service (graphics and network) or by
something inherent in the VM or app.

The graphics data you collect for your data tables includes the following information:

The Last evaluated connection time interval is the two minutes leading up to the
time graphics indicators fell below the quality threshold.

The end-to-end delay (milliseconds) is the delay in the time between when a
frame is captured on the server until the time frame is rendered on the client,
measured as the sum of the encoding delay on the server, network delay, the
decoding delay on the client, and the rendering time on the client. The delay
reflected is the highest (worst) delay recorded in the last evaluated connection
time interval.

The compressed frame size (bytes) is the compressed size of the frame with the
highest end-to-end delay in the last evaluated connection time interval.

The encoding delay on the server (milliseconds) is the time it takes to encode the
frame with the highest end-to-end delay in the last evaluated connection time
interval on the server.

The decoding delay on the client (milliseconds) is the time it takes to decode the
frame with the highest end-to-end delay in the last evaluated connection time
interval on the client.

The rendering delay on the client (milliseconds) is the time it takes to render the
frame with the highest end-to-end delay in the last evaluated connection time
interval on the client.

The percentage of frames skipped is the total percentage of frames dropped by these three sources:
The client (slow client decoding).
The network (insufficient network bandwidth).
The server (the server is busy).

The recorded values (one each for client, server, and network) are from the second
with the highest dropped frames in the last evaluated connection time interval.
The estimated available bandwidth (kilobytes per second) is the average
estimated available network bandwidth during the second with the highest end-
to-end delay in the time interval.

The estimated round trip time (milliseconds), which is the average estimated
round trip time during the second with the highest end-to-end delay in the time
interval. Round trip time is how long a network request takes to go from the end-
user's device to the session host through the network, then return from the session
host to the end-user device.

The Correlation ID, which is the ActivityId of a specific Azure Virtual Desktop
connection that's assigned to every diagnostic within that connection.

The time generated, which is a timestamp in UTC time that marks when an event
the data counter is tracking happened on the virtual machine (VM). All averages
are measured by the time window that ends at the marked timestamp.

The Resource ID is a unique ID assigned to the Azure Virtual Desktop host pool
associated with the data the diagnostics service collects for this table.

The source system, Subscription ID, Tenant ID, and type (table name).

Frequency
In contrast to other diagnostics tables that report data at regular intervals throughout a
session, the frequency of data collection for the graphics data varies depending on the
graphical health of a connection. The table doesn't record data for "Good" scenarios, but
does record data if any of the following metrics are rated "Bad" or "Okay," and the
resulting data is sent to the destination configured in your diagnostic settings. Data is
recorded at most once every two minutes. The metrics involved in data collection are listed
in the following table:

Metric | Bad | Okay | Good
Percentage of dropped frames at low frame rate (less than 15 fps) | Greater than 15% | 10%–15% | Less than 10%
Percentage of dropped frames at high frame rate (greater than 15 fps) | Greater than 50% | 20%–50% | Less than 20%
End-to-end delay per frame | Greater than 300 ms | 150 ms–300 ms | Less than 150 ms

Note

For end-to-end delay per frame, if any frame in a single second is delayed by over
300 ms, the service rates that second as "Bad". If all frames in a single second take
between 150 ms and 300 ms, the service rates it as "Okay."
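
As an added example (not part of the original article), the following Log Analytics query applies the documented end-to-end delay thresholds to the preview graphics table and ties each record back to the user, session host, client type, and transport protocol. The table name WVDConnectionGraphicsDataPreview and the column names EndToEndDelayInMs, PercentageOfFramesSkippedByClient, PercentageOfFramesSkippedByNetwork, PercentageOfFramesSkippedByServer and EstRoundTripTimeInMs are assumptions derived from the fields described above; confirm them against your workspace schema before relying on the results.

```kusto
// Added example, not from the original article. Table and column names below are
// assumptions based on the fields described above; confirm them with
//   WVDConnectionGraphicsDataPreview | getschema
let lookback = 1d;
WVDConnectionGraphicsDataPreview
| where TimeGenerated >= ago(lookback)
// Rate the worst frame of each interval against the documented delay thresholds.
| extend DelayRating = case(
    EndToEndDelayInMs > 300, "Bad",
    EndToEndDelayInMs >= 150, "Okay",
    "Good")
// No frame-rate column exists, so report total drops and the side that lost the most.
| extend TotalSkippedPct = PercentageOfFramesSkippedByClient
    + PercentageOfFramesSkippedByNetwork
    + PercentageOfFramesSkippedByServer
| extend DropSource = case(
    TotalSkippedPct == 0, "None",
    PercentageOfFramesSkippedByNetwork >= PercentageOfFramesSkippedByClient
      and PercentageOfFramesSkippedByNetwork >= PercentageOfFramesSkippedByServer, "Network",
    PercentageOfFramesSkippedByClient >= PercentageOfFramesSkippedByServer, "Client",
    "Server")
// CorrelationId ties each graphics record back to the connection and user.
// The connection record may predate the graphics sample, so look further back.
| join kind=leftouter (
    WVDConnections
    | where TimeGenerated >= ago(lookback + 1d)
    | extend Protocol = iff(UdpUse in ("0", "<>"), "TCP", "UDP")
    | distinct CorrelationId, UserName, SessionHostName, ClientType, Protocol
    ) on CorrelationId
| summarize
    Samples = count(),
    BadSamples = countif(DelayRating == "Bad"),
    WorstE2EDelayMs = max(EndToEndDelayInMs),
    P90RttMs = percentile(EstRoundTripTimeInMs, 90),
    arg_max(TotalSkippedPct, DropSource)
    by UserName, SessionHostName, ClientType, Protocol
| project-rename MaxSkippedPct = TotalSkippedPct, DominantDropSource = DropSource
| order by BadSamples desc, WorstE2EDelayMs desc
```

Because the graphics table has no frame-rate column, the two dropped-frame rows of the threshold table can't be evaluated directly; the query instead reports the total skipped percentage for the worst sample and which side (client, network, or server) accounted for the largest share of it, which is usually enough to decide whether to look at the endpoint, the path, or the session host.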

Next steps
Learn more about how to monitor and run queries about connection quality issues
at Monitor connection quality.
Troubleshoot connection and latency issues at Troubleshoot connection quality for
Azure Virtual Desktop.
To check the best location for optimal latency, see the Azure Virtual Desktop
Experience Estimator tool .
For pricing plans, see Azure Log Analytics pricing.
To get started with your Azure Virtual Desktop deployment, check out our tutorial.
To learn about bandwidth requirements for Azure Virtual Desktop, see
Understanding Remote Desktop Protocol (RDP) Bandwidth Requirements for Azure
Virtual Desktop.
To learn about Azure Virtual Desktop network connectivity, see Understanding
Azure Virtual Desktop network connectivity.
Learn how to use Azure Virtual Desktop Insights at Get started with Azure Virtual
Desktop Insights.
Collect and query connection quality data
Article • 01/06/2023

Important

The Connection Graphics Data Logs are currently in preview. See the Supplemental
Terms of Use for Microsoft Azure Previews for legal terms that apply to Azure
features that are in beta, preview, or otherwise not yet released into general
availability.

Connection quality is essential for good user experiences, so it's important to be able to
monitor connections for potential issues and troubleshoot problems as they arise. Azure
Virtual Desktop offers tools like Log Analytics that can help you monitor your
deployment's connection health. This article will show you how to configure your
diagnostic settings to let you collect connection quality data and query data for specific
parameters.

Prerequisites
To start collecting connection quality data, you’ll need to set up a Log Analytics
workspace.

Note

Normal storage charges for Log Analytics will apply. Learn more at Azure Monitor
Logs pricing details.

Configure diagnostics settings


To check and modify your diagnostics settings in the Azure portal:

1. Sign in to the Azure portal, then go to Azure Virtual Desktop and select Host
pools.

2. Select the host pool you want to collect network data for.
3. Select Diagnostic settings, then create a new setting if you haven't configured
your diagnostic settings yet. If you've already configured your diagnostic settings,
select Edit setting.

4. Select allLogs if you want to collect data for all tables. The allLogs category group
automatically includes any new log categories the service adds in the future.

If you'd prefer to view more specific tables, first select Network Data Logs and
Connection Graphics Data Logs Preview, then select the names of the other tables
you want to see.

5. Select where you want to send the collected data. Azure Virtual Desktop Insights
users should select a Log Analytics workspace.

6. Select Save to apply your changes.

7. Repeat this process for all other host pools you want to measure.

8. To check network data, return to the host pool's resource page, select Logs, then
run one of the queries in Sample queries for Azure Log Analytics. In order for your
query to get results, your host pool must have active users who've connected to
sessions before. Keep in mind that it can take up to 15 minutes for network data to
appear in the Azure portal.

Sample queries for Azure Log Analytics: network data
In this section, we have a list of queries that will help you review connection quality
information. You can run queries in the Log Analytics query editor.

Note

For each per-user example, replace alias@domain in the user variable with the UPN of
the user you want to look up.

Query average RTT and bandwidth


To look up the average round trip time and bandwidth:

Kusto

// 90th, 50th, 10th Percentile for RTT in 10 min increments
WVDConnectionNetworkData
| summarize RTTP90=percentile(EstRoundTripTimeInMs,90), RTTP50=percentile(EstRoundTripTimeInMs,50), RTTP10=percentile(EstRoundTripTimeInMs,10) by bin(TimeGenerated,10m)
| render timechart

// 90th, 50th, 10th Percentile for BW in 10 min increments
WVDConnectionNetworkData
| summarize BWP90=percentile(EstAvailableBandwidthKBps,90), BWP50=percentile(EstAvailableBandwidthKBps,50), BWP10=percentile(EstAvailableBandwidthKBps,10) by bin(TimeGenerated,10m)
| render timechart

To look up the round-trip time and bandwidth per connection:

Kusto

// RTT and BW Per Connection Summary
// Returns P90 Round Trip Time (ms) and Bandwidth (KBps) per connection with connection details.
WVDConnectionNetworkData
| summarize RTTP90=percentile(EstRoundTripTimeInMs,90), BWP90=percentile(EstAvailableBandwidthKBps,90), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated) by CorrelationId
| join kind=leftouter (
    WVDConnections
    | extend Protocol = iff(UdpUse in ("0","<>"),"TCP","UDP")
    | distinct CorrelationId, SessionHostName, Protocol, ClientOS, ClientType, ClientVersion, ConnectionType, ResourceAlias, SessionHostSxSStackVersion, UserName
    ) on CorrelationId
| project CorrelationId, StartTime, EndTime, UserName, SessionHostName, RTTP90, BWP90, Protocol, ClientOS, ClientType, ClientVersion, ConnectionType, ResourceAlias, SessionHostSxSStackVersion

Query data for a specific user


To look up the bandwidth for a specific user:

Kusto

let user = "alias@domain";
WVDConnectionNetworkData
| join kind=leftouter (
    WVDConnections
    | distinct CorrelationId, UserName
    ) on CorrelationId
| where UserName == user
| project EstAvailableBandwidthKBps, TimeGenerated
| render columnchart

To look up the round trip time for a specific user:

Kusto

let user = "alias@domain";
WVDConnectionNetworkData
| join kind=leftouter (
    WVDConnections
    | distinct CorrelationId, UserName
    ) on CorrelationId
| where UserName == user
| project EstRoundTripTimeInMs, TimeGenerated
| render columnchart

To look up the top 10 users with the highest round trip time:

Kusto

WVDConnectionNetworkData
| join kind=leftouter (
    WVDConnections
    | distinct CorrelationId, UserName
    ) on CorrelationId
| summarize AvgRTT=avg(EstRoundTripTimeInMs), RTT_P95=percentile(EstRoundTripTimeInMs,95) by UserName
| top 10 by AvgRTT desc

To look up the 10 users with the lowest bandwidth:

Kusto

WVDConnectionNetworkData
| join kind=leftouter (
    WVDConnections
    | distinct CorrelationId, UserName
    ) on CorrelationId
| summarize AvgBW=avg(EstAvailableBandwidthKBps), BW_P95=percentile(EstAvailableBandwidthKBps,95) by UserName
| top 10 by AvgBW asc

Next steps
Learn more about connection quality at Connection quality in Azure Virtual Desktop.
Send diagnostic data to Log Analytics for Azure Virtual Desktop
Article • 04/09/2024

Important

This content applies to Azure Virtual Desktop with Azure Resource Manager Azure
Virtual Desktop objects. If you're using Azure Virtual Desktop (classic) without
Azure Resource Manager objects, see this article.

Azure Virtual Desktop uses Azure Monitor for monitoring and alerts like many other
Azure services. This lets admins identify issues through a single interface. The service
creates activity logs for both user and administrative actions. Each activity log falls under
the following categories:

Category | Description
Management Activities | Whether attempts to change Azure Virtual Desktop objects using APIs or PowerShell are successful.
Feed | Whether users can successfully subscribe to workspaces.
Connections | When users initiate and complete connections to the service.
Host registration | Whether a session host successfully registered with the service upon connecting.
Errors | Where users encounter issues with specific activities.
Checkpoints | Specific steps in the lifetime of an activity that were reached.
Agent Health Status | Monitor the health and status of the Azure Virtual Desktop agent installed on each session host.
Network | The average network data for user sessions to monitor for details including the estimated round trip time.
Connection Graphics | Performance data from the Azure Virtual Desktop graphics stream.
Session Host Management Activity | Management activity of session hosts.
Autoscale | Scaling operations.

Connections that don't reach Azure Virtual Desktop won't show up in diagnostics results
because the diagnostics role service itself is part of Azure Virtual Desktop. Azure Virtual
Desktop connection issues can happen when the user is experiencing network
connectivity issues.

Azure Monitor lets you analyze Azure Virtual Desktop data and review virtual machine
(VM) performance counters, all within the same tool. This article will tell you more about
how to enable diagnostics for your Azure Virtual Desktop environment.

Note

To learn how to monitor your VMs in Azure, see Monitoring Azure virtual
machines with Azure Monitor. Also, make sure to review the Azure Virtual
Desktop Insights glossary for a better understanding of your user experience on
the session host.

Prerequisites
Before you can use Azure Virtual Desktop with Log Analytics, you need:

A Log Analytics workspace. For more information, see Create a Log Analytics
workspace in Azure portal or Create a Log Analytics workspace with PowerShell.
After you've created your workspace, follow the instructions in Connect Windows
computers to Azure Monitor to get the following information:
The workspace ID
The primary key of your workspace

You'll need this information later in the setup process.

Access to specific URLs from your session hosts for diagnostics to work. For more
information, see Required URLs for Azure Virtual Desktop where you'll see entries
for Diagnostic output.

Make sure to review permission management for Azure Monitor to enable data
access for those who monitor and maintain your Azure Virtual Desktop
environment. For more information, see Get started with roles, permissions, and
security with Azure Monitor.

Push diagnostics data to your workspace


You can push diagnostics data from your Azure Virtual Desktop objects into the Log
Analytics for your workspace. You can set up this feature right away when you first
create your objects.

To set up Log Analytics for a new object:

1. Sign in to the Azure portal and go to Azure Virtual Desktop.

2. Navigate to the object (such as a host pool, application group, or workspace) that
you want to capture logs and events for.

3. Select Diagnostic settings in the menu on the left side of the screen.

4. Select Add diagnostic setting in the menu that appears on the right side of the
screen.

The options shown in the Diagnostic Settings page will vary depending on what
kind of object you're editing.

For example, when you're enabling diagnostics for an application group, you'll see
options to configure checkpoints, errors, and management. For workspaces, these
categories configure a feed to track when users subscribe to the list of apps. To
learn more about diagnostic settings see Create diagnostic setting to collect
resource logs and metrics in Azure.

Important

Remember to enable diagnostics for each Azure Resource Manager object that you
want to monitor. Data will be available for activities after diagnostics has been
enabled. It might take a few hours after first set-up.

5. Enter a name for your settings configuration, then select Send to Log Analytics.
The name you use shouldn't have spaces and should conform to Azure naming
conventions. As part of the logs, you can select all the options that you want
added to your Log Analytics, such as Checkpoint, Error, Management, and so on.

6. Select Save.

Note

Log Analytics gives you the option to stream data to Event Hubs or archive it in a
storage account. To learn more about this feature, see Stream Azure monitoring
data to an event hub and Archive Azure resource logs to storage account.
How to access Log Analytics
You can access Log Analytics workspaces on the Azure portal or Azure Monitor.

Access Log Analytics on a Log Analytics workspace


1. Sign in to the Azure portal.

2. Search for Log Analytics workspace.

3. Under Services, select Log Analytics workspaces.

4. From the list, select the workspace you configured for your Azure Virtual Desktop
object.

5. Once in your workspace, select Logs. You can filter out your menu list with the
Search function.

Access Log Analytics on Azure Monitor


1. Sign in to the Azure portal.

2. Search for and select Monitor.

3. Select Logs.

4. Follow the instructions in the logging page to set the scope of your query.

5. You are ready to query diagnostics. All diagnostics tables have a "WVD" prefix.

Note

For more detailed information about the tables stored in Azure Monitor Logs, see
the Azure Monitor data reference. All tables related to Azure Virtual Desktop are
prefixed with "WVD."

Cadence for sending diagnostic events


Diagnostic events are sent to Log Analytics when the activity they describe completes.

For connection activities, Log Analytics reports only these intermediate states:
Started: when a user selects and connects to an app or desktop in the Remote Desktop client.
Connected: when the user successfully connects to the VM where the app or desktop is hosted.
Completed: when the user or server disconnects the session the activity took place in.

Example queries
Access example queries through the Azure Monitor Log Analytics UI:

1. Go to your Log Analytics workspace, and then select Logs. The example query UI is
shown automatically.
2. Change the filter to Category.
3. Select Azure Virtual Desktop to review available queries.
4. Select Run to run the selected query.

Learn more about the sample query interface in Saved queries in Azure Monitor Log
Analytics.

The following query list lets you review connection information or issues for a single
user. You can run these queries in the Log Analytics query editor. For each query, replace
userupn with the UPN of the user you want to look up.

To find all connections for a single user:

Kusto

WVDConnections
| where UserName == "userupn"
| take 100
| sort by TimeGenerated asc, CorrelationId

To find the number of times a user connected per day:

Kusto

// Aggregate over the full result set: a take before summarize would silently cap the count.
WVDConnections
| where UserName == "userupn"
| summarize dcount(CorrelationId) by bin(TimeGenerated, 1d)
| sort by TimeGenerated asc

To find session duration by user:


Kusto

let Events = WVDConnections | where UserName == "userupn";
Events
| where State == "Connected"
| project CorrelationId, UserName, ResourceAlias, StartTime=TimeGenerated
| join (Events
    | where State == "Completed"
    | project EndTime=TimeGenerated, CorrelationId)
    on CorrelationId
| project Duration = EndTime - StartTime, ResourceAlias
| sort by Duration asc

To find errors for a specific user:

Kusto

WVDErrors
| where UserName == "userupn"
| take 100

To find out whether a specific error occurred for other users:

Kusto

// count() takes no argument in Kusto; count the occurrences and the distinct users separately.
WVDErrors
| where CodeSymbolic == "ErrorSymbolicCode"
| summarize Occurrences=count(), AffectedUsers=dcount(UserName) by CodeSymbolic

Note

When a user launches a full desktop session, their app usage in the session isn't tracked as checkpoints in the WVDCheckpoints table.
The ResourceAlias column in the WVDConnections table shows whether a user has connected to a full desktop or a published app. The column only shows the first app they open during the connection. Any published apps the user opens are tracked in WVDCheckpoints.
The WVDErrors table shows you management errors, host registration issues, and other issues that happen while the user subscribes to a list of apps or desktops.
The WVDErrors table also helps you to identify issues that can be resolved by admin tasks. The value of ServiceError should always equal false for these types of issues. If ServiceError equals true, you'll need to escalate the issue to Microsoft. Ensure you provide the CorrelationId for errors you escalate.
When debugging connectivity issues, in some cases client information might be missing even if the connection event completes. This applies to the WVDConnections and WVDCheckpoints tables.
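
As an added example (not part of the original article), the following query turns the ServiceError rule above into a triage list: errors from the last day grouped by symbolic code, split into those an admin can act on and those to escalate, with the CorrelationIds a support case needs. The column names ServiceError, CodeSymbolic, Message, ActivityType, UserName and CorrelationId are assumed from the note above; confirm them against your workspace schema.

```kusto
// Added example, not from the original article. Column names are assumptions
// based on the note above; confirm them with  WVDErrors | getschema
WVDErrors
| where TimeGenerated >= ago(1d)
// ServiceError == false: fix it yourself; ServiceError == true: open a support case.
| extend Disposition = iff(tobool(ServiceError), "Escalate to Microsoft", "Admin actionable")
| summarize
    Occurrences = count(),
    AffectedUsers = dcount(UserName),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated),
    SampleMessage = take_any(Message),
    // A few CorrelationIds are enough for a support case to locate the connections.
    CorrelationIds = make_set(CorrelationId, 5)
    by Disposition, ActivityType, CodeSymbolic
| order by Disposition asc, Occurrences desc
```

Run it once per host pool scope from the Logs blade; the "Admin actionable" rows point at misconfiguration on your side (domain join, registration tokens, permissions), while the "Escalate to Microsoft" rows already carry the CorrelationIds support will ask for.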

Next steps
Enable Insights to monitor Azure Virtual Desktop.
To review common error scenarios that the diagnostics feature can identify for you,
see Identify and diagnose issues.
Session host statuses and health checks in Azure Virtual Desktop
Article • 03/05/2024

The Azure Virtual Desktop Agent regularly runs health checks on the session host. The
agent assigns these health checks various statuses that include descriptions of how to
fix common issues. This article tells you what each status means and how to act on them
during a health check.

Session host statuses


The following table lists each potential session host status shown in the Azure portal.
Available is considered the ideal default status. Any other status represents a potential
issue that you need to take care of to ensure the service works properly.

Note

If an issue is listed as non-fatal, the service can still run with the issue active.
However, we recommend you resolve the issue as soon as possible to prevent
future issues. If an issue is listed as fatal, it prevents the service from running. You
must resolve all fatal issues to make sure your users can access the session host.

Available
Description: The session host passed all health checks and is available to accept user connections. If a session host has reached its maximum session limit but has passed health checks, it's still listed as "Available."
Load balancing: New user sessions are load balanced here.
How to resolve related issues: N/A

Needs Assistance
Description: The session host didn't pass one or more of the following non-fatal health checks: the Geneva Monitoring Agent health check, the Azure Instance Metadata Service (IMDS) health check, or the URL health check. In this state, users can connect to VMs, but their user experience may degrade. You can find which health checks failed in the Azure portal by going to the Session hosts tab and selecting the name of your session host.
Load balancing: New user sessions are load balanced here.
How to resolve related issues: Follow the directions in Error: Session hosts are stuck in "Needs Assistance" state to resolve the issue.

Shutdown
Description: The session host has been shut down. If the agent enters a shutdown state before connecting to the broker, its status changes to Unavailable. If you've shut down your session host and see an Unavailable status, that means the session host shut down before it could update the status, and doesn't indicate an issue. You should use this status with the VM instance view API to determine the power state of the VM.
Load balancing: Not available for load balancing.
How to resolve related issues: Turn on the session host.

Unavailable
Description: The session host is either turned off or hasn't passed fatal health checks, which prevents user sessions from connecting to this session host.
Load balancing: Not available for load balancing.
How to resolve related issues: If the session host is off, turn it back on. If the session host didn't pass the domain join check or side-by-side stack listener health checks, refer to the table in Health check for ways to resolve the issue. If the status is still "Unavailable" after following those directions, open a support case.

Upgrade Failed
Description: The Azure Virtual Desktop Agent couldn't update or upgrade. This status doesn't affect new or existing user sessions.
Load balancing: New user sessions are load balanced here.
How to resolve related issues: Follow the instructions in the Azure Virtual Desktop Agent troubleshooting article.

Upgrading
Description: The agent upgrade is in progress. This status updates to "Available" once the upgrade is done and the session host can accept connections again.
Load balancing: New user sessions are load balanced here.
How to resolve related issues: If your session host is stuck in the "Upgrading" state, then reinstall the agent.

Health check
The health check is a test run by the agent on the session host. The following table lists
each type of health check and describes what it does.

Domain joined
Description: Verifies that the session host is joined to a domain controller.
If the check fails: Fatal. Users won't be able to connect to the session host. To solve this issue, join your session host to a domain.

Geneva Monitoring Agent
Description: Verifies that the session host has a healthy monitoring agent by checking if the monitoring agent is installed and running in the expected registry location.
If the check fails: Semi-fatal. There may be successful connections, but they'll contain no logging information. To resolve this issue, make sure a monitoring agent is installed. If it's already installed, contact Microsoft support.

Side-by-side (SxS) Stack Listener
Description: Verifies that the side-by-side stack is up and running, listening, and ready to receive connections.
If the check fails: Fatal. Users won't be able to connect to the session host. Try restarting your virtual machine (VM). If restarting doesn't work, contact Microsoft support.

App attach health check
Description: Verifies that the app attach or MSIX app attach service is working as intended during package staging or destaging.
If the check fails: Not fatal. However, certain apps stop working for end-users.

Domain trust check
Description: Verifies the session host isn't experiencing domain trust issues that could prevent authentication when a user connects to a session.
If the check fails: Fatal. The service won't be able to connect if it can't reach the authentication domain for the session host.

Metadata service check
Description: Verifies the metadata service is accessible and returns compute properties.
If the check fails: Not fatal.
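
The portal shows these health check results one session host at a time. As an added example (not part of the original article), the following Log Analytics query pulls the latest agent report for every host in the workspace, expands each failing health check into its own row, and ranks it by the impact described in the table above. The layout of the SessionHostHealthCheckResult column (a dynamic array with HealthCheckName, HealthCheckResult and AdditionalFailureDetails) and the check names used for ranking are assumptions; list the values your workspace actually reports before relying on the Severity column.

```kusto
// Added example, not from the original article. The dynamic column layout and the
// HealthCheckName / HealthCheckResult values are assumptions; list what your
// workspace actually reports with:
//   WVDAgentHealthStatus | mv-expand Check = SessionHostHealthCheckResult
//   | summarize by tostring(Check.HealthCheckName), tostring(Check.HealthCheckResult)
WVDAgentHealthStatus
| where TimeGenerated >= ago(1h)
// Keep only the most recent report from each session host.
| summarize arg_max(TimeGenerated, *) by SessionHostName
| where Status != "Available"
// One row per health check so individual failures are visible.
| mv-expand Check = SessionHostHealthCheckResult
| extend
    HealthCheckName = tostring(Check.HealthCheckName),
    HealthCheckResult = tostring(Check.HealthCheckResult),
    FailureDetails = tostring(Check.AdditionalFailureDetails)
| where HealthCheckResult != "HealthCheckSucceeded"
// Rank by the impact described in the table above: fatal checks block connections.
| extend SeverityRank = case(
    HealthCheckName in ("DomainJoinedCheck", "DomainTrustCheck", "SxSStackListenerCheck"), 0,
    HealthCheckName == "MonitoringAgentCheck", 1,
    2)
| extend Severity = case(SeverityRank == 0, "Fatal", SeverityRank == 1, "Semi-fatal", "Non-fatal")
| order by SeverityRank asc, SessionHostName asc
| project TimeGenerated, SessionHostName, Status, AgentVersion, Severity,
    HealthCheckName, HealthCheckResult, FailureDetails
```

Hosts whose latest report is older than the one-hour window don't appear at all, which is itself a signal: a host that has stopped reporting is usually shut down or has a broken monitoring agent, so pair this query with the Shutdown and Unavailable guidance in the status table above.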

Next steps
For an overview on troubleshooting Azure Virtual Desktop and the escalation
tracks, see Troubleshooting overview, feedback, and support.
To troubleshoot issues while creating an Azure Virtual Desktop environment and
host pool in an Azure Virtual Desktop environment, see Environment and host pool
creation.
To troubleshoot issues while configuring a virtual machine (VM) in Azure Virtual
Desktop, see Session host virtual machine configuration.
To troubleshoot issues related to the Azure Virtual Desktop agent or session
connectivity, see Troubleshoot common Azure Virtual Desktop Agent issues.
To troubleshoot issues when using PowerShell with Azure Virtual Desktop, see
Azure Virtual Desktop PowerShell.
To go through a troubleshoot tutorial, see Tutorial: Troubleshoot Resource
Manager template deployments.

Set up diagnostics to monitor agent updates
Article • 03/20/2023

Diagnostic logs can tell you which agent version is installed for an update, when it was
installed, and if the update was successful. If an update is unsuccessful, it might be
because the session host was turned off during the update. If that happened, you
should turn the session host back on.

This article describes how to use diagnostic logs in a Log Analytics workspace to
monitor agent updates.

Enable sending diagnostic logs to your Log Analytics workspace
To enable sending diagnostic logs to your Log Analytics workspace:

1. Create a Log Analytics workspace, if you haven't already. Next, get the workspace
ID and primary key by following the instructions in Use Log Analytics for the
diagnostics feature.

2. Send diagnostics to the Log Analytics workspace you created by following the
instructions in Push diagnostics data to your workspace.

3. Follow the directions in How to access Log Analytics to access the logs in your
workspace.

Note

The log query results only cover the last 30 days of data in your deployment.

Use diagnostics to see when an update becomes available
To see when agent component updates are available:

1. Access the logs in your Log Analytics workspace.

2. Select the + button to create a new query.


3. Copy and paste the following Kusto query to see if agent component updates are
available for the specified session host. Make sure to change the
sessionHostName parameter to the name of your session host.

Note

If you haven't enabled the Scheduled Agent Updates feature, you won't see
anything in the NewPackagesAvailable field.

Kusto

WVDAgentHealthStatus
| where TimeGenerated >= ago(30d)
| where SessionHostName == "sessionHostName"
| project TimeGenerated, AgentVersion, SessionHostName,
LastUpgradeTimeStamp, UpgradeState, UpgradeErrorMsg
| sort by TimeGenerated desc
| take 1

Use diagnostics to see when agent updates are happening
To see when agent updates are happening or to make sure that the Scheduled Agent
Updates feature is working:

1. Access the logs in your Log Analytics workspace.

2. Select the + button to create a new query.

3. Copy and paste the following Kusto query to see when the agent has updated for
the specified session host. Make sure to change the sessionHostName parameter
to the name of your session host.

Kusto

WVDAgentHealthStatus
| where TimeGenerated >= ago(30d)
| where SessionHostName == "sessionHostName"
| project TimeGenerated, AgentVersion, SessionHostName, LastUpgradeTimeStamp, UpgradeState, UpgradeErrorMsg
| summarize arg_min(TimeGenerated, *) by AgentVersion
| sort by TimeGenerated asc

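The two queries above look at one session host at a time. The following PowerShell script is an added example (not code from the Azure Virtual Desktop documentation) that runs the same WVDAgentHealthStatus checks against every session host reporting to a workspace and flags the ones with an upgrade error or packages waiting, then shows the upgrade history for one host. It assumes the Az.Accounts and Az.OperationalInsights modules are installed, that Connect-AzAccount has been run, and that the workspace ID and session host name are replaced with your own.

```powershell
# Added example, not from the Azure Virtual Desktop docs.
# Assumes: Az.Accounts + Az.OperationalInsights, an existing Connect-AzAccount session.
# Placeholders: $workspaceId (Workspace ID GUID from the workspace Overview blade), host name below.

$workspaceId = '00000000-0000-0000-0000-000000000000'   # assumption: your Log Analytics workspace ID
$lookback    = New-TimeSpan -Days 30                    # the feature only reports on the last 30 days

function Invoke-WvdQuery {
    param([Parameter(Mandatory)][string] $Query)
    # Rows come back as PSCustomObjects with string-typed columns, one per result row.
    (Invoke-AzOperationalInsightsQuery -WorkspaceId $workspaceId -Query $Query -Timespan $lookback).Results
}

# Latest record per session host: "is an update available / did the last upgrade fail" for the estate.
$latestQuery = @'
WVDAgentHealthStatus
| where TimeGenerated >= ago(30d)
| summarize arg_max(TimeGenerated, AgentVersion, LastUpgradeTimeStamp, UpgradeState, UpgradeErrorMsg, NewPackagesAvailable) by SessionHostName
| sort by SessionHostName asc
'@

foreach ($r in Invoke-WvdQuery -Query $latestQuery) {
    $flag = if ("$($r.UpgradeErrorMsg)".Trim()) { 'UPGRADE ERROR' }
            elseif ("$($r.NewPackagesAvailable)" -match '^(true|1)$') { 'update available' }
            else { 'ok' }
    '{0,-40} {1,-22} {2,-14} {3,-16} {4}' -f $r.SessionHostName, $r.AgentVersion, $r.UpgradeState, $flag, $r.UpgradeErrorMsg
}

# Upgrade history for one host: the first time each agent version was seen is when that update landed.
# Use it to confirm a scheduled update ran inside its maintenance window.
function Get-WvdAgentUpgradeHistory {
    param([Parameter(Mandatory)][string] $SessionHostName)
    # The name is interpolated into KQL, so strip quote and backslash characters if it comes from user input.
    $safeName = $SessionHostName -replace '["\\]', ''
    $q = @"
WVDAgentHealthStatus
| where TimeGenerated >= ago(30d)
| where SessionHostName == "$safeName"
| summarize FirstSeen = min(TimeGenerated) by AgentVersion
| sort by FirstSeen asc
"@
    Invoke-WvdQuery -Query $q
}

Get-WvdAgentUpgradeHistory -SessionHostName 'avd-sh-01.corp.contoso.com' | Format-Table   # assumption: host name
```

The first query uses arg_max per host so a single run covers the whole host pool; a host that never appears in the output has not reported in 30 days, which is itself worth investigating.
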
Next steps
For more information about Scheduled Agent Updates and the agent components,
check out the following articles:

To learn how to schedule agent updates, see Scheduled Agent Updates.

For more information about the Azure Virtual Desktop agent, side-by-side stack,
and Geneva Monitoring agent, see Getting Started with the Azure Virtual Desktop
Agent.

Learn more about the latest and previous agent versions at What's new in the
Azure Virtual Desktop agent.

If you're experiencing agent or connectivity-related issues, see the Azure Virtual
Desktop Agent issues troubleshooting guide.

Set up service alerts
Article • 03/03/2023

Important

This content applies to Azure Virtual Desktop with Azure Resource Manager Azure
Virtual Desktop objects. If you're using Azure Virtual Desktop (classic) without
Azure Resource Manager objects, see this article.

You can use Azure Service Health to monitor service issues and health advisories for
Azure Virtual Desktop. Azure Service Health can notify you with different types of alerts
(for example, email or SMS), help you understand the effect of an issue, and keep you
updated as the issue resolves. Azure Service Health can also help you mitigate
downtime and prepare for planned maintenance and changes that could affect the
availability of your resources.

To learn more about Azure Service Health, see the Azure Health Documentation.

Create service alerts


This section shows you how to configure Azure Service Health and how to set up
notifications, which you can access on the Azure portal. You can set up different types of
alerts and schedule them to notify you in a timely manner.

Recommended service alerts

We recommend you create service alerts for the following health event types:

Service issue: Receive notifications on major issues that impact connectivity of
your users with the service or with the ability to manage Azure Virtual Desktop.

Health advisory: Receive notifications that require your attention. The following
are some examples of this type of notification:

Virtual machines (VMs) that aren't securely configured, for example with port 3389
open to the internet. Session hosts don't need an inbound 3389 rule for Azure Virtual
Desktop connections, which are brokered over outbound connections from the host to
the service, so an exposed 3389 is unnecessary attack surface.

Deprecation of functionality

Configure service alerts


To configure service alerts:

1. Sign in to the Azure portal.

2. Select Service Health.

3. Follow the instructions in Create activity log alerts on service notifications to set up
your alerts and notifications.
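The portal steps above can be scripted so the alert exists in every subscription you manage. The following PowerShell is an added example (not from the Azure Virtual Desktop documentation) that creates a Service Health activity log alert limited to Azure Virtual Desktop events and routes it to an existing action group. It assumes Az.Monitor 3.0 or later (the *Object helper cmdlets were introduced there), Az.Accounts, a Connect-AzAccount session, and an action group that already exists; the resource group, action group name and the ServiceName string are assumptions, so confirm the exact service name Service Health uses by opening an existing event under Service Health > Health history in your tenant.

```powershell
# Added example, not from the Azure Virtual Desktop docs.
# Assumes: Az.Accounts + Az.Monitor 3.0+, Connect-AzAccount already run, an existing action group.

$subscriptionId = (Get-AzContext).Subscription.Id
$rgName         = 'rg-avd-monitoring'   # assumption: resource group that holds the alert rule
$actionGroupId  = "/subscriptions/$subscriptionId/resourceGroups/$rgName/providers/microsoft.insights/actionGroups/ag-avd-ops"  # assumption: existing action group

# Condition 1: only Service Health events. Leaving properties.incidentType unfiltered keeps service
# issues, planned maintenance, health advisories and security advisories, which is what the
# "Recommended service alerts" section asks for.
$isServiceHealth = New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject -Field 'category' -Equal 'ServiceHealth'

# Condition 2: only events where Azure Virtual Desktop is listed as an impacted service.
$isAvd = New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject `
    -Field 'properties.impactedServices[*].ServiceName' `
    -Equal 'Azure Virtual Desktop'   # assumption: the ServiceName string used by Service Health

$action = New-AzActivityLogAlertActionGroupObject -Id $actionGroupId

New-AzActivityLogAlert -Name 'avd-service-health' -ResourceGroupName $rgName -Location 'global' `
    -Scope @("/subscriptions/$subscriptionId") `
    -Condition @($isServiceHealth, $isAvd) `
    -Action $action `
    -Description 'Service issues, planned maintenance and advisories affecting Azure Virtual Desktop'

# Verify the rule landed and is enabled.
Get-AzActivityLogAlert -ResourceGroupName $rgName -Name 'avd-service-health' | Select-Object Name, Enabled
```

The scope is the whole subscription because Service Health events are not tied to an individual host pool; if you operate several subscriptions, run the script once per subscription.
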

Next steps
Learn how to configure Azure Virtual Desktop Insights.
How to resolve Azure Advisor recommendations
Article • 06/08/2021

This article describes how you can resolve recommendations that appear in Azure
Advisor for Azure Virtual Desktop.

"No validation environment enabled"

This recommendation appears under Operational Excellence. The recommendation
should also show you a warning message like this:

"You don't have a validation environment enabled in this subscription. When you made
your host pools, you selected No for "Validation environment" in the Properties tab. To
ensure business continuity through Azure Virtual Desktop service deployments, make
sure you have at least one host pool with a validation environment where you can test
for potential issues."

You can make this warning message go away by enabling a validation environment in
one of your host pools.
To enable a validation environment:

1. Go to your Azure portal home page and open Host pools.

2. Select the host pool you want to change from a production environment to a
validation environment.

3. In your host pool, select Properties in the left column. Next, scroll down until you
see "Validation environment." Select Yes, then select Apply.

These changes won't make the warning go away immediately, but it should disappear
eventually. Azure Advisor updates twice a day. Until then, you can postpone or dismiss
the recommendation manually. We recommend you let the recommendation go away
on its own. That way, Azure Advisor can let you know if it comes across any problems as
the settings change.

"Not enough production (non-validation) environments enabled"

This recommendation appears under Operational Excellence.

For this recommendation, the warning message appears for one of these reasons:

You have too many host pools in your validation environment.

You don't have any production host pools.

We recommend users have fewer than half of their host pools in a validation
environment.
To resolve this warning:

1. Go to your Azure portal home page and open Host pools.

2. Select a host pool you want to change from validation to production.

3. In your host pool, select Properties in the left column. Next, scroll down until you
see "Validation environment." Select No, then select Apply.

These changes won't make the warning go away immediately, but it should disappear
eventually. Azure Advisor updates twice a day. Until then, you can postpone or dismiss
the recommendation manually. We recommend you let the recommendation go away
on its own. That way, Azure Advisor can let you know if it comes across any problems as
the settings change.
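Both validation-environment recommendations come down to one property on each host pool, so they are easy to audit and fix in bulk. The following PowerShell is an added example (not from the Azure Virtual Desktop documentation) that counts validation versus production host pools in the current subscription, turns the flag on for a pool you name when none has it, and lists the validation pools when they make up half or more of the total. It assumes the Az.DesktopVirtualization module and a Connect-AzAccount session; the pool name is a placeholder.

```powershell
# Added example, not from the Azure Virtual Desktop docs.
# Assumes: Az.DesktopVirtualization, Connect-AzAccount already run. $testPoolName is a placeholder.

$testPoolName = 'hp-validation-01'   # assumption: the pool where you test service deployments first

function Get-HostPoolSplit {
    $pools = @(Get-AzWvdHostPool)
    [pscustomobject]@{
        Total      = $pools.Count
        Validation = @($pools | Where-Object { $_.ValidationEnvironment }).Count
        Pools      = $pools
    }
}

function Set-HostPoolValidation {
    param(
        [Parameter(Mandatory)][string] $ResourceGroupName,
        [Parameter(Mandatory)][string] $Name,
        [Parameter(Mandatory)][bool]   $IsValidation
    )
    # -ValidationEnvironment is a switch; the ":$bool" form sets it explicitly in either direction.
    Update-AzWvdHostPool -ResourceGroupName $ResourceGroupName -Name $Name -ValidationEnvironment:$IsValidation | Out-Null
}

# The resource group is segment 4 of "/subscriptions/<id>/resourceGroups/<rg>/providers/...".
function Get-RgFromId([string] $Id) { ($Id -split '/')[4] }

$split = Get-HostPoolSplit
'{0} host pools: {1} validation, {2} production' -f $split.Total, $split.Validation, ($split.Total - $split.Validation)

if ($split.Total -gt 0 -and $split.Validation -eq 0) {
    # "No validation environment enabled"
    $pool = $split.Pools | Where-Object Name -eq $testPoolName
    if (-not $pool) { throw "Host pool '$testPoolName' not found; pick an existing pool to use for validation." }
    Set-HostPoolValidation -ResourceGroupName (Get-RgFromId $pool.Id) -Name $pool.Name -IsValidation $true
    "Enabled validation environment on $($pool.Name). Advisor re-evaluates twice a day."
}
elseif ($split.Validation * 2 -ge $split.Total) {
    # "Not enough production (non-validation) environments enabled": Advisor wants fewer than half.
    # List the validation pools rather than flipping them blindly; you choose which go back to production.
    $split.Pools | Where-Object { $_.ValidationEnvironment } | ForEach-Object {
        "Validation pool: $($_.Name)  (resource group $(Get-RgFromId $_.Id))"
    }
    "Run Set-HostPoolValidation -IsValidation `$false on each pool that should be production."
}
```

Keep the validation pool small and non-critical: the service ships changes there before production pools, so it is where a regression shows up first.
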

"Not enough links are unblocked to successfully implement your VM"

This recommendation appears under Operational Excellence.

You need to unblock specific URLs to make sure that your virtual machine (VM)
functions properly. You can see the list at Safe URL list. If the URLs aren't unblocked,
your VM won't work properly.

To resolve this recommendation, make sure you unblock all the URLs on the Safe URL list.
You can use service tags or FQDN tags to unblock them, too.

Next steps
If you're looking for more in-depth guides about how to resolve common issues, check
out Troubleshooting overview, feedback, and support for Azure Virtual Desktop.
Troubleshooting overview, feedback, and support for Azure Virtual Desktop
Article • 04/14/2023

Important

This content applies to Azure Virtual Desktop with Azure Resource Manager Azure
Virtual Desktop objects. If you're using Azure Virtual Desktop (classic) without
Azure Resource Manager objects, see this article.

This article provides an overview of the issues you may encounter when setting up an
Azure Virtual Desktop environment and provides ways to resolve the issues.

Troubleshoot deployment and connection issues

Azure Virtual Desktop Insights is a dashboard built on Azure Monitor workbooks that
can quickly troubleshoot and identify issues in your Azure Virtual Desktop environment
for you. If you prefer working with Kusto queries, we recommend using the built-in
diagnostic feature, Log Analytics, instead.

Report issues

To report issues or suggest features for Azure Virtual Desktop with Azure Resource
Manager integration, visit the Azure Virtual Desktop Tech Community. You can use the
Tech Community to discuss best practices or suggest and vote for new features.

When you make a post asking for help or propose a new feature, make sure you
describe your topic in as much detail as possible. Detailed information can help other
users answer your question or understand the feature you're proposing.

Escalation tracks

Before doing anything else, check the Azure status page and Azure Service Health to
make sure your Azure service is running properly.

Use the following table to identify and resolve issues you may encounter when setting
up an environment using the Remote Desktop client. Once your environment's set up, you
can use the Diagnostics service to identify issues for common scenarios.

Issue: Session host pool Azure Virtual Network (VNet) and ExpressRoute settings
Suggested solution: Open an Azure support request, then select the appropriate service (under the Networking category).

Issue: Session host pool virtual machine (VM) creation when the Azure Resource Manager templates provided with Azure Virtual Desktop aren't being used
Suggested solution: Open an Azure support request, then select Azure Virtual Desktop for the service. For issues with the Azure Resource Manager templates that are provided with Azure Virtual Desktop, see the Azure Resource Manager template errors section of Host pool creation.

Issue: Managing the Azure Virtual Desktop session host environment from the Azure portal
Suggested solution: Open an Azure support request. For management issues when using Remote Desktop Services/Azure Virtual Desktop PowerShell, see Azure Virtual Desktop PowerShell, or open an Azure support request, select Azure Virtual Desktop for the service, select Configuration and management for the problem type, then select Issues configuring environment using PowerShell for the problem subtype.

Issue: Managing Azure Virtual Desktop configuration tied to host pools and application groups (app groups)
Suggested solution: See Azure Virtual Desktop PowerShell, or open an Azure support request, select Azure Virtual Desktop for the service, then select the appropriate problem type.

Issue: Deploying and managing FSLogix Profile Containers
Suggested solution: See the Troubleshooting guide for FSLogix products. If that doesn't resolve the issue, open an Azure support request, select Azure Virtual Desktop for the service, select FSLogix for the problem type, then select the appropriate problem subtype.

Issue: Remote Desktop clients malfunction on start
Suggested solution: See Troubleshoot the Remote Desktop client. If that doesn't resolve the issue, open an Azure support request, select Azure Virtual Desktop for the service, then select Remote Desktop clients for the problem type. If it's a network issue, your users need to contact their network administrator.

Issue: Connected but no feed
Suggested solution: Troubleshoot using the "User connects but nothing is displayed (no feed)" section of Azure Virtual Desktop service connections. If your users have been assigned to an application group, open an Azure support request, select Azure Virtual Desktop for the service, then select Remote Desktop Clients for the problem type.

Issue: Feed discovery problems due to the network
Suggested solution: Your users need to contact their network administrator.

Issue: Connecting clients
Suggested solution: See Azure Virtual Desktop service connections. If that doesn't solve your issue, see Session host virtual machine configuration.

Issue: Responsiveness of remote applications or desktop
Suggested solution: If issues are tied to a specific application or product, contact the team responsible for that product.

Issue: Licensing messages or errors
Suggested solution: If issues are tied to a specific application or product, contact the team responsible for that product.

Issue: Issues with third-party authentication methods or tools
Suggested solution: Verify that your third-party provider supports Azure Virtual Desktop scenarios and approach them regarding any known issues.

Issue: Issues using Log Analytics for Azure Virtual Desktop
Suggested solution: For issues with the diagnostics schema, open an Azure support request. For queries, visualization, or other issues in Log Analytics, select the appropriate problem type under Log Analytics.

Issue: Issues using Microsoft 365 apps
Suggested solution: Contact the Microsoft 365 admin center with one of the Microsoft 365 admin center help options.

Next steps
To troubleshoot issues while creating a host pool in an Azure Virtual Desktop
environment, see host pool creation.
To troubleshoot issues while configuring a virtual machine (VM) in Azure Virtual
Desktop, see Session host virtual machine configuration.
To troubleshoot issues related to the Azure Virtual Desktop agent or session
connectivity, see Troubleshoot common Azure Virtual Desktop Agent issues.
To troubleshoot issues with Azure Virtual Desktop client connections, see Azure
Virtual Desktop service connections.
To troubleshoot issues with Remote Desktop clients, see Troubleshoot the Remote
Desktop client.
To troubleshoot issues when using PowerShell with Azure Virtual Desktop, see
Azure Virtual Desktop PowerShell.
To learn more about the service, see Azure Virtual Desktop environment.
To go through a troubleshoot tutorial, see Tutorial: Troubleshoot Resource
Manager template deployments.
To learn about auditing actions, see Audit operations with Resource Manager.
To learn about actions to determine errors during deployment, see View
deployment operations.
Host pool creation
Article • 03/31/2023

Important

This content applies to Azure Virtual Desktop with Azure Resource Manager Azure
Virtual Desktop objects. If you're using Azure Virtual Desktop (classic) without
Azure Resource Manager objects, see this article.

This article covers issues during the initial setup of the Azure Virtual Desktop tenant and
the related session host pool infrastructure.

Provide feedback
Visit the Azure Virtual Desktop Tech Community to discuss the Azure Virtual Desktop
service with the product team and active community members.

Acquiring the Windows 10 Enterprise multi-session image

To use the Windows 10 Enterprise multi-session image, go to the Azure Marketplace,
select Get Started > Microsoft Windows 10 > Windows 10 Enterprise multi-session,
Version 1809.

Issues with using the Azure portal to create host pools

Error: "Create a free account" appears when accessing the service

Cause: There aren't active subscriptions in the account you signed in to Azure with, or
the account doesn't have permissions to view the subscriptions.

Fix: Sign in to the subscription where you'll deploy the session host virtual machines
(VMs) with an account that has at least contributor-level access.

Error: "Exceeding quota limit"

If your operation goes over the quota limit, you can do one of the following things:

Create a new host pool with the same parameters but fewer VMs and VM cores.

Open the link you see in the statusMessage field in a browser to submit a request
to increase the quota for your Azure subscription for the specified VM SKU.

Error: Can't see user assignments in application groups.

Cause: This error usually happens after you've moved the subscription from one Azure
Active Directory tenant to another. If your old assignments are still tied to the previous
Azure Active Directory tenant, the Azure portal will lose track of them.

Fix: You'll need to reassign users to application groups.

I don't see the Azure region I want to use when selecting the location for my service objects

Cause: Azure doesn't currently support that region for the Azure Virtual Desktop service.
To learn about which geographies we support, check out Data locations. If Azure Virtual
Desktop supports the location but it still doesn't appear when you're trying to select a
location, that means your resource provider hasn't updated yet.

Fix: To get the latest list of regions, re-register the resource provider:

1. Go to Subscriptions and select the relevant subscription.

2. Select Resource providers.

3. Select Microsoft.DesktopVirtualization, then select Re-register from the action
menu.

When you re-register the resource provider, you won't see any specific UI feedback or
update statuses. The re-registration process also won't interfere with your existing
environments.
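Because the portal gives no feedback on re-registration, it helps to do it where the state is visible. The following PowerShell is an added example (not from the Azure Virtual Desktop documentation) that reads the provider's registration state and the regions it currently exposes for host pools, re-registers it, polls until the state is back to Registered, and reports any regions that appeared. It assumes the Az.Resources module and a Connect-AzAccount session.

```powershell
# Added example, not from the Azure Virtual Desktop docs.
# Assumes: Az.Resources, Connect-AzAccount already run against the subscription in question.

$ns = 'Microsoft.DesktopVirtualization'

function Get-WvdProviderInfo {
    # Get-AzResourceProvider returns one entry per resource type; each carries the provider-wide state.
    $entries   = Get-AzResourceProvider -ProviderNamespace $ns
    $hostPools = $entries | Where-Object { $_.ResourceTypes.ResourceTypeName -eq 'hostpools' }
    [pscustomobject]@{
        RegistrationState = $entries[0].RegistrationState
        HostPoolLocations = @($hostPools.Locations | Sort-Object)
    }
}

$before = Get-WvdProviderInfo
"State before: $($before.RegistrationState)"
"Regions listed for hostpools: $($before.HostPoolLocations -join ', ')"

# Re-register: safe on an already registered provider and does not touch existing resources.
Register-AzResourceProvider -ProviderNamespace $ns | Out-Null
do {
    Start-Sleep -Seconds 10
    $state = (Get-AzResourceProvider -ProviderNamespace $ns)[0].RegistrationState
    "State: $state"
} while ($state -ne 'Registered')

$after = Get-WvdProviderInfo
$new = $after.HostPoolLocations | Where-Object { $_ -notin $before.HostPoolLocations }
if ($new) { "Newly listed regions: $($new -join ', ')" }
else      { 'No new regions listed; the region is not yet supported for the service.' }
```

If the region still is not listed after re-registration, the cause is the first one named above (the service does not support that region yet), not a stale provider.
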

Azure Resource Manager template errors

Follow these instructions to troubleshoot unsuccessful deployments of Azure Resource
Manager templates and PowerShell DSC.

1. Review errors in the deployment using View deployment operations with Azure
Resource Manager.

2. If there are no errors in the deployment, review errors in the activity log using View
activity logs to audit actions on resources.

3. Once the error is identified, use the error message and the resources in
Troubleshoot common Azure deployment errors with Azure Resource Manager to
address the issue.

4. Delete any resources created during the previous deployment and redeploy the
template.
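Steps 1 and 2 above can be done from PowerShell, which also unwraps the nested JSON that the raw errors later in this article show. The following script is an added example (not from the Azure Virtual Desktop documentation): it lists the failed operations of a deployment with the inner error code and message, surfaces the VM extension's own message where one exists, and falls back to the activity log when nothing failed at the deployment level. It assumes the Az.Resources and Az.Monitor modules (with the flattened ProvisioningState, StatusMessage and TargetResource properties that current Az.Resources versions expose on deployment operations) and a Connect-AzAccount session; the resource group and deployment names are placeholders.

```powershell
# Added example, not from the Azure Virtual Desktop docs.
# Assumes: Az.Resources + Az.Monitor, Connect-AzAccount already run. Names below are placeholders.

$rgName         = 'rg-avd-hostpool'     # assumption
$deploymentName = 'HostPoolDeployment'  # assumption: as shown under Deployments on the resource group

function Get-FailedDeploymentOperations {
    param([string] $ResourceGroupName, [string] $DeploymentName)
    Get-AzResourceGroupDeploymentOperation -ResourceGroupName $ResourceGroupName -DeploymentName $DeploymentName |
        Where-Object { $_.ProvisioningState -eq 'Failed' } |
        ForEach-Object {
            # StatusMessage is a JSON string in some Az versions and an already parsed object in others.
            $sm = $_.StatusMessage
            if ($sm -is [string]) { try { $sm = $sm | ConvertFrom-Json } catch { } }
            $inner = if ($sm.error) { "$($sm.error.code): $($sm.error.message)" } else { "$sm" }
            # VM extension failures (joindomain, dscextension) nest one level deeper; pull that message out.
            $ext = $sm.error.details | Where-Object { $_.code -eq 'VMExtensionProvisioningError' } | Select-Object -First 1
            [pscustomobject]@{
                Resource  = $_.TargetResource
                Status    = $_.StatusCode
                Error     = $inner
                Extension = if ($ext) { $ext.message } else { '' }
            }
        }
}

$failed = @(Get-FailedDeploymentOperations -ResourceGroupName $rgName -DeploymentName $deploymentName)
if ($failed.Count -gt 0) {
    $failed | Format-List
}
else {
    # Step 2: nothing failed at the deployment level, so look for failed actions in the activity log.
    Get-AzActivityLog -ResourceGroupName $rgName -StartTime (Get-Date).AddDays(-1) -Status Failed |
        Select-Object EventTimestamp, OperationName, SubStatus, Caller, ResourceId |
        Format-Table -AutoSize
}
```

The Extension column is the text you match against the error sections that follow; the Caller column in the activity log view tells you which identity performed the failed action, which matters when a service principal rather than an admin ran the deployment.
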

Error: Your deployment failed….<hostname>/joindomain

Example of raw error:

Error

{"code":"DeploymentFailed","message":"At least one resource deployment


operation failed. Please list deployment operations for details.
Please see https://aka.ms/arm-debug for usage details.","details":
[{"code":"Conflict","message":"{\r\n \"status\": \"Failed\",\r\n \"error\":
{\r\n \"code\": \"ResourceDeploymentFailure\",\r\n \"message\": \"The
resource operation completed with terminal provisioning state 'Failed'.
\",\r\n \"details\": [\r\n {\r\n \"code\":
\"VMExtensionProvisioningError\",\r\n \"message\": \"VM has reported a
failure when processing
extension 'joindomain'. Error message: \\\"Exception(s) occurred while
joining Domain 'diamondsg.onmicrosoft.com'\\\".\"\r\n }\r\n ]\r\n }\r\n}"}]}

Cause 1: Credentials provided for joining VMs to the domain are incorrect.

Fix 1: See the "Incorrect credentials" error for VMs are not joined to the domain in
Session host VM configuration.

Cause 2: Domain name doesn't resolve.

Fix 2: See Error: Domain name doesn't resolve in Session host VM configuration.

Cause 3: Your virtual network (VNet) DNS configuration is set to Default, so the session
host can't resolve your Active Directory domain.

To fix this, do the following things:

1. Open the Azure portal and go to the Virtual networks tab.

2. Find your VNet, then select DNS servers.

3. The DNS servers menu should appear on the right side of your screen. On that
menu, select Custom.

4. Make sure the DNS servers listed under Custom match your domain controller or
Active Directory domain. If you don't see your DNS server, you can add it by
entering its value into the Add DNS server field.
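The three joindomain causes above can be checked before you redeploy. The following PowerShell is an added example (not from the Azure Virtual Desktop documentation) that verifies the VNet's DNS servers are custom and include your domain controllers (fixing them if the VNet is still on Default), resolves the domain against those DNS servers, and tests the ports a domain join needs. It assumes the Az.Network module, a Connect-AzAccount session, and that the machine running it can reach the domain controllers (run it from a VM in the VNet if your workstation can't). VNet, domain and IP values are placeholders.

```powershell
# Added example, not from the Azure Virtual Desktop docs.
# Assumes: Az.Network, Connect-AzAccount already run, network reachability to the DCs from this machine.

$vnetName = 'vnet-avd'                  # assumption
$vnetRg   = 'rg-avd-network'            # assumption
$domain   = 'corp.contoso.com'          # assumption: the AD DS domain the session hosts join
$dcIps    = @('10.0.0.4', '10.0.0.5')   # assumption: domain controller / DNS server addresses

# Cause 3: VNet DNS is Default (Azure-provided) and cannot resolve a private AD domain.
$vnet = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $vnetRg
$currentDns = @($vnet.DhcpOptions.DnsServers | Where-Object { $_ })
if ($currentDns.Count -eq 0) {
    "VNet DNS is Default; session hosts will not find $domain. Switching to custom DNS: $($dcIps -join ', ')"
    if (-not $vnet.DhcpOptions) {
        $vnet.DhcpOptions = New-Object Microsoft.Azure.Commands.Network.Models.PSDhcpOptions   # assumption: type name in Az.Network
    }
    $vnet.DhcpOptions.DnsServers = $dcIps
    $vnet | Set-AzVirtualNetwork | Out-Null
    'Custom DNS set. Restart or re-create session hosts so they pick up the new DHCP options.'
} else {
    "VNet DNS servers: $($currentDns -join ', ')"
    $missing = $dcIps | Where-Object { $_ -notin $currentDns }
    if ($missing) { "Warning: these DCs are not listed as DNS servers: $($missing -join ', ')" }
}

# Cause 2: the domain name doesn't resolve. Query each DC's DNS directly so the answer reflects what a
# session host using the custom DNS will get.
foreach ($dc in $dcIps) {
    try {
        $a = Resolve-DnsName -Name $domain -Server $dc -Type A -ErrorAction Stop
        "$domain resolves via $dc to $((($a | Where-Object Type -eq 'A').IPAddress) -join ', ')"
    } catch {
        "DNS at $dc cannot resolve $domain : $($_.Exception.Message)"
    }
}

# Ports a domain join uses: Kerberos (88), RPC endpoint mapper (135), LDAP (389), SMB (445).
# A block here points at an NSG or firewall rule, not at the credentials of Cause 1.
foreach ($dc in $dcIps) {
    foreach ($port in 88, 135, 389, 445) {
        $ok = (Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
        '{0}:{1,-4} {2}' -f $dc, $port, $(if ($ok) { 'open' } else { 'BLOCKED' })
    }
}
```

If DNS and ports check out and the join still fails, Cause 1 (credentials) is what remains: confirm the join account is allowed to add computer objects to the target OU, and prefer a dedicated least-privilege join account over a domain admin.
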

Error: Your deployment failed...\Unauthorized

Error

{"code":"DeploymentFailed","message":"At least one resource deployment


operation failed. Please list deployment operations for details. Please see
https://aka.ms/arm-debug for usage details.","details":
[{"code":"Unauthorized","message":"{\r\n \"Code\": \"Unauthorized\",\r\n
\"Message\": \"The scale operation is not allowed for this subscription in
this region. Try selecting different region or scale option.\",\r\n
\"Target\": null,\r\n \"Details\": [\r\n {\r\n \"Message\": \"The scale
operation is not allowed for this subscription in this region. Try selecting
different region or scale option.\"\r\n },\r\n {\r\n \"Code\":
\"Unauthorized\"\r\n },\r\n {\r\n \"ErrorEntity\": {\r\n \"ExtendedCode\":
\"52020\",\r\n \"MessageTemplate\": \"The scale operation is not allowed for
this subscription in this region. Try selecting different region or scale
option.\",\r\n \"Parameters\": [\r\n \"default\"\r\n ],\r\n \"Code\":
\"Unauthorized\",\r\n \"Message\": \"The scale operation is not allowed for
this subscription in this region. Try selecting different region or scale
option.\"\r\n }\r\n }\r\n ],\r\n \"Innererror\": null\r\n}"}]}

Cause: The subscription you're using is a type that can't access required features in the
region where you're trying to deploy. For example, MSDN, Free, or Education
subscriptions can show this error.

Fix: Change your subscription type or region to one that can access the required
features.

Error: VMExtensionProvisioningError

Cause 1: Transient error with the Azure Virtual Desktop environment.

Cause 2: Transient error with the connection.

Fix: Confirm that the Azure Virtual Desktop environment is healthy by signing in using
PowerShell. Then finish the VM registration manually by following Create a host pool
with PowerShell.

Error: The Admin Username specified isn't allowed

Example of raw error:

Error

{ …{ "provisioningOperation":
"Create", "provisioningState": "Failed", "timestamp": "2019-01-
29T20:53:18.904917Z", "duration": "PT3.0574505S", "trackingId":
"1f460af8-34dd-4c03-9359-9ab249a1a005", "statusCode": "BadRequest",
"statusMessage": { "error": { "code": "InvalidParameter", "message":
"The Admin Username specified is not allowed.", "target": "adminUsername" }
… }

Cause: The username provided contains a forbidden substring (admin, administrator,
root).

Fix: Use a different admin username.

Error: VM has reported a failure when processing extension

Example of raw error:

Error

{ … "code": "ResourceDeploymentFailure", "message":


"The resource operation completed with terminal provisioning state
'Failed'.", "details": [ { "code":
"VMExtensionProvisioningError", "message": "VM has reported a failure when
processing extension 'dscextension'.
Error message: \"DSC Configuration 'SessionHost' completed with error(s).
Following are the first few:
PowerShell DSC resource MSFT_ScriptResource failed to execute Set-
TargetResource functionality with error message:
One or more errors occurred. The SendConfigurationApply function did not
succeed.\"." } ] … }

Cause: PowerShell DSC extension was not able to get admin access on the VM.

Fix: Confirm username and password have administrative access on the virtual machine
and run the Azure Resource Manager template again.

Error: DeploymentFailed – PowerShell DSC Configuration 'FirstSessionHost' completed with Error(s)

Example of raw error:

Error

{
"code": "DeploymentFailed",
"message": "At least one resource deployment operation failed. Please
list
deployment operations for details. 4 Please see https://aka.ms/arm-debug
for usage details.",
"details": [
{ "code": "Conflict",
"message": "{\r\n \"status\": \"Failed\",\r\n \"error\": {\r\n
\"code\":
\"ResourceDeploymentFailure\",\r\n \"message\": \"The resource
operation completed with terminal provisioning state
'Failed'.\",\r\n
\"details\": [\r\n {\r\n \"code\":
\"VMExtensionProvisioningError\",\r\n \"message\": \"VM has
reported a failure when processing extension 'dscextension'.
Error message: \\\"DSC Configuration 'FirstSessionHost'
completed with error(s). Following are the first few:
PowerShell DSC resource MSFT ScriptResource failed to
execute Set-TargetResource functionality with error message:
One or more errors occurred. The SendConfigurationApply
function did not succeed.\\\".\"\r\n }\r\n ]\r\n }\r\n}" }

Cause: PowerShell DSC extension was not able to get admin access on the VM.

Fix: Confirm username and password provided have administrative access on the virtual
machine and run the Azure Resource Manager template again.
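The extension errors in this and the preceding sections are easier to read from the extension's own instance view than from the wrapped deployment JSON. The following PowerShell is an added example (not from the Azure Virtual Desktop documentation) that reports the status and sub-status messages of every extension on every VM in a resource group, so you can see whether joindomain or dscextension failed and what DSC reported; the same report shows a VM that already carries a Microsoft.Powershell.DSC extension, which is the conflict the quickstart troubleshooting section later describes. It assumes the Az.Compute module and a Connect-AzAccount session; the resource group is a placeholder.

```powershell
# Added example, not from the Azure Virtual Desktop docs.
# Assumes: Az.Compute, Connect-AzAccount already run. Resource group name is a placeholder.

function Get-VmExtensionReport {
    param([Parameter(Mandatory)][string] $ResourceGroupName)
    foreach ($vm in Get-AzVM -ResourceGroupName $ResourceGroupName) {
        # -Status adds the instance view: Statuses is the overall result, SubStatuses the detail
        # (for DSC, the first few failing resources, matching the text in the raw errors above).
        foreach ($ext in Get-AzVMExtension -ResourceGroupName $ResourceGroupName -VMName $vm.Name -Status) {
            $detail = ($ext.SubStatuses | ForEach-Object { $_.Message }) -join ' | '
            [pscustomobject]@{
                VM        = $vm.Name
                Extension = $ext.Name
                Type      = "$($ext.Publisher)/$($ext.ExtensionType)"
                State     = $ext.ProvisioningState
                Status    = ($ext.Statuses | ForEach-Object { "$($_.Code): $($_.Message)" }) -join ' | '
                Detail    = if ($detail.Length -gt 400) { $detail.Substring(0, 400) + '...' } else { $detail }
            }
        }
    }
}

$report = Get-VmExtensionReport -ResourceGroupName 'rg-avd-hostpool'   # assumption

# Anything not Succeeded is a candidate for the error sections on this page.
$report | Where-Object State -ne 'Succeeded' | Format-List

# A pre-existing DSC extension (the quickstart's easy-button-prerequisite-user-setup conflict).
$report | Where-Object Type -eq 'Microsoft.Powershell/DSC' | Format-Table VM, Extension, State -AutoSize
```

When Detail is truncated or empty, the full DSC log on the VM is under C:\WindowsAzure\Logs\Plugins\Microsoft.Powershell.DSC\<version>, the path the "Error downloading" message below also points to.
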

Error: DeploymentFailed – InvalidResourceReference

Example of raw error:

Error

{"code":"DeploymentFailed","message":"At least one resource deployment
operation
failed. Please list deployment operations for details. Please see
https://aka.ms/arm-
debug for usage details.","details":[{"code":"Conflict","message":"{\r\n
\"status\":
\"Failed\",\r\n \"error\": {\r\n \"code\":
\"ResourceDeploymentFailure\",\r\n
\"message\": \"The resource operation completed with terminal provisioning
state
'Failed'.\",\r\n \"details\": [\r\n {\r\n \"code\":
\"DeploymentFailed\",\r\n
\"message\": \"At least one resource deployment operation failed. Please
list
deployment operations for details. Please see https://aka.ms/arm-debug for
usage
details.\",\r\n \"details\": [\r\n {\r\n \"code\": \"BadRequest\",\r\n
\"message\":
\"{\\r\\n \\\"error\\\": {\\r\\n \\\"code\\\":
\\\"InvalidResourceReference\\\",\\r\\n
\\\"message\\\": \\\"Resource /subscriptions/EXAMPLE/resourceGroups/ernani-
wvd-
demo/providers/Microsoft.Network/virtualNetworks/wvd-vnet/subnets/default
referenced by resource /subscriptions/EXAMPLE/resourceGroups/ernani-wvd-
demo/providers/Microsoft.Network/networkInterfaces/erd. Please make sure
that
the referenced resource exists, and that both resources are in the same
region.\\\",\\r\\n\\\"details\\\": []\\r\\n }\\r\\n}\"\r\n }\r\n ]\r\n }\r\n
]\r\n }\r\n}"}]}

Cause: Part of the resource group name is used for certain resources being created by
the template. Due to the name matching existing resources, the template may select an
existing resource from a different group.

Fix: When running the Azure Resource Manager template to deploy session host VMs,
make the first two characters unique for your subscription resource group name.

Error: DeploymentFailed – InvalidResourceReference

Example of raw error:

Error

{"code":"DeploymentFailed","message":"At least one resource deployment


operation
failed. Please list deployment operations for details. Please see
https://aka.ms/arm-
debug for usage details.","details":[{"code":"Conflict","message":"{\r\n
\"status\":
\"Failed\",\r\n \"error\": {\r\n \"code\":
\"ResourceDeploymentFailure\",\r\n
\"message\": \"The resource operation completed with terminal provisioning
state
'Failed'.\",\r\n \"details\": [\r\n {\r\n \"code\":
\"DeploymentFailed\",\r\n
\"message\": \"At least one resource deployment operation failed. Please
list
deployment operations for details. Please see https://aka.ms/arm-debug for
usage
details.\",\r\n \"details\": [\r\n {\r\n \"code\": \"BadRequest\",\r\n
\"message\":
\"{\\r\\n \\\"error\\\": {\\r\\n \\\"code\\\":
\\\"InvalidResourceReference\\\",\\r\\n
\\\"message\\\": \\\"Resource /subscriptions/EXAMPLE/resourceGroups/ernani-
wvd-
demo/providers/Microsoft.Network/virtualNetworks/wvd-vnet/subnets/default
referenced by resource
/subscriptions/EXAMPLE/resourceGroups/DEMO/providers/Microsoft.Network/netwo
rkInterfaces
/EXAMPLE was not found. Please make sure that the referenced resource
exists, and that both
resources are in the same region.\\\",\\r\\n \\\"details\\\": []\\r\\n
}\\r\\n}\"\r\n
}\r\n ]\r\n }\r\n ]\r\n }\r\n\

Cause: This error is because the NIC created with the Azure Resource Manager template
has the same name as another NIC already in the VNET.

Fix: Use a different host prefix.

Error: DeploymentFailed – Error downloading

Example of raw error:

Error

\\\"The DSC Extension failed to execute: Error downloading


https://catalogartifact.azureedge.net/publicartifacts/rds.wvd-provision-
host-pool-
2dec7a4d-006c-4cc0-965a-02bbe438d6ff-prod
/Artifacts/DSC/Configuration.zip after 29 attempts: The remote name could
not be
resolved: 'catalogartifact.azureedge.net'.\\nMore information about the
failure can
be found in the logs located under
'C:\\\\WindowsAzure\\\\Logs\\\\Plugins\\\\Microsoft.Powershell.DSC\\\\2.77.0
.0' on
the VM.\\\"
Cause: This error is due to a static route, firewall rule, or NSG blocking the download of
the zip file tied to the Azure Resource Manager template. In the example, the VM can't
even resolve catalogartifact.azureedge.net, so name resolution is blocked as well.

Fix: Change the blocking static route, firewall rule, or NSG so that the endpoints on the
Safe URL list, including catalogartifact.azureedge.net, are reachable; allow the specific
destinations rather than removing the control outright. Optionally, open the Azure
Resource Manager template JSON file in a text editor, take the link to the zip file, and
download the resource to an allowed location.
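This error and the Advisor recommendation "Not enough links are unblocked to successfully implement your VM" have the same root: outbound reachability to the endpoints on the Safe URL list. The following PowerShell is an added example (not from the Azure Virtual Desktop documentation) to run on a session host, or on a VM in the same subnet and NSG, that tests DNS resolution and TCP reachability for a set of those endpoints. The list in the script is a subset I've included as an assumption for illustration; take the current, complete list from the Safe URL list article, because it changes and differs between clouds. The hostname rdbroker.wvd.microsoft.com stands in for the *.wvd.microsoft.com wildcard and is also an assumption.

```powershell
# Added example, not from the Azure Virtual Desktop docs. Run on a session host or a VM in the same subnet.
# Assumes: Windows PowerShell with the DnsClient and NetTCPIP modules (Resolve-DnsName, Test-NetConnection).
# The endpoint list is an illustrative subset; the Safe URL list is authoritative.

$checks = @(
    @{ HostName = 'login.microsoftonline.com';            Port = 443  },
    @{ HostName = 'rdbroker.wvd.microsoft.com';           Port = 443  },   # assumption: one *.wvd.microsoft.com host
    @{ HostName = 'catalogartifact.azureedge.net';        Port = 443  },   # the host the DSC download above could not resolve
    @{ HostName = 'gcs.prod.monitoring.core.windows.net'; Port = 443  },
    @{ HostName = 'azkms.core.windows.net';               Port = 1688 },   # KMS activation
    @{ HostName = 'kms.core.windows.net';                 Port = 1688 },
    @{ HostName = '169.254.169.254';                      Port = 80   },   # instance metadata
    @{ HostName = '168.63.129.16';                        Port = 80   }    # Azure wire server
)

function Test-AvdEndpoint {
    param([string] $HostName, [int] $Port)
    $resolved = 'n/a'
    if ($HostName -notmatch '^\d{1,3}(\.\d{1,3}){3}$') {
        try {
            $resolved = (Resolve-DnsName -Name $HostName -Type A -ErrorAction Stop |
                         Where-Object Type -eq 'A' | Select-Object -First 1).IPAddress
        } catch {
            # DNS failure is the "remote name could not be resolved" case from the raw error above.
            return [pscustomobject]@{ HostName = $HostName; Port = $Port; Dns = 'FAIL'; Tcp = 'skipped'; Note = $_.Exception.Message }
        }
    }
    $tcp = Test-NetConnection -ComputerName $HostName -Port $Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        HostName = $HostName
        Port     = $Port
        Dns      = $resolved
        Tcp      = if ($tcp.TcpTestSucceeded) { 'open' } else { 'BLOCKED' }
        Note     = if ($tcp.TcpTestSucceeded) { '' } else { 'check NSG outbound rules, UDR/static routes and firewall FQDN rules' }
    }
}

$results = $checks | ForEach-Object { Test-AvdEndpoint -HostName $_.HostName -Port $_.Port }
$results | Format-Table -AutoSize
if ($results | Where-Object { $_.Dns -eq 'FAIL' -or $_.Tcp -eq 'BLOCKED' }) {
    'One or more required endpoints are blocked; allow them before redeploying.'
}
```

On Azure Firewall, the WindowsVirtualDesktop FQDN tag and the service tags mentioned in the Advisor section cover these destinations without hand-maintaining the list; the script is still useful to confirm the rule actually applies to the subnet the session hosts sit in.
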

Error: Can't delete a session host from the host pool after deleting the VM

Cause: The VM was deleted while its session host registration still existed in the host
pool. You need to remove the session host from the host pool before you delete the VM.

Fix: Put the session host in drain mode, sign out all users from the session host, then
delete the session host. Delete the VM only after that.
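The fix above is an ordered sequence, and doing it by hand is how the VM ends up deleted first. The following PowerShell is an added example (not from the Azure Virtual Desktop documentation) that drains the session host, warns and then signs out any remaining users, removes the session host from the host pool, and only then deletes the VM. It assumes the Az.DesktopVirtualization and Az.Compute modules and a Connect-AzAccount session; the resource group, host pool, session host and VM names are placeholders.

```powershell
# Added example, not from the Azure Virtual Desktop docs.
# Assumes: Az.DesktopVirtualization + Az.Compute, Connect-AzAccount already run. Names are placeholders.

$rgName       = 'rg-avd-hostpool'              # assumption
$hostPoolName = 'hp-prod-01'                   # assumption
$sessionHost  = 'avd-sh-03.corp.contoso.com'   # assumption: the name as listed by Get-AzWvdSessionHost
$vmName       = 'avd-sh-03'                    # assumption: the VM behind that session host
$graceSeconds = 300

# 1. Drain mode: the broker stops sending new sessions to this host.
Update-AzWvdSessionHost -ResourceGroupName $rgName -HostPoolName $hostPoolName -Name $sessionHost -AllowNewSession:$false | Out-Null

# 2. Warn anyone still connected, wait, then sign them out. Session Name is "<hostpool>/<host>/<id>".
$sessions = @(Get-AzWvdUserSession -ResourceGroupName $rgName -HostPoolName $hostPoolName -SessionHostName $sessionHost)
foreach ($s in $sessions) {
    $sessionId = ($s.Name -split '/')[-1]
    Send-AzWvdUserSessionMessage -ResourceGroupName $rgName -HostPoolName $hostPoolName -SessionHostName $sessionHost `
        -UserSessionId $sessionId -MessageTitle 'Maintenance' `
        -MessageBody "This host is being retired in $([int]($graceSeconds / 60)) minutes. Save your work and sign out."
}
if ($sessions.Count -gt 0) { Start-Sleep -Seconds $graceSeconds }
foreach ($s in $sessions) {
    $sessionId = ($s.Name -split '/')[-1]
    Remove-AzWvdUserSession -ResourceGroupName $rgName -HostPoolName $hostPoolName -SessionHostName $sessionHost -Id $sessionId
}

# 3. Remove the session host registration from the host pool. Do this before touching the VM.
Remove-AzWvdSessionHost -ResourceGroupName $rgName -HostPoolName $hostPoolName -Name $sessionHost

# 4. Only now delete the VM. Its OS disk and NIC are separate resources; remove them too if unneeded.
Remove-AzVM -ResourceGroupName $rgName -Name $vmName -Force
```

If the VM is already gone, step 3 is still the right call: Remove-AzWvdSessionHost deletes the stale registration, and the steps before it simply find no sessions.
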

Next steps
For an overview on troubleshooting Azure Virtual Desktop and the escalation
tracks, see Troubleshooting overview, feedback, and support.
To troubleshoot issues while configuring a virtual machine (VM) in Azure Virtual
Desktop, see Session host virtual machine configuration.
To troubleshoot issues related to the Azure Virtual Desktop agent or session
connectivity, see Troubleshoot common Azure Virtual Desktop Agent issues.
To troubleshoot issues with Azure Virtual Desktop client connections, see Azure
Virtual Desktop service connections.
To troubleshoot issues with Remote Desktop clients, see Troubleshoot the Remote
Desktop client
To troubleshoot issues when using PowerShell with Azure Virtual Desktop, see
Azure Virtual Desktop PowerShell.
To learn more about the service, see Azure Virtual Desktop environment.
To go through a troubleshoot tutorial, see Tutorial: Troubleshoot Resource
Manager template deployments.
To learn about auditing actions, see Audit operations with Resource Manager.
To learn about actions to determine the errors during deployment, see View
deployment operations.
Troubleshoot the Azure Virtual Desktop quickstart
Article • 05/07/2024

The Azure Virtual Desktop quickstart uses nested templates to deploy Azure resources
for validation and automation in Azure Virtual Desktop. The quickstart creates either two
or three resource groups, depending on whether the subscription it runs in already has
Active Directory Domain Services (AD DS) or Microsoft Entra Domain Services. All
resource groups start with the same user-defined prefix.

When you run the nested templates, they create up to three resource groups and, in
each, run templates that provision Azure Resource Manager resources. The following lists
show each resource group and the templates it runs.

The resource group that ends in "-deployment" runs these templates:

easy-button-roleassignment-job-linked-template
easy-button-prerequisitecompletion-job-linked-template
easy-button-prerequisite-job-linked-template
easy-button-inputvalidation-job-linked-template
easy-button-deploymentResources-linked-template
easy-button-prerequisite-user-setup-linked-template

Note

The easy-button-prerequisite-user-setup-linked-template is optional and will only
appear if you created a validation user.

The resource group that ends in "-wvd" runs these templates:

NSG-linkedTemplate
vmCreation-linkedTemplate
Workspace-linkedTemplate
wvd-resources-linked-template
easy-button-wvdsetup-linked-template

The resource group that ends in "-prerequisite" runs these templates:

easy-button-prerequisite-resources-linked-template

Note

This resource group is optional, and will only appear if your subscription doesn't
have Microsoft Entra Domain Services or AD DS.

No subscriptions

You see an error message that says "no subscriptions" when opening the quickstart.
This happens when you try to open the feature without an active Azure subscription.

To fix this issue, check whether the affected user has access to an active Azure
subscription. If they don't, assign the user the Owner role-based access control (RBAC)
role on the subscription the quickstart will use. Owner is the most privileged built-in
role at subscription scope, so grant it on a subscription set aside for this deployment
and remove it once the quickstart is done.

You don't have permissions

This issue happens when you open the quickstart and get an error message that says,
"You don't have permissions." This message appears when the user running the feature
doesn't have Owner permissions on their active Azure subscription.

To fix this issue, sign in with an Azure account that has Owner permissions, then assign
the Owner RBAC role to the affected account.

Fields under the Virtual Machine tab are grayed out

This issue happens when you open the Virtual machine tab and see that the fields
under "Do you want users to share this machine?" are grayed out. This issue then
prevents you from changing the image type, selecting an image to use, or changing the
VM size.

This issue happens when you run the feature with a prefix that was already used to start
a deployment. When the feature creates a deployment, it creates an object to represent
the deployment in Azure. Certain values in the object, like the image, become attached
to that object to prevent multiple objects from using the same images.

To fix this issue, you can either delete all resource groups with the existing prefix or use
a new prefix.

Username must not include reserved words

This issue happens when the quickstart won't accept the new username you enter into
the field.

This error message appears because Azure doesn't allow certain words in usernames for
public endpoints. For a full list of blocked words, see Resolve reserved resource name
errors.

To resolve this issue, either try a new word or add letters to the blocked word to make it
unique. For example, if the word "admin" is blocked, try using "AVDadmin" instead.

The value must be between 12 and 72 characters long

This error message appears when you enter a password that is too long or too short to
meet the length requirement. Azure's password length and complexity requirements
apply even to fields that you later use in Windows, which has less strict requirements.

To resolve this issue, use a password that follows Microsoft's password guidelines, or
enforce them with Microsoft Entra Password Protection.

Error messages for easy-button-prerequisite-user-setup-linked-template

If the AD DS VM you're using already has an extension named Microsoft.Powershell.DSC
associated with it, you'll see an error message that looks like this:

azure

"error": {
"code": "DeploymentFailed",
"message": "At least one resource deployment operation failed.
Please list deployment operations for details. Please see
https://aka.ms/DeployOperations for usage details.",
"details": [
{
"code": "Conflict",
"message": "{\r\n \"status\": \"Failed\",\r\n \"error\":
{\r\n \"code\": \"ResourceDeploymentFailure\",\r\n \"message\": \"The
resource operation completed with terminal provisioning state
'Failed'.\",\r\n \"details\": [\r\n {\r\n \"code\":
\"VMExtensionProvisioningError\",\r\n \"message\": \"VM has reported
a failure when processing extension 'Microsoft.Powershell.DSC'. Error
message: \\\"DSC Configuration 'AddADDSUser' completed with error(s).
Following are the first few: PowerShell DSC resource MSFT_ScriptResource
failed to execute Set-TargetResource functionality with error message: Some
error occurred in DSC CreateUser SetScript: \\r\\n\\r\\nException
: Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException: Cannot
find an object with \\r\\n identity: 'Adam S' under:
'DC=GT090617,DC=onmicrosoft,DC=com'.\\r\\n at
Microsoft.ActiveDirectory.Management.Commands.ADFactoryUtil.GetObjectFromIde
ntitySearcher(\\r\\n ADObjectSearcher searcher,
ADEntity identityObj, String searchRoot, AttributeSetRequest attrs, \\r\\n
CmdletSessionInfo cmdletSessionInfo, String[]& warningMessages)\\r\\n
at \\r\\n
Microsoft.ActiveDirectory.Management.Commands.ADFactory`1.GetDirectoryObject
FromIdentity(T \\r\\n identityObj, String searchRoot,
Boolean showDeleted)\\r\\n at \\r\\n
Microsoft.ActiveDirectory.Management.Commands.SetADGroupMember`1.ValidateMem
bersParameter()\\r\\nTargetObject : Adam S\\r\\nCategoryInfo
: ObjectNotFound: (Adam S:ADPrincipal) [Add-ADGroupMember],
ADIdentityNotFoundException\\r\\nFullyQualifiedErrorId :
SetADGroupMember.ValidateMembersParameter,Microsoft.ActiveDirectory.Manageme
nt.Commands.AddADGro\\r\\n upMember\\r\\nErrorDetails
: \\r\\nInvocationInfo :
System.Management.Automation.InvocationInfo\\r\\nScriptStackTrace : at
<ScriptBlock>,
C:\\\\Packages\\\\Plugins\\\\Microsoft.Powershell.DSC\\\\2.83.1.0\\\\DSCWork
\\\\DSCADUserCreatio\\r\\n nScripts_2020-04-
28.2\\\\Script-CreateADDSUser.ps1: line 98\\r\\n at
<ScriptBlock>, <No file>: line 8\\r\\n at
ScriptExecutionHelper,
C:\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\Modules\\\\PSDesir
edStateConfi\\r\\n
guration\\\\DscResources\\\\MSFT_ScriptResource\\\\MSFT_ScriptResource.psm1:
line 270\\r\\n at Set-TargetResource,
C:\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\Modules\\\\PSDesir
edStateConfigur\\r\\n
ation\\\\DscResources\\\\MSFT_ScriptResource\\\\MSFT_ScriptResource.psm1:
line 144\\r\\nPipelineIterationInfo : {}\\r\\nPSMessageDetails :
\\r\\n\\r\\n\\r\\n\\r\\n The SendConfigurationApply function did not
succeed.\\\"\\r\\n\\r\\nMore information on troubleshooting is available at
https://aka.ms/VMExtensionDSCWindowsTroubleshoot \"\r\n }\r\n ]\r\n
}\r\n}"
}
]
}

To resolve this issue, uninstall the Microsoft.Powershell.DSC extension, then run the
quickstart again.
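The deployment errors in this and the following sections nest the real failure one or more levels deep: child errors sit under "details", and a child's "message" is often itself JSON text carrying the next level. The PowerShell helper below is an added example, not code from this article, that unwraps such an error object and lists the chain of codes; the error it parses is constructed here with the same shape as the DSC error above, not real output.

```powershell
# Added example, not part of the Azure Virtual Desktop documentation. Azure Resource
# Manager reports a failed deployment as nested errors: "details" holds child errors,
# and a child's "message" is often itself JSON text carrying the next level down.
# This helper walks both forms and emits one record per error code it finds.
function Expand-AzDeploymentError {
    param(
        [Parameter(Mandatory)] $ErrorObject,  # result of ConvertFrom-Json, or a nested piece of it
        [int] $Depth = 0
    )
    # Some payloads wrap the error in a top-level "error" property, some do not.
    $err = if ($null -ne $ErrorObject.error) { $ErrorObject.error } else { $ErrorObject }

    if ($null -ne $err.code) {
        [pscustomobject]@{ Depth = $Depth; Code = $err.code; Message = $err.message }
    }

    # Form 1: structured child errors under "details".
    foreach ($child in @($err.details)) {
        if ($null -ne $child) {
            Expand-AzDeploymentError -ErrorObject $child -Depth ($Depth + 1)
        }
    }

    # Form 2: the inner error serialized as JSON text inside "message".
    if ($err.message -is [string] -and $err.message.TrimStart().StartsWith('{')) {
        try {
            $inner = $err.message | ConvertFrom-Json -ErrorAction Stop
            Expand-AzDeploymentError -ErrorObject $inner -Depth ($Depth + 1)
        } catch {
            # The message only looked like JSON; the outer record was already emitted.
        }
    }
}

# Constructed sample with the same shape as the DSC error above (trimmed, not real output).
# A single-quoted here-string keeps the JSON escapes (\" and \r\n) intact for the parser.
$sampleError = @'
{
  "error": {
    "code": "DeploymentFailed",
    "message": "At least one resource deployment operation failed.",
    "details": [
      {
        "code": "Conflict",
        "message": "{\r\n \"status\": \"Failed\",\r\n \"error\": {\r\n \"code\": \"ResourceDeploymentFailure\",\r\n \"message\": \"The resource operation completed with terminal provisioning state 'Failed'.\",\r\n \"details\": [ { \"code\": \"VMExtensionProvisioningError\", \"message\": \"VM has reported a failure when processing extension 'Microsoft.Powershell.DSC'.\" } ]\r\n }\r\n}"
      }
    ]
  }
}
'@

$chain = Expand-AzDeploymentError -ErrorObject ($sampleError | ConvertFrom-Json)
$chain | Format-Table Depth, Code -AutoSize

# The deepest code is the one to look up in this article's sections.
$innermost = $chain | Sort-Object Depth | Select-Object -Last 1
"Innermost error: $($innermost.Code): $($innermost.Message)"
```

Paste the JSON from the portal's deployment error pane into the here-string to run it against a real failure.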

Error messages for easy-button-prerequisite-job-linked-template

If you see an error message like this, that means the resource operation for the easy-
button-prerequisite-job-linked-template template didn't complete successfully:

azure

{
"status": "Failed",
"error": {
"code": "DeploymentFailed",
"message": "At least one resource deployment operation failed.
Please list deployment operations for details. Please see
https://aka.ms/DeployOperations for usage details.",
"details": [
{
"code": "Conflict",
"message": "{\r\n \"status\": \"Failed\",\r\n \"error\":
{\r\n \"code\": \"ResourceDeploymentFailure\",\r\n \"message\": \"The
resource operation completed with terminal provisioning state
'Failed'.\"\r\n }\r\n}"
}
]
}
}

To make sure this is the issue you're dealing with:

1. Select easy-button-prerequisite-job-linked-template, then select Ok on the error
message window that pops up.

2. Go to <prefix>-deployment resource group and select resourceSetupRunbook.

3. Select the status, which should say Failed.

4. Select the Exception tab. You should see an error message that looks like this:

azure

The running command stopped because the preference variable
"ErrorActionPreference" or common parameter is set to Stop: Error while
creating and adding validation user <your-username-here> to group
<your-resource-group-here>

There currently isn't a way to fix this issue permanently. As a workaround, run the Azure
Virtual Desktop quickstart again, but this time don't create a validation user. After that,
create your new users with the manual process only.

Validate that the domain administrator UPN exists for a new profile

To check if the UPN address is causing the issue with the template:

1. Select easy-button-prerequisite-job-linked-template, then select the failed step and
confirm the error message.

2. Navigate to the <prefix>-deployment resource group and select resourceSetupRunbook.

3. Select the status, which should say Failed.

4. Select the Output tab.

If the UPN exists on your new subscription, there are two potential causes for the issue:

The quickstart didn't create the domain administrator profile, because the user
already exists. To resolve this, run the quickstart again, but this time enter a
username that doesn't already exist in your identity provider.
The quickstart didn't create the validation user profile. To resolve this issue, run the
quickstart again, but this time don't create any validation users. After that, create
new users with the manual process only.

Error messages for easy-button-inputvalidation-job-linked-template

If there's an issue with the easy-button-inputvalidation-job-linked-template template,
you'll see an error message that looks like this:

azure

{
"status": "Failed",
"error": {
"code": "ResourceDeploymentFailure",
"message": "The resource operation completed with terminal
provisioning state 'Failed'."
}
}

To make sure this is the issue you've encountered:

1. Open the <prefix>-deployment resource group and look for inputValidationRunbook.

2. Under recent jobs there will be a job with failed status. Click on Failed.

3. In the job details window, select Exception.

This error happens when the Azure admin UPN you entered isn't correct. To resolve this
issue, make sure you're entering the correct username and password, then try again.

Multiple VMExtensions per handler not supported

When you run the quickstart on a subscription that has Microsoft Entra Domain Services
or AD DS, then the feature will use a Microsoft.Powershell.DSC extension to create
validation users and configure FSLogix. However, Windows VMs in Azure can't run more
than one of the same type of extension at the same time.

If you try to run multiple versions of Microsoft.Powershell.DSC, you'll get an error
message that looks like this:

azure

{
"status": "Failed",
"error": {
"code": "BadRequest",
"message": "Multiple VMExtensions per handler not supported for OS
type 'Windows'. VMExtension 'Microsoft.Powershell.DSC' with handler
'Microsoft.Powershell.DSC' already added or specified in input."
}
}

To resolve this issue, before you run the quickstart, make sure to remove any currently
running instance of Microsoft.Powershell.DSC from the domain controller VM.

Failure in easy-button-prerequisitecompletion-job-linked-template

The user group for the validation users is located in the "USERS" container. However, the
user group must be synced to Microsoft Entra ID in order to work properly. If it isn't,
you'll get an error message that looks like this:

azure

{
"status": "Failed",
"error": {
"code": "ResourceDeploymentFailure",
"message": "The resource operation completed with terminal
provisioning state ‘Failed’."
}
}

To make sure the issue is caused by the validation user group not syncing, open the
<prefix>-prerequisites resource group and look for a file named
prerequisiteSetupCompletionRunbook. Select the runbook, then select All Logs.

To resolve this issue:

1. Enable syncing with Microsoft Entra ID for the "USERS" container.

2. Create the AVDValidationUsers group in an organizational unit that's syncing with
Azure.

Next steps
Learn more about the quickstart at Deploy Azure Virtual Desktop with the quickstart.


Troubleshoot session host update in Azure Virtual Desktop
Article • 10/22/2024

Important

Session host update for Azure Virtual Desktop is currently in PREVIEW. This preview
is provided as-is, with all faults and as available, and is excluded from the service-
level agreements (SLAs) or any limited warranties Microsoft provides for Azure
services in general availability. To register for the limited preview, complete this
form: https://forms.office.com/r/ZziQRGR1Lz.

See the Supplemental Terms of Use for Microsoft Azure Previews for legal
terms that apply to Azure features that are in beta, preview, or otherwise not yet
released into general availability.

Session host update in Azure Virtual Desktop enables you to easily update session host
virtual machines (VMs) in a host pool with a session host configuration. This article helps
troubleshoot some issues you could run into.

Session host configuration failed to create when creating a host pool

When a session host configuration is created, the parameters provided for the
configuration are checked during extended validation. Validation can fail if the service
concludes that it will be unable to successfully create session hosts with the provided
parameters. As the Azure resources are stored in your subscription, they can be
modified by other processes; session host creation can still fail using the session host
configuration even after this validation check is completed.

Here are some example failures:

VM availability: the combination of VM SKU name, region, availability zone, and
subscription isn't available. Some of the errors that can result include
VmSkuNotAvailableInRegion, VmSkuNotAvailableInRegionDueToRestriction, and
AvailabilityZoneNotAvailable. You need to review the availability of VM sizes and
availability zones for your chosen region and subscription quota and provide a
supported combination. Use the PowerShell cmdlet Get-AzComputeResourceSku
to identify the restrictions for a given combination of a VM SKU and region.

Parameter compatibility: the combination of VM SKU, disk, image, and virtual
network isn't compatible. Some of the errors that can result include
ComputeSkuIncompatibleWithImageHyperVGeneration, ImageDiskTypeIncompatible, and
VnetLocationIncompatible. Review the prerequisites for Azure Virtual Desktop to
ensure the provided parameters meet the requirements for session host creation.

If the session host configuration fails to create when creating a host pool, you aren't
able to create a session host configuration for this host pool using the Azure portal. You
can use PowerShell to create the session host configuration using the
New-AzWvdSessionHostConfiguration cmdlet. Alternatively, you can delete the host pool
and recreate it.

Error: SessionHostConfiguration doesn't exist

If you get the error Error: SessionHostConfiguration does not exist when using the
PowerShell cmdlet Get-AzWvdSessionHostConfiguration , create the session host
configuration using the New-AzWvdSessionHostConfiguration cmdlet.

Failed updates
When you update session hosts using session host update, it's possible that an
individual session host fails to update. In this case, session host update attempts to roll
back the update on that session host. The intention for the rollback is to maintain the
capacity of the entire host pool, even though this session host is rolled back to a
previous version of the session host configuration, rather than forcing the session host
to be unavailable and reducing the capacity of the host pool. Other session hosts in the
host pool that successfully updated aren't rolled back. Session hosts that didn't start
updating aren't updated.

Once a session host fails to update, session host update completes updating the current
batch of session hosts, then marks the update as failed. In this scenario, the only options
are to retry the update or cancel it. If you retry the update, session host update again
attempts to update the session hosts that failed, plus the remaining session hosts not
previously attempted. The existing batch size is used.

If a session host fails to roll back successfully, it isn't available to host sessions and
capacity is reduced. The session host isn't the same as the other session hosts in the
host pool and doesn't match the session host configuration. You should investigate why
the update of the session host failed and resolve the issue before scheduling a new
update. Once you schedule a new update, session host update attempts to update the
session hosts that failed so they all match, plus any session hosts that weren't started in
the previous update attempt.

An update can fail with one of the following statuses:

Update failed to initiate: The update flow is incorrect. For example, an image that's
incompatible with the virtual machine SKU. You can't retry the update; you need to cancel
it and schedule a new update.

Update failed: The update failed while it was in progress. If you retry the update, it
continues with the session host it stopped at previously.

Session host rollback failed: If a session host fails to update, session host update tries
to roll back the update on that session host. If the rollback fails and you retry the
update, it continues with the session host it stopped at previously.

You can get any errors for an update by following the steps to Monitor the progress of
an update. When you use Azure PowerShell, the variable $updateProgress contains error
details in the following properties:

$updateProgress.PropertiesUpdateStatus
$updateProgress.UpdateProgressError
$updateProgress.UpdateProgressError.FaultText

Once you identify the issue, you can either retry the update, or cancel it and schedule a
new update.

An update failed to initiate

When a session host update is initiated, the service validates whether it will be able to
successfully complete the update. When a session host update fails prior to starting, the
update ends and changes can be made to the session host configuration. As the Azure
resources are stored in your subscription, they can be modified by other processes;
session host creation can still fail using the session host configuration even after this
validation check is completed.

Here are some example failures that prevent an update from starting:

No session hosts to update: the error HostpoolHasNoSessionHosts is returned when
there are no session hosts to update as part of the session host update. If you
didn't make changes to the session host configuration prior to initiating an update,
this error is returned.

Capacity issues: validation checks for sufficient capacity in your virtual network
subnet and VM core quota. This check does not guarantee capacity during an
update; creation of other resources outside of session host update can result in
errors mid-update associated with capacity limits. Set your batch size to be within
the remaining quota for your subscription.

Parameter consistency with current session hosts: session host update doesn't
support changing the region, subscription, resource group, or domain join type for
a session host. If the session host configuration contains properties in these fields
that differ from the session hosts in the host pool, the update fails to start. You
should remove the session hosts that are inconsistent with the configuration.

Failures during an update

Session host update starts with an initial batch size of 1 to validate that the provided
session host configuration will result in healthy session hosts. Failures that occur during
the first validation batch are most often due to parameters within the session host
configuration and are typically not resolved by retrying the update. Failures that occur
after the validation batch are often intermittent and can be resolved by retrying the
update.

Here are some example failures that can occur during an update:

VM creation failures: VM creation can fail for a variety of reasons not specific to
Azure Virtual Desktop, for example the exhaustion of subscription capacity, or
issues with the provided image. You should review the error message provided to
determine the appropriate remediation. Open a support case with Azure support if
you need further assistance.

Agent installation, domain join, and session host health errors or timeout: Agent,
domain join, and other session host health errors that occur in the first validation
batch can often be resolved by reviewing guidance for addressing deployment and
domain join failures for Azure Virtual Desktop, and by ensuring your image doesn't
have the PowerShell DSC extension installed. If the extension is installed on the
image, remove the folder C:\packages\plugin from the image. If the failure is
intermittent, with some session hosts successfully updating and others
encountering an error such as AgentRegistrationFailureGeneric , retrying the
update can often resolve the issue.

Resource modification and access errors: modifying resources that are impacted
in the update can result in errors during an update. Some of the errors that can
result include deletion of resources and resource groups, changes to permissions,
changes to power state, and changes to drain mode. In addition, if your Azure
resources are locked and/or Azure policy limits the Azure Virtual Desktop service
from modifying your session hosts, the update fails. Review Azure activity logs if
you encounter related errors. Open a support case with Azure support if you need
further assistance.

Incompatible parameters passed to New-AzWvdSessionHostConfiguration

You can pass incompatible parameters to the New-AzWvdSessionHostConfiguration
PowerShell cmdlet. For example, if you specify the parameter DomainInfoJoinType as
AzureActiveDirectory, but also specify the parameter ActiveDirectoryInfoDomainName
with an Active Directory domain name, the domain name is ignored without returning
an error.

Next steps
Example diagnostic queries for session host update in Azure Virtual Desktop


Session host virtual machine configuration
Article • 04/25/2023

Important

This content applies to Azure Virtual Desktop with Azure Resource Manager Azure
Virtual Desktop objects. If you're using Azure Virtual Desktop (classic) without
Azure Resource Manager objects, see this article.

Use this article to troubleshoot issues you're having when configuring the Azure Virtual
Desktop session host virtual machines (VMs).

Provide feedback
Visit the Azure Virtual Desktop Tech Community to discuss the Azure Virtual Desktop
service with the product team and active community members.

VMs aren't joined to the domain

Follow these instructions if you're having issues joining virtual machines (VMs) to the
domain.

Join the VM manually using the process in Join a Windows Server virtual machine
to a managed domain or using the domain join template.
Try pinging the domain name from a command line on the VM.
Review the list of domain join error messages in Troubleshooting Domain Join
Error Messages.

Error: Incorrect credentials

Cause: There was a typo made when the credentials were entered in the Azure Resource
Manager template interface.

Fix: Take one of the following actions to resolve.

Manually add the VMs to a domain.
Redeploy the template once credentials have been confirmed. See Create a host
pool with PowerShell.
Join VMs to a domain using a template with Joins an existing Windows VM to AD
Domain.

Error: Timeout waiting for user input

Cause: The account used to complete the domain join may have multifactor
authentication (MFA).

Fix: Take one of the following actions to resolve.

Temporarily remove MFA for the account.
Use a service account.

Error: The account used during provisioning doesn't have permissions to complete the
operation

Cause: The account being used doesn't have permissions to join VMs to the domain due
to compliance and regulations.

Fix: Take one of the following actions to resolve.

Use an account that is a member of the Administrator group.
Grant the necessary permissions to the account being used.

Error: Domain name doesn't resolve

Cause 1: VMs are on a virtual network that's not associated with the virtual network
(VNET) where the domain is located.

Fix 1: Create VNET peering between the VNET where VMs were provisioned and the
VNET where the domain controller (DC) is running. See Create a virtual network peering
- Resource Manager, different subscriptions.

Cause 2: When using Azure Active Directory Domain Services (Azure AD DS), the virtual
network doesn't have its DNS server settings updated to point to the managed domain
controllers.

Fix 2: To update the DNS settings for the virtual network containing Azure AD DS, see
Update DNS settings for the Azure virtual network.

Cause 3: The network interface's DNS server settings don't point to the appropriate DNS
server on the virtual network.

Fix 3: Take one of the following actions to resolve, following the steps in Change DNS
servers.

Change the network interface's DNS server settings to Custom with the steps from
Change DNS servers and specify the private IP addresses of the DNS servers on the
virtual network.
Change the network interface's DNS server settings to Inherit from virtual
network with the steps from Change DNS servers, then change the virtual
network's DNS server settings with the steps from Change DNS servers.

Azure Virtual Desktop Agent and Azure Virtual Desktop Boot Loader aren't installed

The recommended way to provision VMs is using the Azure portal creation template.
The template automatically installs the Azure Virtual Desktop Agent and Azure Virtual
Desktop Agent Boot Loader.

Follow these instructions to confirm the components are installed and to check for error
messages.

1. Confirm that the two components are installed by checking in Control Panel >
Programs > Programs and Features. If Azure Virtual Desktop Agent and Azure
Virtual Desktop Agent Boot Loader aren't visible, they aren't installed on the VM.
2. Open File Explorer and navigate to C:\Windows\Temp\ScriptLog.log. If the file is
missing, it indicates that the PowerShell DSC that installed the two components
wasn't able to run in the security context provided.
3. If the file C:\Windows\Temp\ScriptLog.log is present, open it and check for error
messages.

Error: Azure Virtual Desktop Agent and Azure Virtual Desktop Agent Boot Loader are
missing. C:\Windows\Temp\ScriptLog.log is also missing

Cause 1: Credentials provided during input for the Azure Resource Manager template
were incorrect or permissions were insufficient.

Fix 1: Manually add the missing components to the VMs using Create a host pool with
PowerShell.

Cause 2: PowerShell DSC was able to start and execute but failed to complete as it can't
sign in to Azure Virtual Desktop and obtain needed information.

Fix 2: Confirm the items in the following list.

Make sure the account doesn't have MFA.
Confirm the host pool's name is accurate and the host pool exists in Azure Virtual
Desktop.
Confirm the account has at least Contributor permissions on the Azure
subscription or resource group.

Error: Authentication failed, error in C:\Windows\Temp\ScriptLog.log

Cause: PowerShell DSC was able to execute but couldn't connect to Azure Virtual
Desktop.

Fix: Confirm the items in the following list.

Manually register the VMs with the Azure Virtual Desktop service.
Confirm account used for connecting to Azure Virtual Desktop has permissions on
the Azure subscription or resource group to create host pools.
Confirm account doesn't have MFA.

Azure Virtual Desktop Agent isn't registering with the Azure Virtual Desktop service

When the Azure Virtual Desktop Agent is first installed on session host VMs (either
manually or through the Azure Resource Manager template and PowerShell DSC), it
provides a registration token. The following section covers troubleshooting issues that
apply to the Azure Virtual Desktop Agent and the token.

Error: The status field in the Get-AzWvdSessionHost cmdlet shows status as Unavailable

Cause: The agent isn't able to update itself to a new version.

Fix: Follow these instructions to manually update the agent.

1. Download a new version of the agent on the session host VM.
2. Launch Task Manager and, in the Service Tab, stop the RDAgentBootLoader service.
3. Run the installer for the new version of the Azure Virtual Desktop Agent.
4. When prompted for the registration token, remove the entry INVALID_TOKEN and
press next (a new token isn't required).
5. Complete the installation Wizard.
6. Open Task Manager and start the RDAgentBootLoader service.

Error: Azure Virtual Desktop Agent registry entry IsRegistered shows a value of 0

Cause: Registration token has expired.

Fix: Follow these instructions to fix the agent registry error.

1. If there's already a registration token, remove it with Remove-AzWvdRegistrationInfo.
2. Run the New-AzWvdRegistrationInfo cmdlet to generate a new token.
3. Confirm that the -ExpirationTime parameter is set to three days.

Error: Azure Virtual Desktop agent isn't reporting a heartbeat when running
Get-AzWvdSessionHost

Cause 1: RDAgentBootLoader service has been stopped.

Fix 1: Launch Task Manager and, if the Service Tab reports a stopped status for
RDAgentBootLoader service, start the service.

Cause 2: Port 443 may be closed.

Fix 2: Follow these instructions to open port 443.

1. Confirm port 443 is open by downloading the PSPing tool from Sysinternal tools.

2. Install PSPing on the session host VM where the agent is running.

3. Open the command prompt as an administrator and issue the command below:

Windows Command Prompt

psping rdbroker.wvdselfhost.microsoft.com:443

4. Confirm that PSPing received information back from the RDBroker:

PsPing v2.10 - PsPing - ping, latency, bandwidth measurement utility
Copyright (C) 2012-2016 Mark Russinovich
Sysinternals - www.sysinternals.com
TCP connect to 13.77.160.237:443:
5 iterations (warmup 1) ping test:
Connecting to 13.77.160.237:443 (warmup): from 172.20.17.140:60649: 2.00ms
Connecting to 13.77.160.237:443: from 172.20.17.140:60650: 3.83ms
Connecting to 13.77.160.237:443: from 172.20.17.140:60652: 2.21ms
Connecting to 13.77.160.237:443: from 172.20.17.140:60653: 2.14ms
Connecting to 13.77.160.237:443: from 172.20.17.140:60654: 2.12ms
TCP connect statistics for 13.77.160.237:443:
Sent = 4, Received = 4, Lost = 0 (0% loss),
Minimum = 2.12ms, Maximum = 3.83ms, Average = 2.58ms
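The agent checks in the sections above (installed components, the ScriptLog.log file, the RDAgentBootLoader service, and port 443 to the broker) can be run in one pass from an elevated PowerShell session on the session host. The function below is an added example, not code from this article; the broker host name, log path, service name, and the "Remote Desktop" product-name prefix are the ones this article gives, and Test-NetConnection stands in for psping.

```powershell
# Added example, not part of the Azure Virtual Desktop documentation. Runs, from an
# elevated PowerShell session on the session host itself, the checks this article
# describes one by one and returns them as a single object.
function Test-AvdSessionHostAgent {
    param(
        # Broker endpoint and port the article tests with psping
        [string] $BrokerHost    = 'rdbroker.wvdselfhost.microsoft.com',
        [int]    $BrokerPort    = 443,
        # Log written by the PowerShell DSC that installs the agent (path from the article)
        [string] $ScriptLogPath = 'C:\Windows\Temp\ScriptLog.log'
    )

    # 1. Agent and Boot Loader appear in Programs and Features, which reads these keys.
    #    The article says both products start with "Remote Desktop".
    $uninstallRoots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $agentPackages = Get-ItemProperty -Path $uninstallRoots -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Remote Desktop*' } |
        Select-Object -ExpandProperty DisplayName -Unique

    # 2. A missing ScriptLog.log means DSC never ran in the supplied security context;
    #    if it exists, surface the first lines that mention an error.
    $scriptLogExists = Test-Path -LiteralPath $ScriptLogPath
    $scriptLogErrors = @()
    if ($scriptLogExists) {
        $scriptLogErrors = Select-String -LiteralPath $ScriptLogPath -Pattern 'error|exception' |
            Select-Object -First 5 -ExpandProperty Line
    }

    # 3. The agent cannot report a heartbeat while RDAgentBootLoader is stopped.
    $bootLoader = Get-Service -Name 'RDAgentBootLoader' -ErrorAction SilentlyContinue

    # 4. Outbound 443 to the broker, the PowerShell equivalent of the psping step.
    $tcp = Test-NetConnection -ComputerName $BrokerHost -Port $BrokerPort -WarningAction SilentlyContinue

    [pscustomobject]@{
        AgentPackagesInstalled = @($agentPackages)
        ScriptLogExists        = $scriptLogExists
        ScriptLogErrorLines    = @($scriptLogErrors)
        BootLoaderService      = if ($bootLoader) { $bootLoader.Status.ToString() } else { 'NotInstalled' }
        BrokerAddress          = $tcp.RemoteAddress
        BrokerPortOpen         = $tcp.TcpTestSucceeded
    }
}

# Run it, then map each empty or False field to the matching section of this article:
# no packages -> reinstall the agent; no log -> DSC did not run; Stopped -> start the
# service; BrokerPortOpen False -> open port 443.
Test-AvdSessionHostAgent | Format-List
```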

Troubleshooting issues with the Azure Virtual Desktop side-by-side stack

There are three main ways the side-by-side stack gets installed or enabled on session
host pool VMs:

With the Azure portal creation template
By being included and enabled on the master image
Installed or enabled manually on each VM (or with extensions/PowerShell)

If you're having issues with the Azure Virtual Desktop side-by-side stack, type the
qwinsta command from the command prompt to confirm that the side-by-side stack is
installed or enabled. The output of qwinsta lists rdp-sxs if the side-by-side stack is
installed and enabled.

Examine the registry entries listed below and confirm that their values match. If registry
keys are missing or values are mismatched, make sure you're running a supported
operating system. If you are, follow the instructions in Register session hosts to a host
pool for how to reinstall the side-by-side stack.

registry

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal
Server\WinStations\rds-sxs\"fEnableWinstation":DWORD=1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal
Server\ClusterSettings\"SessionDirectoryListener":rdp-sxs
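The qwinsta check and the two registry values above can be verified together from PowerShell. The function below is an added example, not code from this article; it assumes the WinStations subkey carries the same name as the SessionDirectoryListener value (the article lists that key as rds-sxs), so it resolves the key from the listener value and cross-checks the two settings rather than hardcoding the name.

```powershell
# Added example, not part of the Azure Virtual Desktop documentation. Checks the
# side-by-side stack the way the article does: qwinsta must list rdp-sxs, and the two
# registry values under Terminal Server must name and enable that listener.
function Test-AvdSideBySideStack {
    $tsRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

    # 1. qwinsta lists a session named rdp-sxs when the stack is installed and enabled.
    $qwinstaLines = & qwinsta.exe 2>$null
    $sxsListed = [bool]($qwinstaLines | Select-String -Pattern '\brdp-sxs\b' -Quiet)

    # 2. ClusterSettings\SessionDirectoryListener must point at the side-by-side listener.
    $clusterSettings = Get-ItemProperty -LiteralPath "$tsRoot\ClusterSettings" -ErrorAction SilentlyContinue
    $listener = $clusterSettings.SessionDirectoryListener

    # 3. WinStations\<listener>\fEnableWinstation must be 1. Assumption: the WinStations
    #    subkey is named after the listener value, so the two settings are cross-checked.
    $winStationKey = if ($listener) { "$tsRoot\WinStations\$listener" }
    $fEnable = $null
    if ($winStationKey -and (Test-Path -LiteralPath $winStationKey)) {
        $fEnable = (Get-ItemProperty -LiteralPath $winStationKey -ErrorAction SilentlyContinue).fEnableWinstation
    }

    [pscustomobject]@{
        SxsListedByQwinsta       = $sxsListed
        SessionDirectoryListener = $listener
        WinStationKey            = $winStationKey
        fEnableWinstation        = $fEnable
        # All three must hold; anything else means reinstalling the stack per the article.
        StackLooksHealthy        = $sxsListed -and ($listener -eq 'rdp-sxs') -and ($fEnable -eq 1)
    }
}

Test-AvdSideBySideStack | Format-List
```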

Error: O_REVERSE_CONNECT_STACK_FAILURE

Cause: The side-by-side stack isn't installed on the session host VM.

Fix: Follow these instructions to install the side-by-side stack on the session host VM.

1. Use Remote Desktop Protocol (RDP) to get directly into the session host VM as
local administrator.
2. Install the side-by-side stack by following the steps to Register session hosts to a
host pool.

How to fix an Azure Virtual Desktop side-by-side stack that malfunctions

There are known circumstances that can cause the side-by-side stack to malfunction:

Not following the correct order of the steps to enable the side-by-side stack
Auto update to Windows 10 Enhanced Versatile Disc (EVD)
Missing the Remote Desktop Session Host (RDSH) role

The instructions in this section can help you uninstall the Azure Virtual Desktop side-by-
side stack. Once you uninstall the side-by-side stack, follow the steps to Register session
hosts to a host pool to reinstall the side-by-side stack.

The VM used to run remediation must be on the same subnet and domain as the VM
with the malfunctioning side-by-side stack.

Follow these instructions to run remediation from the same subnet and domain:

1. Connect with standard Remote Desktop Protocol (RDP) to the VM from where fix
will be applied.

2. Download and install PsExec.

3. Start command prompt as local administrator, then navigate to the folder where
PsExec was unzipped.

4. From command prompt, use the following command, where <VMname> is the
hostname name of the VM with the malfunctioning side-by-side stack. If this is the
first time you have run PsExec, you'll also need to accept the PsExec License
Agreement to continue by clicking Agree.

Windows Command Prompt

psexec.exe \\<VMname> cmd

5. After the command prompt session opens on the VM with the malfunctioning
side-by-side stack, run the following command and confirm that an entry named
rdp-sxs is available. If not, a side-by-side stack isn't present on the VM so the issue
isn't tied to the side-by-side stack.

Windows Command Prompt

qwinsta

6. Run the following command, which will list Microsoft components installed on the
VM with the malfunctioning side-by-side stack.

Windows Command Prompt

wmic product get name

7. Run the command below with product names from step above, for example:

Windows Command Prompt

wmic product where name="<Remote Desktop Services Infrastructure Agent>" call uninstall

8. Uninstall all products that start with Remote Desktop.

9. After all Azure Virtual Desktop components have been uninstalled, restart the VM
that had the malfunctioning side-by-side stack (either with Azure portal or from
the PsExec tool). You can then reinstall the side-by-side stack by following the
steps to Register session hosts to a host pool.

Remote Desktop licensing mode isn't configured

If you sign in to Windows 10 Enterprise multi-session using an administrative account,
you might receive a notification that says, "Remote Desktop licensing mode isn't
configured, Remote Desktop Services will stop working in X days. On the Connection
Broker server, use Server Manager to specify the Remote Desktop licensing mode."

If the time limit expires, an error message will appear that says, "The remote session was
disconnected because there are no Remote Desktop client access licenses available for
this computer."

If you see either of these messages, it means the image doesn't have the latest Windows
updates installed or you're setting the Remote Desktop licensing mode through group
policy. Follow the steps in the next sections to check the group policy setting, identify
the version of Windows 10 Enterprise multi-session, and install the corresponding
update.

Note

Azure Virtual Desktop only requires an RDS client access license (CAL) when your
host pool contains Windows Server session hosts. To learn how to configure an RDS
CAL, see License your RDS deployment with client access licenses.

Disable the Remote Desktop licensing mode group policy setting
Check the group policy setting by opening the Group Policy Editor in the VM and
navigating to Administrative Templates > Windows Components > Remote Desktop
Services > Remote Desktop Session Host > Licensing > Set the Remote Desktop
licensing mode. If the group policy setting is Enabled, change it to Disabled. If it's
already disabled, then leave it as-is.

Note

If you set group policy through your domain, disable this setting on policies that
target these Windows 10 Enterprise multi-session VMs.

Identify which version of Windows 10 Enterprise multi-session you're using
To check which version of Windows 10 Enterprise multi-session you have:

1. Sign in with your admin account.

2. Enter "About" into the search bar next to the Start menu.

3. Select About your PC.


4. Check the number next to "Version." The number should be either "1809" or
"1903," as shown in the following image.

Now that you know your version number, skip ahead to the relevant section.

Version 1809
If your version number says "1809," install the KB4516077 update.

Version 1903
Redeploy the host operating system with the latest version of the Windows 10, version
1903 image from the Azure Gallery.

We couldn't connect to the remote PC because of a security error
If your users see an error that says, "We couldn't connect to the remote PC because of a
security error. If this keeps happening, ask your admin or tech support for help," validate
any existing policies that change default RDP permissions. One policy that might cause
this error to appear is "Allow log on through Remote Desktop Services security policy."

To learn more about this policy, see Allow log on through Remote Desktop Services.

I can't deploy the golden image


Golden images must not include the Azure Virtual Desktop agent. You can install the
agent only after you deploy the golden image.

Next steps
For an overview on troubleshooting Azure Virtual Desktop and the escalation
tracks, see Troubleshooting overview, feedback, and support.
To troubleshoot issues while creating a host pool in an Azure Virtual Desktop
environment, see Environment and host pool creation.
To troubleshoot issues while configuring a virtual machine (VM) in Azure Virtual
Desktop, see Session host virtual machine configuration.
To troubleshoot issues related to the Azure Virtual Desktop agent or session
connectivity, see Troubleshoot common Azure Virtual Desktop Agent issues.
To troubleshoot issues with Azure Virtual Desktop client connections, see Azure
Virtual Desktop service connections.
To troubleshoot issues with Remote Desktop clients, see Troubleshoot the Remote
Desktop client.
To troubleshoot issues when using PowerShell with Azure Virtual Desktop, see
Azure Virtual Desktop PowerShell.
To learn more about the service, see Azure Virtual Desktop environment.
To go through a troubleshoot tutorial, see Tutorial: Troubleshoot Resource
Manager template deployments.
To learn about auditing actions, see Audit operations with Resource Manager.
To learn about actions to determine the errors during deployment, see View
deployment operations.
Session host statuses and health checks
in Azure Virtual Desktop
Article • 03/05/2024

The Azure Virtual Desktop Agent regularly runs health checks on the session host. The
agent assigns these health checks various statuses that include descriptions of how to
fix common issues. This article tells you what each status means and how to act on them
during a health check.

Session host statuses


The following table lists each potential status for session hosts in the Azure portal.
Available is considered the ideal default status. Any other status represents a
potential issue that you need to take care of to ensure the service works properly.

Note

If an issue is listed as non-fatal, the service can still run with the issue active.
However, we recommend you resolve the issue as soon as possible to prevent
future issues. If an issue is listed as fatal, it prevents the service from running. You
must resolve all fatal issues to make sure your users can access the session host.

Session host status: Available
Description: This status means that the session host passed all health checks and is available to accept user connections. If a session host has reached its maximum session limit but has passed health checks, it's still listed as "Available."
Load balancing: New user sessions are load balanced here.
How to resolve related issues: N/A

Session host status: Needs Assistance
Description: The session host didn't pass one or more of the following non-fatal health checks: the Geneva Monitoring Agent health check, the Azure Instance Metadata Service (IMDS) health check, or the URL health check. In this state, users can connect to VMs, but their user experience may degrade. You can find which health checks failed in the Azure portal by going to the Session hosts tab and selecting the name of your session host.
Load balancing: New user sessions are load balanced here.
How to resolve related issues: Follow the directions in Error: Session hosts are stuck in "Needs Assistance" state to resolve the issue.

Session host status: Shutdown
Description: The session host has been shut down. If the agent enters a shutdown state before connecting to the broker, its status changes to Unavailable. If you've shut down your session host and see an Unavailable status, that means the session host shut down before it could update the status, and doesn't indicate an issue. You should use this status with the VM instance view API to determine the power state of the VM.
Load balancing: Not available for load balancing.
How to resolve related issues: Turn on the session host.

Session host status: Unavailable
Description: The session host is either turned off or hasn't passed fatal health checks, which prevents user sessions from connecting to this session host.
Load balancing: Not available for load balancing.
How to resolve related issues: If the session host is off, turn it back on. If the session host didn't pass the domain join check or side-by-side stack listener health checks, refer to the table in Health check for ways to resolve the issue. If the status is still "Unavailable" after following those directions, open a support case.

Session host status: Upgrade Failed
Description: This status means that the Azure Virtual Desktop Agent couldn't update or upgrade. This status doesn't affect new or existing user sessions.
Load balancing: New user sessions are load balanced here.
How to resolve related issues: Follow the instructions in the Azure Virtual Desktop Agent troubleshooting article.

Session host status: Upgrading
Description: This status means that the agent upgrade is in progress. This status updates to "Available" once the upgrade is done and the session host can accept connections again.
Load balancing: New user sessions are load balanced here.
How to resolve related issues: If your session host is stuck in the "Upgrading" state, then reinstall the agent.

Health check
The health check is a test run by the agent on the session host. The following table lists
each type of health check and describes what it does.

Health check name: Domain joined
Description: Verifies that the session host is joined to a domain controller.
What happens if the session host doesn't pass the check: If this check fails, users won't be able to connect to the session host. To solve this issue, join your session host to a domain.

Health check name: Geneva Monitoring Agent
Description: Verifies that the session host has a healthy monitoring agent by checking if the monitoring agent is installed and running in the expected registry location.
What happens if the session host doesn't pass the check: If this check fails, it's semi-fatal. There may be successful connections, but they'll contain no logging information. To resolve this issue, make sure a monitoring agent is installed. If it's already installed, contact Microsoft support.

Health check name: Side-by-side (SxS) Stack Listener
Description: Verifies that the side-by-side stack is up and running, listening, and ready to receive connections.
What happens if the session host doesn't pass the check: If this check fails, it's fatal, and users won't be able to connect to the session host. Try restarting your virtual machine (VM). If restarting doesn't work, contact Microsoft support.

Health check name: App attach health check
Description: Verifies that the app attach or MSIX app attach service is working as intended during package staging or destaging.
What happens if the session host doesn't pass the check: If this check fails, it isn't fatal. However, certain apps stop working for end-users.

Health check name: Domain trust check
Description: Verifies the session host isn't experiencing domain trust issues that could prevent authentication when a user connects to a session.
What happens if the session host doesn't pass the check: If this check fails, it's fatal. The service won't be able to connect if it can't reach the authentication domain for the session host.

Health check name: Metadata service check
Description: Verifies the metadata service is accessible and returns compute properties.
What happens if the session host doesn't pass the check: If this check fails, it isn't fatal.
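To act on the two tables above across a whole host pool rather than one host at a time, the following added example (not from the original article) lists every session host whose status isn't Available together with the health checks it failed. It uses the Az.DesktopVirtualization module; the property names Status, SessionHostHealthCheckResult, HealthCheckName, HealthCheckResult and AdditionalFailureDetailMessage are assumed to match your module version, and the resource group and host pool names are placeholders.

```powershell
# Added example: report session hosts that are not Available, with failed health checks.
# Requires Connect-AzAccount and the Az.DesktopVirtualization module.
function Get-AvdUnhealthySessionHost {
    param(
        [Parameter(Mandatory)][string]$ResourceGroupName,
        [Parameter(Mandatory)][string]$HostPoolName
    )

    $hosts = Get-AzWvdSessionHost -ResourceGroupName $ResourceGroupName -HostPoolName $HostPoolName
    foreach ($h in $hosts) {
        # Available is the only status that needs no action (see the statuses table).
        if ($h.Status -eq 'Available') { continue }

        # Each health check result carries its name and outcome; keep the failures.
        # (Property names assumed; 'HealthCheckSucceeded' is the passing value.)
        $failed = @($h.SessionHostHealthCheckResult |
            Where-Object { $_.HealthCheckResult -ne 'HealthCheckSucceeded' })

        [pscustomobject]@{
            SessionHost     = ($h.Name -split '/')[-1]   # Name is '<hostpool>/<host fqdn>'
            Status          = $h.Status                  # Unavailable, Needs Assistance, Upgrading, ...
            AllowNewSession = $h.AllowNewSession         # $false = drain mode
            FailedChecks    = ($failed.HealthCheckName -join ', ')
            Details         = ($failed.AdditionalFailureDetailMessage -join ' | ')
            LastHeartBeat   = $h.LastHeartBeat
        }
    }
}

# Placeholder names: replace with your own resource group and host pool.
Get-AvdUnhealthySessionHost -ResourceGroupName 'rg-avd' -HostPoolName 'hp-pooled' |
    Format-Table -AutoSize
```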

Next steps
For an overview on troubleshooting Azure Virtual Desktop and the escalation
tracks, see Troubleshooting overview, feedback, and support.
To troubleshoot issues while creating an Azure Virtual Desktop environment and
host pool in an Azure Virtual Desktop environment, see Environment and host pool
creation.
To troubleshoot issues while configuring a virtual machine (VM) in Azure Virtual
Desktop, see Session host virtual machine configuration.
To troubleshoot issues related to the Azure Virtual Desktop agent or session
connectivity, see Troubleshoot common Azure Virtual Desktop Agent issues.
To troubleshoot issues when using PowerShell with Azure Virtual Desktop, see
Azure Virtual Desktop PowerShell.
To go through a troubleshoot tutorial, see Tutorial: Troubleshoot Resource
Manager template deployments.


Management issues
Article • 04/14/2023

This article describes common management errors and gives suggestions for how to
solve them.

Common management errors


The following table lists error messages that appear due to management-related issues
and suggestions for how to solve them.

Error message: Failed to create registration key
Suggested solution: Registration token couldn't be created. Try creating it again with a shorter expiry time (between 1 hour and 1 month).

Error message: Failed to delete registration key
Suggested solution: Registration token couldn't be deleted. Try deleting it again. If it still doesn't work, use PowerShell to check if the token is still there. If it's there, delete it with PowerShell.

Error message: Failed to change session host drain mode
Suggested solution: Couldn't change drain mode on the VM. Check the VM status. If the VM isn't available, you can't change drain mode.

Error message: Failed to disconnect user sessions
Suggested solution: Couldn't disconnect the user from the VM. Check the VM status. If the VM isn't available, you can't disconnect the user session. If the VM is available, check the user session status to see if it's disconnected.

Error message: Failed to log off all user(s) within the session host
Suggested solution: Could not sign users out of the VM. Check the VM status. If unavailable, users can't be signed out. Check user session status to see if they're already signed out. You can force sign out with PowerShell.

Error message: Failed to unassign user from application group
Suggested solution: Could not unpublish an application group for a user. Check to see if the user is available in Azure AD. Check to see if the user is part of a user group that the application group is published to.

Error message: There was an error retrieving the available locations
Suggested solution: Check the location of the VM used in the create host pool wizard. If the image is not available in that location, add the image in that location or choose a different VM location.

Error: Can't add user assignments to an application group
After assigning a user to an application group, the Azure portal displays a warning that
says "Session Ending" or "Experiencing Authentication Issues - Extension
Microsoft_Azure_WVD." The assignment page then doesn't load, and after that, pages
stop loading throughout the Azure portal (for example, Azure Monitor, Log Analytics,
Service Health, and so on).

This issue usually appears because there's a problem with the conditional access policy.
The Azure portal is trying to obtain a token for Microsoft Graph, which is dependent on
SharePoint Online. The customer has a conditional access policy called "Microsoft Office
365 Data Storage Terms of Use" that requires users to accept the terms of use to access
data storage. However, they haven't signed in yet, so the Azure portal can't get the
token.

To solve this issue, before signing in to the Azure portal, the admin first needs to sign in
to SharePoint and accept the Terms of Use. After that, they should be able to sign in to
the Azure portal like normal.

Next steps
To review common error scenarios that the diagnostics feature can identify for you, see
Identify and diagnose issues.
Azure Virtual Desktop PowerShell
Article • 10/12/2023

Important

This content applies to Azure Virtual Desktop with Azure Resource Manager Azure
Virtual Desktop objects. If you're using Azure Virtual Desktop (classic) without
Azure Resource Manager objects, see this article.

Use this article to resolve errors and issues when using PowerShell with Azure Virtual
Desktop. For more information on Remote Desktop Services PowerShell, see Azure
Virtual Desktop PowerShell.

Provide feedback
Visit the Azure Virtual Desktop Tech Community to discuss the Azure Virtual Desktop
service with the product team and active community members.

PowerShell commands used during Azure Virtual Desktop setup
This section lists PowerShell commands that are typically used while setting up Azure
Virtual Desktop and provides ways to resolve issues that may occur while using them.

Error: New-AzRoleAssignment: The provided information does not map to an AD object ID

PowerShell

New-AzRoleAssignment -SignInName "[email protected]" -RoleDefinitionName "Desktop Virtualization User" -ResourceName "0301HP-DAG" -ResourceGroupName 0301RG -ResourceType 'Microsoft.DesktopVirtualization/applicationGroups'

Cause: The user specified by the -SignInName parameter can't be found in the Microsoft
Entra tied to the Azure Virtual Desktop environment.

Fix: Make sure of the following things.

The user should be synced to Microsoft Entra ID.


The user shouldn't be tied to business-to-consumer (B2C) or business-to-business
(B2B) commerce.
The Azure Virtual Desktop environment should be tied to the correct Microsoft Entra
ID.

Error: New-AzRoleAssignment: "The client with object id does not have authorization to perform action over scope (code: AuthorizationFailed)"
Cause 1: The account being used doesn't have Owner permissions on the subscription.

Fix 1: A user with Owner permissions needs to execute the role assignment.
Alternatively, the user needs to be assigned to the User Access Administrator role to
assign a user to an application group.

Cause 2: The account being used has Owner permissions but isn't part of the
environment's Microsoft Entra ID or doesn't have permissions to query the Microsoft
Entra ID where the user is located.

Fix 2: A user with Active Directory permissions needs to execute the role assignment.

Error: New-AzWvdHostPool -- the location is not available for resource type

PowerShell

New-AzWvdHostPool_CreateExpanded: The provided location 'southeastasia' is not available for resource type 'Microsoft.DesktopVirtualization/hostpools'. List of available regions for the resource type is 'eastus,eastus2,westus,westus2,northcentralus,southcentralus,westcentralus,centralus'.

Cause: Azure Virtual Desktop supports selecting the location of host pools, application
groups, and workspaces to store service metadata in certain locations. Your options are
restricted to where this feature is available. This error means that the feature isn't
available in the location you chose.

Fix: In the error message, a list of supported regions will be published. Use one of the
supported regions instead.

Error: New-AzWvdApplicationGroup must be in same location as host pool

PowerShell

New-AzWvdApplicationGroup_CreateExpanded: ActivityId: e5fe6c1d-5f2c-4db9-817d-e423b8b7d168 Error: ApplicationGroup must be in same location as associated HostPool

Cause: There's a location mismatch. All host pools, application groups, and workspaces
have a location to store service metadata. Any objects you create that are associated
with each other must be in the same location. For example, if a host pool is in eastus,
then you also need to create the application groups in eastus. If you create a workspace
to register these application groups to, that workspace needs to be in eastus as well.

Fix: Retrieve the location the host pool was created in, then assign the application group
you're creating to that same location.
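Both location errors above can be avoided up front. The following added example (not from the original article) reads the regions Microsoft.DesktopVirtualization supports for application groups from the resource provider, then creates the application group in the host pool's own location. The resource group, host pool and application group names are placeholders.

```powershell
# Added example: create an application group colocated with its host pool,
# after checking the host pool's region is one the resource type supports.
function New-AvdApplicationGroupColocated {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$ResourceGroupName,
        [Parameter(Mandatory)][string]$HostPoolName,
        [Parameter(Mandatory)][string]$Name,
        [ValidateSet('Desktop', 'RemoteApp')][string]$ApplicationGroupType = 'Desktop'
    )

    # Regions where the resource type can store its service metadata: the same
    # list the 'location is not available' error prints.
    $provider  = Get-AzResourceProvider -ProviderNamespace Microsoft.DesktopVirtualization
    $supported = ($provider.ResourceTypes |
        Where-Object ResourceTypeName -eq 'applicationgroups').Locations

    # The application group must live where the host pool lives.
    $hostPool = Get-AzWvdHostPool -ResourceGroupName $ResourceGroupName -Name $HostPoolName
    $location = $hostPool.Location

    # Provider locations are display names ('East US'); resources use 'eastus'.
    $normalized = $supported | ForEach-Object { $_.Replace(' ', '').ToLower() }
    if ($normalized -notcontains $location.ToLower()) {
        throw "Host pool location '$location' is not a supported metadata region. Supported: $($supported -join ', ')"
    }

    if ($PSCmdlet.ShouldProcess($Name, "Create $ApplicationGroupType application group in $location")) {
        New-AzWvdApplicationGroup -ResourceGroupName $ResourceGroupName -Name $Name `
            -Location $location -HostPoolArmPath $hostPool.Id `
            -ApplicationGroupType $ApplicationGroupType
    }
}

# Placeholder names; -WhatIf shows the region check and intended create without running it.
New-AvdApplicationGroupColocated -ResourceGroupName 'rg-avd' -HostPoolName 'hp-pooled' `
    -Name 'hp-pooled-DAG' -WhatIf
```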

Next steps
For an overview on troubleshooting Azure Virtual Desktop and the escalation
tracks, see Troubleshooting overview, feedback, and support.
To troubleshoot issues while setting up your Azure Virtual Desktop environment
and host pools, see Environment and host pool creation.
To troubleshoot issues while configuring a virtual machine (VM) in Azure Virtual
Desktop, see Session host virtual machine configuration.
To troubleshoot issues with Azure Virtual Desktop client connections, see Azure
Virtual Desktop service connections.
To troubleshoot issues with Remote Desktop clients, see Troubleshoot the Remote
Desktop client.
To learn more about the service, see Azure Virtual Desktop environment.
To learn about auditing actions, see Audit operations with Resource Manager.
To learn about actions to determine the errors during deployment, see View
deployment operations.
Troubleshoot common Azure Virtual
Desktop Agent issues
Article • 08/21/2024

The Azure Virtual Desktop Agent can cause connection issues because of multiple factors:

An error on the broker that makes the agent stop the service.
Problems with updates.
Issues with installing during the agent installation, which disrupts connection to the session
host.

This article guides you through solutions to these common scenarios and how to address
connection issues.

Note

For troubleshooting issues related to session connectivity and the Azure Virtual Desktop
agent, we recommend you review the event logs on your session host virtual machines (VMs)
by going to Event Viewer > Windows Logs > Application. Look for events that have one of
the following sources to identify your issue:

WVD-Agent
WVD-Agent-Updater
RDAgentBootLoader
MsiInstaller

Error: The RDAgentBootLoader and/or Remote Desktop Agent Loader has stopped running
If you're seeing any of the following issues, it means that the boot loader, which loads the agent,
was unable to install the agent properly and the agent service isn't running on your session host
VM:

RDAgentBootLoader is either stopped or not running.

There's no status for Remote Desktop Agent Loader.

To resolve this issue, start the RDAgent boot loader:

1. In the Services window, right-click Remote Desktop Agent Loader.

2. Select Start. If this option is greyed out for you, you don't have administrator permissions.
You need to get those permissions in order to start the service.

3. Wait 10 seconds, then right-click Remote Desktop Agent Loader.


4. Select Refresh.

5. If the service stops after you started and refreshed it, you may have a registration failure. For
more information, see INVALID_REGISTRATION_TOKEN or EXPIRED_MACHINE_TOKEN.

Error: INVALID_REGISTRATION_TOKEN or
EXPIRED_MACHINE_TOKEN
On your session host VM, go to Event Viewer > Windows Logs > Application. If you see an event
with ID 3277 with the description INVALID_REGISTRATION_TOKEN or EXPIRED_MACHINE_TOKEN, the
registration key that has been used isn't recognized as valid.

To resolve this issue:

1. Create a new registration key by following the steps in Generate a registration key.

2. Open a PowerShell prompt as an administrator and run the following commands to add the
new registration key to the registry. Replace <RegistrationToken> with the new registration
token you generated.

PowerShell

$newKey = '<RegistrationToken>'
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\RDInfraAgent" -Name "IsRegistered" -Value 0 -Force
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\RDInfraAgent" -Name "RegistrationToken" -Value $newKey -Force

3. Next, run the following command to restart the RDAgentBootLoader service:

PowerShell

Restart-Service RDAgentBootLoader

4. Run the following commands to verify that IsRegistered is set to 1 and RegistrationToken is
blank.

PowerShell

Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\RDInfraAgent" -Name IsRegistered | FL IsRegistered
Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\RDInfraAgent" -Name RegistrationToken | FL RegistrationToken

The output should be similar to the following output:

Output
IsRegistered : 1

RegistrationToken :

5. Check that your session host is now available in the host pool. If it isn't, view the Event Viewer
entries and see if there are any errors that are preventing the agent from starting.
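Steps 2 to 4 above as one script, added here as an example (not from the original article). It assumes, as is the case for Azure Virtual Desktop registration tokens, that the token is a JWT whose payload carries an exp claim, so an already-expired token is rejected before anything is written to the registry; it then polls until the agent reports IsRegistered = 1 and clears the token.

```powershell
# Added example: apply a fresh registration token and wait for the agent to consume it.
$agentKey = 'HKLM:\SOFTWARE\Microsoft\RDInfraAgent'

function Get-JwtExpiry {
    # Returns the 'exp' claim of a JWT as a UTC DateTime (assumes JWT-format token).
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -lt 2) { throw 'Token is not in JWT (header.payload.signature) form.' }
    # The payload is base64url: restore the standard alphabet and padding first.
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) { 2 { $b64 += '==' } 3 { $b64 += '=' } }
    $json = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64))
    $exp  = ($json | ConvertFrom-Json).exp
    [DateTimeOffset]::FromUnixTimeSeconds([long]$exp).UtcDateTime
}

function Set-AvdRegistrationToken {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$Token,
        [int]$TimeoutSeconds = 120
    )

    $expires = Get-JwtExpiry -Token $Token
    if ($expires -le [DateTime]::UtcNow) {
        throw "Registration token expired at $expires UTC; generate a new one (step 1)."
    }
    Write-Verbose "Token valid until $expires UTC."

    if (-not $PSCmdlet.ShouldProcess($agentKey, 'Write registration token and restart RDAgentBootLoader')) {
        return
    }

    # Step 2: hand the token to the agent and mark the host as not yet registered.
    Set-ItemProperty -Path $agentKey -Name IsRegistered      -Value 0      -Force
    Set-ItemProperty -Path $agentKey -Name RegistrationToken -Value $Token -Force

    # Step 3: restart the boot loader so the agent picks the token up.
    Restart-Service -Name RDAgentBootLoader

    # Step 4: poll until IsRegistered is 1 and RegistrationToken has been cleared.
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        Start-Sleep -Seconds 5
        $state = Get-ItemProperty -Path $agentKey
        $done  = ($state.IsRegistered -eq 1) -and [string]::IsNullOrEmpty($state.RegistrationToken)
    } until ($done -or (Get-Date) -gt $deadline)

    if (-not $done) {
        Write-Warning 'Agent did not finish registering; check the Application log (source WVD-Agent) for event 3277.'
    }
    [pscustomobject]@{
        IsRegistered    = $state.IsRegistered
        TokenCleared    = [string]::IsNullOrEmpty($state.RegistrationToken)
        TokenExpiresUtc = $expires
    }
}

# Paste the token generated in step 1 in place of the placeholder.
# Set-AvdRegistrationToken -Token '<RegistrationToken>' -Verbose
```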

Error: Agent cannot connect to broker with INVALID_FORM
On your session host VM, go to Event Viewer > Windows Logs > Application. If you see an event
with ID 3277 with INVALID_FORM in the description, the agent can't connect to the broker or
reach a particular endpoint. This issue may be because of certain firewall or DNS settings.

To resolve this issue, check that you can reach the two endpoints referred to as
BrokerResourceIdURI and BrokerResourceIdURIGlobal:

1. Open Registry Editor.

2. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RDInfraAgent.

3. Make note of the values for BrokerResourceIdURI and BrokerResourceIdURIGlobal.

4. Open a web browser and enter your value for BrokerResourceIdURI in the address bar and
add /api/health to the end, for example https://rdbroker-g-us-r0.wvd.microsoft.com/api/health.

5. Open another tab in the browser and enter your value for BrokerResourceIdURIGlobal in the
address bar and add /api/health to the end, for example
https://rdbroker.wvd.microsoft.com/api/health.

6. If your network isn't blocking the connection to the broker, both pages should load
successfully and show a message stating RD Broker is Healthy, as shown in the following
screenshots:
7. If the network is blocking broker connection, the pages won't load, as shown in the following
screenshot.
You must unblock the required endpoints and then repeat steps 4 to 7. For more information,
see Required URL List.

8. If following the previous steps doesn't resolve your issue, make sure that you don't have any
group policies with ciphers that block the agent to broker connection. Azure Virtual Desktop
uses the same TLS 1.2 ciphers as Azure Front Door. For more information, see Connection
Security.
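Steps 1 to 7 above, scripted as an added example (not from the original article): it reads the two broker URIs the agent itself is configured with from the registry and probes /api/health on each, reporting the HTTP status and whether the page reports the broker as healthy. A failure in the Error column is the signature of the firewall, DNS, proxy or cipher-policy blocks the section describes.

```powershell
# Added example: probe the agent's own broker endpoints for /api/health.
function Test-AvdBrokerHealth {
    $agentKey = 'HKLM:\SOFTWARE\Microsoft\RDInfraAgent'
    $props    = Get-ItemProperty -Path $agentKey -ErrorAction Stop

    foreach ($name in 'BrokerResourceIdURI', 'BrokerResourceIdURIGlobal') {
        $base = $props.$name
        if (-not $base) {
            [pscustomobject]@{ Setting = $name; Url = $null; StatusCode = $null; Healthy = $false; Error = 'registry value missing' }
            continue
        }
        $url = $base.TrimEnd('/') + '/api/health'
        try {
            # Same requirement as the agent: the client must be allowed to negotiate TLS 1.2.
            [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
            $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 15
            [pscustomobject]@{
                Setting    = $name
                Url        = $url
                StatusCode = $resp.StatusCode
                Healthy    = ($resp.Content -match 'RD Broker is Healthy')
                Error      = $null
            }
        } catch {
            # Blocked by firewall/DNS/proxy, or the TLS handshake was refused by a cipher policy.
            [pscustomobject]@{ Setting = $name; Url = $url; StatusCode = $null; Healthy = $false; Error = $_.Exception.Message }
        }
    }
}

Test-AvdBrokerHealth | Format-Table -AutoSize
```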

Error: 3703
On your session host VM, go to Event Viewer > Windows Logs > Application. If you see an event
with ID 3703 with RD Gateway Url: is not accessible in the description, the agent is unable to reach
the gateway URLs. To successfully connect to your session host, you must allow network traffic to
the URLs from the Required URL List. Also, make sure your firewall or proxy settings don't block
these URLs. Unblocking these URLs is required to use Azure Virtual Desktop.

To resolve this issue, verify whether you can access the required URLs by running the Required URL
Check tool. If you're using Azure Firewall, see Use Azure Firewall to protect Azure Virtual Desktop
deployments and Azure Firewall DNS settings for more information on how to configure it for
Azure Virtual Desktop.

Error: 3019
On your session host VM, go to Event Viewer > Windows Logs > Application. If you see an event
with ID 3019, then the agent can't reach the web socket transport URLs. To successfully connect to
your session host and allow network traffic to bypass these restrictions, you must unblock the URLs
listed in the Required URL list. Work with your networking team to make sure your firewall, proxy,
and DNS settings aren't blocking these URLs. You can also check your network trace logs to
identify where the Azure Virtual Desktop service is being blocked. If you open a Microsoft Support
case for this particular issue, make sure to attach your network trace logs to the request.

Error: InstallationHealthCheckFailedException
On your session host VM, go to Event Viewer > Windows Logs > Application. If you see an event
with ID 3277 with InstallationHealthCheckFailedException in the description, then the stack
listener isn't working because the terminal server has toggled the registry key for the stack listener.

To resolve this issue:

1. Check to see if the stack listener is working.

2. If the stack listener isn't working, manually uninstall and reinstall the stack component.

Error: ENDPOINT_NOT_FOUND
On your session host VM, go to Event Viewer > Windows Logs > Application. If you see an event
with ID 3277 with ENDPOINT_NOT_FOUND in the description, then the broker couldn't find an
endpoint to establish a connection with. This connection issue can happen for one of the following
reasons:

There aren't any session host VMs in your host pool.
The session host VMs in your host pool aren't active.
All session host VMs in your host pool have exceeded the max session limit.
None of the VMs in your host pool have the agent service running on them.

To resolve this issue:

1. Make sure the VM is powered on and hasn't been removed from the host pool.

2. Make sure that the VM hasn't exceeded the max session limit.

3. Make sure the agent service is running and the stack listener is working.

4. Make sure the agent can connect to the broker.

5. Make sure your VM has a valid registration token.

6. Make sure the VM registration token hasn't expired.

Error: InstallMsiException
On your session host VM, go to Event Viewer > Windows Logs > Application. If you see an event
with ID 3277 with InstallMsiException in the description, the installer is already running for another
application while you're trying to install the agent, or group policy is blocking msiexec.exe from
running.

To check whether group policy is blocking msiexec.exe from running:

1. Open Resultant Set of Policy by running rsop.msc from an elevated command prompt.
2. In the Resultant Set of Policy window that pops up, go to Computer Configuration >
Administrative Templates > Windows Components > Windows Installer > Turn off
Windows Installer. If the state is Enabled, work with your Active Directory team to allow
msiexec.exe to run.

Note

This list isn't a comprehensive list of policies, just the ones we're currently aware of.

Error: Win32Exception
On your session host VM, go to Event Viewer > Windows Logs > Application. If you see an event
with ID 3277 with InstallMsiException in the description, a policy is blocking cmd.exe from
launching. Blocking this program prevents you from running the console window, which is what
you need to use to restart the service whenever the agent updates.

1. Open Resultant Set of Policy by running rsop.msc from an elevated command prompt.

2. In the Resultant Set of Policy window that pops up, go to User Configuration >
Administrative Templates > System > Prevent access to the command prompt. If the state
is Enabled, work with your Active Directory team to allow cmd.exe to run.

Error: Stack listener isn't working on a Windows 10 2004 session host VM
On your session host VM, from a command prompt run qwinsta.exe and make note of the version
number that appears next to rdp-sxs in the SESSIONNAME column. If the STATE column for rdp-tcp
and rdp-sxs entries isn't Listen, or if rdp-tcp and rdp-sxs entries aren't listed at all, it means that
there's a stack issue. Stack updates get installed along with agent updates, but if the update was
unsuccessful, the Azure Virtual Desktop Listener won't work.

To resolve this issue:

1. Open the Registry Editor.


2. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal
Server\WinStations.

3. Under WinStations you may see several folders for different stack versions, select a folder
that matches the version information you saw when running qwinsta.exe in a command
prompt.

Find fReverseConnectMode and make sure its data value is 1. Also make sure that
fEnableWinStation is set to 1.

If fReverseConnectMode isn't set to 1, select fReverseConnectMode and enter 1 in its
value field.

If fEnableWinStation isn't set to 1, select fEnableWinStation and enter 1 into its value
field.

4. Repeat the previous steps for each folder that matches the version information you saw when
running qwinsta.exe in a command prompt.

Tip

To change the fReverseConnectMode or fEnableWinStation mode for multiple VMs at a
time, you can do one of the following two things:

Export the registry key from the machine that you already have working and import
it into all other machines that need this change.
Create a group policy object (GPO) that sets the registry key value for the machines
that need the change.

5. Restart your session host VM.

6. Open the Registry Editor.


7. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal
Server\ClusterSettings.

8. Under ClusterSettings, find SessionDirectoryListener and make sure its data value is
rdp-sxs<version number>, where <version number> matches the version information you saw when
running qwinsta.exe in a command prompt.

9. If SessionDirectoryListener isn't set to rdp-sxs<version number>, you'll need to follow the
steps in the section Your issue isn't listed here or wasn't resolved.
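The registry checks in steps 1 to 9 above, automated as an added example (not from the original article): for every rdp-sxs<version> listener that qwinsta reports it verifies fReverseConnectMode and fEnableWinStation under WinStations and confirms that ClusterSettings\SessionDirectoryListener names one of those listeners. It only reports by default; -Repair sets the two DWORD values to 1, gated by ShouldProcess.

```powershell
# Added example: verify (and optionally repair) the side-by-side stack listener registry values.
function Test-AvdSxsListener {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([switch]$Repair)

    $winStations = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations'
    $cluster     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\ClusterSettings'

    # qwinsta prints one listener per line, e.g. " rdp-sxs230822700   65536  Listen".
    $listeners = @((qwinsta.exe) | ForEach-Object {
        if ($_ -match '^\s*(rdp-sxs\S*)\s+\d+\s+(\w+)') {
            [pscustomobject]@{ Name = $Matches[1]; State = $Matches[2] }
        }
    })
    if (-not $listeners) {
        Write-Warning 'qwinsta lists no rdp-sxs entry: the side-by-side stack is missing or not installed.'
        return
    }

    # Steps 2-4: each listener's WinStations key must have both flags set to 1.
    $results = @(foreach ($l in $listeners) {
        $keyPath = Join-Path $winStations $l.Name
        $props   = Get-ItemProperty -Path $keyPath -ErrorAction SilentlyContinue
        foreach ($setting in 'fReverseConnectMode', 'fEnableWinStation') {
            $value = $props.$setting
            if ($value -ne 1 -and $Repair -and $PSCmdlet.ShouldProcess("$keyPath\$setting", 'Set to 1')) {
                Set-ItemProperty -Path $keyPath -Name $setting -Value 1 -Type DWord
                $value = 1
            }
            [pscustomobject]@{
                Listener = $l.Name; State = $l.State; Setting = $setting
                Value    = $value;  Ok    = ($value -eq 1)
            }
        }
    })

    # Steps 6-9: SessionDirectoryListener must point at a listener qwinsta actually shows.
    $sdl = (Get-ItemProperty -Path $cluster -ErrorAction SilentlyContinue).SessionDirectoryListener
    $results += [pscustomobject]@{
        Listener = $sdl; State = ''; Setting = 'SessionDirectoryListener'
        Value    = $sdl; Ok    = ($listeners.Name -contains $sdl)
    }
    $results
}

Test-AvdSxsListener | Format-Table -AutoSize
# Test-AvdSxsListener -Repair -WhatIf   # preview the registry changes before applying them
```

Any row with Ok = False is the condition the section tells you to fix; the listener State column should read Listen for every rdp-sxs entry.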

Error: DownloadMsiException
On your session host VM, go to Event Viewer > Windows Logs > Application. If you see an event
with ID 3277 with DownloadMsiException in the description, there isn't enough space on the disk
for the RDAgent.

To resolve this issue, make space on your disk by:

Deleting files that are no longer in use.


Increasing the storage capacity of your session host VM.

Error: Agent fails to update with MissingMethodException
On your session host VM, go to Event Viewer > Windows Logs > Application. If you see an event
with ID 3389 with MissingMethodException: Method not found in the description, then the Azure
Virtual Desktop agent didn't update successfully and reverted to an earlier version. This issue may
be happening because the version number of the .NET framework currently installed on your VMs
is lower than 4.7.2. To resolve this issue, you need to upgrade the .NET to version 4.7.2 or later by
following the installation instructions in the .NET Framework documentation.

Error: Session host VMs are stuck in Upgrading state
If the status listed for session hosts in your host pool always says Unavailable or Upgrading, the
agent or stack didn't install successfully.

To resolve this issue, first reinstall the side-by-side stack:

1. Sign in to your session host VM as an administrator.

2. From an elevated PowerShell prompt run qwinsta.exe and make note of the version number
that appears next to rdp-sxs in the SESSIONNAME column. If the STATE column for rdp-tcp
and rdp-sxs entries isn't Listen, or if rdp-tcp and rdp-sxs entries aren't listed at all, it means
that there's a stack issue.

3. Run the following command to stop the RDAgentBootLoader service:

PowerShell

Stop-Service RDAgentBootLoader

4. Go to Control Panel > Programs > Programs and Features, or on Windows 11 go to the
Settings App > Apps.

5. Uninstall the latest version of the Remote Desktop Services SxS Network Stack or the version
listed in Registry Editor in
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations
under the value for ReverseConnectionListener.

6. Back at the PowerShell prompt, run the following commands to add the file path of the latest
installer available on your session host VM for the side-by-side stack to a variable and list its
name:

PowerShell

$sxsMsi = (Get-ChildItem "$env:SystemDrive\Program Files\Microsoft RDInfra\" | ? Name -like SxSStack*.msi | Sort-Object CreationTime -Descending | Select-Object -First 1).FullName
$sxsMsi

7. Install the latest installer available on your session host VM for the side-by-side stack by
running the following command:

PowerShell

msiexec /i $sxsMsi

8. Restart your session host VM.

9. From a command prompt run qwinsta.exe again and verify the STATE column for rdp-tcp
and rdp-sxs entries is Listen. If not, you must re-register your VM and reinstall the agent
component.
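As an added example that is not part of the Azure Virtual Desktop documentation, the script below automates steps 2 to 9 of the procedure above from an elevated PowerShell prompt on the session host. It parses the qwinsta listener states, stops RDAgentBootLoader, removes every installed copy of the SxS stack through its MSI ProductCode (read from the standard Uninstall registry keys, which is an assumption about how the stack is registered; it is installed by msiexec, so this matches Programs and Features), installs the newest staged SxSStack*.msi, and tells you when a restart and re-check are due. MSIRESTARTMANAGERCONTROL=Disable is passed so that a silent uninstall does not shut down Remote Desktop Services under an active RDP session, the same concern the Caution later in this article raises. Function names are assumptions.

```powershell
# Added example: reinstall the side-by-side stack on a session host stuck in Upgrading.

function Get-RdpListenerState {
    # qwinsta rows: SESSIONNAME [USERNAME] ID STATE ...; listeners carry no USERNAME.
    qwinsta.exe 2>$null | ForEach-Object {
        if ($_ -match '^\s*(rdp-\S+)\s+(?:\S+\s+)?(\d+)\s+(\S+)') {
            [pscustomobject]@{ Session = $Matches[1]; Id = [int]$Matches[2]; State = $Matches[3] }
        }
    }
}

function Test-RdpListenersHealthy {
    $l   = @(Get-RdpListenerState)
    $tcp = $l | Where-Object { $_.Session -eq 'rdp-tcp'    -and $_.State -eq 'Listen' }
    $sxs = $l | Where-Object { $_.Session -like 'rdp-sxs*' -and $_.State -eq 'Listen' }
    return [bool]($tcp -and $sxs)
}

function Get-SxsStackInstalls {
    # MSI products appear under the Uninstall keys; the subkey name is the ProductCode GUID.
    $roots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    Get-ChildItem $roots -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        if ($p.DisplayName -like 'Remote Desktop Services SxS Network Stack*') {
            [pscustomobject]@{ DisplayName = $p.DisplayName; Version = $p.DisplayVersion; ProductCode = $_.PSChildName }
        }
    }
}

function Repair-AvdSxsStack {
    if (Test-RdpListenersHealthy) { Write-Host 'rdp-tcp and rdp-sxs are both listening; nothing to do.'; return }

    Stop-Service RDAgentBootLoader -Force

    # Remove every installed copy; there can be more than one after failed upgrades.
    foreach ($s in Get-SxsStackInstalls) {
        Write-Host "Uninstalling $($s.DisplayName) $($s.Version)"
        Start-Process msiexec.exe -ArgumentList "/x $($s.ProductCode) /qn /norestart MSIRESTARTMANAGERCONTROL=Disable" -Wait
    }

    # Newest installer the agent staged under Microsoft RDInfra (same lookup as step 6).
    $sxsMsi = (Get-ChildItem "$env:SystemDrive\Program Files\Microsoft RDInfra\" -Filter 'SxSStack*.msi' |
               Sort-Object CreationTime -Descending | Select-Object -First 1).FullName
    if (-not $sxsMsi) { throw 'No SxSStack*.msi found; re-register the VM and reinstall the agent instead.' }

    Write-Host "Installing $sxsMsi"
    $p = Start-Process msiexec.exe -ArgumentList "/i `"$sxsMsi`" /qn /norestart" -Wait -PassThru
    if ($p.ExitCode -notin 0, 3010) { throw "msiexec returned $($p.ExitCode)" }

    Write-Host 'Restart the VM, then run Test-RdpListenersHealthy; if it still returns False, re-register and reinstall the agent.'
}

Repair-AvdSxsStack
```

The script deliberately does not call Restart-Computer: run it, restart when convenient, then call Test-RdpListenersHealthy again to complete step 9.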

Error: Session hosts are stuck in Unavailable state


If your session host VMs are stuck in the Unavailable state, your VM didn't pass one of the health
checks listed in Health check. You must resolve the issue that's causing the VM to not pass the
health check.

Error: Session hosts are stuck in the Needs Assistance state

There are several health checks that can cause your session host VMs to be stuck in the Needs
Assistance state: UrlsAccessibleCheck, MetaDataServiceCheck, and MonitoringAgentCheck.

UrlsAccessibleCheck
If the session host doesn't pass the UrlsAccessibleCheck health check, you'll need to identify which
required URL your deployment is currently blocking. Once you know which URL is blocked, identify
which setting is blocking that URL and remove it.

There are two reasons why the service is blocking a required URL:

You have an active firewall that's blocking most outbound traffic and access to the required
URLs.
Your local hosts file is blocking the required websites.

To resolve a firewall-related issue, add a rule that allows outbound connections on TCP port 80 or
443 (whichever the blocked URL uses) to the blocked URLs.

If your local hosts file is blocking the required URLs, make sure none of the required URLs are in
the Hosts file on your device. You can find the Hosts file location at the following registry key and
value:

Key: HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

Type: REG_EXPAND_SZ

Name: DataBasePath

MetaDataServiceCheck
If the session host doesn't pass the MetaDataServiceCheck health check, then the service can't
access the IMDS endpoint. To resolve this issue, you'll need to do the following things:

Reconfigure your networking, firewall, or proxy settings to unblock the IP address
169.254.169.254.
Make sure your HTTP clients bypass web proxies within the VM when querying IMDS. We
recommend that you allow the required IP address in any firewall policies within the VM that
govern outbound network traffic.

If your issue is caused by a web proxy, add an exception for 169.254.169.254 in the web proxy's
configuration. To add this exception, open an elevated Command Prompt or PowerShell session
and run the following command:

Windows Command Prompt

netsh winhttp set proxy proxy-server="http=<customerwebproxyhere>" bypass-list="169.254.169.254"

MonitoringAgentCheck
If the session host doesn't pass the MonitoringAgentCheck health check, you'll need to check the
Remote Desktop Services Infrastructure Geneva Agent and validate if it is functioning correctly on
the session host:

1. Verify if the Remote Desktop Services Infrastructure Geneva Agent is installed on the session
host. You can verify this in the list of installed programs on the session host. If you see
multiple versions of this agent installed, uninstall older versions and only keep the latest
version installed.

2. If you don't find the Remote Desktop Services Infrastructure Geneva Agent installed on the
session host, please review logs located under C:\Program Files\Microsoft
RDInfra\GenevaInstall.txt and see if installation is failing due to an error.

3. Verify that the scheduled task GenevaTask_<version> exists. This scheduled task must be
enabled and running. If it isn't, reinstall the agent using the .msi file named
Microsoft.RDInfra.Geneva.Installer-x64-<version>.msi, which is available at C:\Program
Files\Microsoft RDInfra.
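The script below is an added example, not from the Azure Virtual Desktop documentation, that checks all three Needs Assistance health checks described above (UrlsAccessibleCheck, MetaDataServiceCheck and MonitoringAgentCheck) from an elevated PowerShell prompt on the session host. Assumptions: the two host names in the default list are illustrative samples only, and the authoritative list must come from the Required URL list for your cloud; the Geneva agent is registered as a standard MSI product; function names are invented. The hosts-file location is read from the DataBasePath registry value named above, and the IMDS probe sets an explicit null proxy so it is unaffected by whatever the VM's proxy settings are.

```powershell
# Added example: diagnose the three health checks behind the Needs Assistance state.

# UrlsAccessibleCheck: TCP reachability on 443 plus a scan for the name in the hosts file.
function Test-AvdRequiredUrls {
    param([string[]]$Hosts = @('login.microsoftonline.com', 'rdbroker.wvd.microsoft.com'))  # assumed sample entries
    $dbPath = [Environment]::ExpandEnvironmentVariables(
        (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters').DataBasePath)
    $hostsLines = Get-Content (Join-Path $dbPath 'hosts') -ErrorAction SilentlyContinue |
                  Where-Object { $_ -notmatch '^\s*#' }
    foreach ($h in $Hosts) {
        $pinned = $hostsLines | Where-Object { $_ -match "\s$([regex]::Escape($h))(\s|$)" }
        $tcp    = Test-NetConnection -ComputerName $h -Port 443 -WarningAction SilentlyContinue
        [pscustomobject]@{ Host = $h; Tcp443 = $tcp.TcpTestSucceeded; InHostsFile = [bool]$pinned }
    }
}

# MetaDataServiceCheck: IMDS must answer directly; a proxy in the path is the usual failure.
function Test-AvdImds {
    $req = [System.Net.HttpWebRequest]::Create('http://169.254.169.254/metadata/instance?api-version=2021-02-01')
    $req.Headers.Add('Metadata', 'true')
    $req.Proxy   = $null      # explicit bypass, independent of WinHTTP or WinINET proxy settings
    $req.Timeout = 5000
    try {
        $resp = $req.GetResponse()
        $ok = ($resp.StatusCode -eq 'OK'); $resp.Close()
        return $ok
    } catch { return $false }
}

# MonitoringAgentCheck: one installed version, install log present, GenevaTask_* enabled.
function Test-AvdGenevaAgent {
    $roots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    $installs = Get-ChildItem $roots -ErrorAction SilentlyContinue | ForEach-Object { Get-ItemProperty $_.PSPath } |
                Where-Object { $_.DisplayName -like 'Remote Desktop Services Infrastructure Geneva Agent*' }
    $task = Get-ScheduledTask -TaskName 'GenevaTask_*' -ErrorAction SilentlyContinue
    $log  = "$env:ProgramFiles\Microsoft RDInfra\GenevaInstall.txt"
    [pscustomobject]@{
        InstalledVersions = @($installs | Select-Object -ExpandProperty DisplayVersion)
        TaskNames         = @($task | Select-Object -ExpandProperty TaskName)
        TaskReady         = [bool]($task | Where-Object { $_.State -in 'Ready', 'Running' })
        InstallLogTail    = if (Test-Path $log) { Get-Content $log -Tail 5 } else { 'GenevaInstall.txt not found' }
    }
}

Test-AvdRequiredUrls | Format-Table -AutoSize
"IMDS reachable without proxy: $(Test-AvdImds)"
Test-AvdGenevaAgent | Format-List
```

A host with InHostsFile = True for a required name is being redirected locally even if Tcp443 succeeds; more than one entry in InstalledVersions is the "multiple versions" case from step 1 above.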

Error: Connection not found: RDAgent does not have an active connection to the broker

Your session host VMs may be at their connection limit and can't accept new connections.

To resolve this issue, either:

Decrease the max session limit. This change ensures that resources are more evenly
distributed across session hosts and prevents resource depletion.
Increase the resource capacity of the session host VMs.

Error: Operating a Pro VM or other unsupported OS

The side-by-side stack is only supported on Windows Enterprise or Windows Server SKUs, so
operating systems such as Windows Pro aren't supported. If you don't have an Enterprise or Server
SKU, the stack installs on your VM but isn't activated, so it won't appear when you run qwinsta in
your command line.

To resolve this issue, create session host VMs using a supported operating system.

Error: NAME_ALREADY_REGISTERED
The name of your session host VM has already been registered and is probably a duplicate.
To resolve this issue:

1. Follow the steps in the Remove the session host from the host pool section.

2. Create another VM. Make sure to choose a unique name for this VM.

3. Go to the Azure portal and open the Overview page for the host pool your VM was in.

4. Open the Session Hosts tab and check to make sure all session hosts are in that host pool.

5. Wait for 5-10 minutes for the session host status to say Available.

Your issue isn't listed here or wasn't resolved


If you can't find your issue in this article or the instructions didn't help you, we recommend you
uninstall, reinstall, and re-register the Azure Virtual Desktop Agent. The instructions in this section
show you how to reregister your session host VM to the Azure Virtual Desktop service by:

1. Uninstalling all agent, boot loader, and stack components.

2. Removing the session host from the host pool.

3. Generating a new registration key for the VM.

4. Reinstalling the Azure Virtual Desktop Agent and boot loader.

Follow these instructions in this section if one or more of the following scenarios apply to you:

The state of your session host VM is stuck as Upgrading or Unavailable.
Your stack listener isn't working and you're running on Windows 10 version 1809, 1903, or
1909.
You're receiving an EXPIRED_REGISTRATION_TOKEN error.
You're not seeing your session host VMs show up in the session hosts list.
You don't see the Remote Desktop Agent Loader service in the Services console.
You don't see the RdAgentBootLoader component as a running process in Task Manager.
You're receiving a Connection Broker couldn't validate the settings error on custom image
VMs.
Previous sections in this article didn't resolve your issue.

Step 1: Uninstall all agent, boot loader, and stack component programs

Before reinstalling the agent, boot loader, and stack, you must uninstall any existing components
from your VM. To uninstall all agent, boot loader, and stack component programs:

1. Sign in to your session host VM as an administrator.

2. Go to Control Panel > Programs > Programs and Features, or on Windows 11 go to the
Settings App > Apps.

3. Uninstall the following programs, then restart your session host VM:

Caution

When uninstalling Remote Desktop Services SxS Network Stack, you'll be prompted
that Remote Desktop Services and Remote Desktop Services UserMode Port Redirector
should be closed. If you're connected to the session host VM using RDP, select Do not
close applications then select OK, otherwise your RDP connection won't work.

Remote Desktop Agent Boot Loader
Remote Desktop Services Infrastructure Agent
Remote Desktop Services Infrastructure Geneva Agent
Remote Desktop Services SxS Network Stack

Note

You may see multiple instances of these programs. Make sure to remove all of them.

Step 2: Remove the session host from the host pool
When you remove the session host from the host pool, the session host is no longer registered to
that host pool. This change acts as a reset for the session host registration. To remove the session
host from the host pool:

1. Sign in to the Azure portal .

2. In the search bar, type Azure Virtual Desktop and select the matching service entry.

3. Select Host pools and select the name of the host pool that your session host VM is in.

4. Select Session Hosts to see the list of all session hosts in that host pool.

5. Look at the list of session hosts and tick the box next to the session host that you want to
remove.

6. Select Remove.

Step 3: Generate a new registration key for the VM


You must generate a new registration key that is used to re-register your session VM to the host
pool and to the service. To generate a new registration key for the VM:

1. Sign in to the Azure portal .

2. In the search bar, type Azure Virtual Desktop and select the matching service entry.

3. Select Host pools and select the name of the host pool that your session host VM is in.

4. On the Overview blade, select Registration key.


5. Open the Registration key tab and select Generate new key.

6. Enter the expiration date and then select Ok.

Note

The expiration date can be no less than an hour and no longer than 27 days from its
generation time and date. Generate a registration key only for as long as you need.

7. Copy the newly generated key to your clipboard or download the file. You'll need this key
later.

Step 4: Reinstall the agent and boot loader


Reinstalling the latest version of the agent and boot loader also automatically installs the side-by-
side stack and Geneva monitoring agent. To reinstall the agent and boot loader, follow these steps.
This is the latest downloadable version of the Azure Virtual Desktop Agent in non-validation
environments. For more information about the rollout of new versions of the agent, see What's
new in the Azure Virtual Desktop Agent.

1. Sign in to your session host VM as an administrator and run the agent installer and
bootloader for your session host VM:

Azure Virtual Desktop Agent

Azure Virtual Desktop Agent Bootloader

Tip

For each of the agent and boot loader installers you downloaded, you may need to
unblock them. Right-click each file and select Properties, then select Unblock, and finally
select OK.

2. When the installer asks you for the registration token, paste the registration key from your
clipboard.
3. Run the boot loader installer.

4. Restart your session VM.

5. Sign in to the Azure portal .

6. In the search bar, enter Azure Virtual Desktop and select the matching service entry.

7. Select Host pools and select the name of the host pool that your session host VM is in.

8. Select Session Hosts to see the list of all session hosts in that host pool.

9. You should now see the session host registered in the host pool with the status Available.

Remove DisableRegistryTools registry key


If you've performed all four steps but the agent still doesn't work, that may be because the
DisableRegistryTools registry key is enabled in one of the following locations:

HKU:\DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = 1
HKU:\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = 1
HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = 1

This registry key prevents the agent from installing the side-by-side stack, which results in an
installMSIException error. This error leads to the session hosts being stuck in an unavailable state.

To resolve this issue, you'll need to remove the key:

1. Remove the DisableRegistryTools key from the three previously listed locations.

2. Uninstall and remove the affected side-by-side stack installation from the Apps & Features
folder.
3. Remove the affected side-by-side stack's registry keys.

4. Restart your VM.

5. Start the agent and let it auto-install the side-by-side stack.
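The following is an added example, not from the Azure Virtual Desktop documentation, that scripts the four-step re-registration above together with the DisableRegistryTools check from this section. It has two halves: New-AvdHostRegistration (Steps 2 and 3) runs wherever the Az.DesktopVirtualization module is installed with rights on the host pool, and Reset-AvdAgentInstall (Step 1, the policy check, Step 4) runs in an elevated prompt on the session host. Assumptions: the resource names, UPN-style session host name and installer paths are placeholders you replace; REGISTRATIONTOKEN is the MSI public property the agent installer reads when run silently; the four components are registered as standard MSI products so they can be removed by ProductCode. The registry key the page writes as HKU:\DEFAULT is HKEY_USERS\.DEFAULT in the hive.

```powershell
# Added example: re-register a session host end to end (control plane first, then the VM).

function New-AvdHostRegistration {
    param(
        [Parameter(Mandatory)][string]$ResourceGroupName,   # placeholder
        [Parameter(Mandatory)][string]$HostPoolName,        # placeholder
        [Parameter(Mandatory)][string]$SessionHostName,     # FQDN as shown in the Session Hosts list
        [int]$ValidHours = 2                                # 1 hour minimum, 27 days maximum; keep it short
    )
    # Step 2: drop the stale registration (ignore "not found" if it is already gone).
    Remove-AzWvdSessionHost -ResourceGroupName $ResourceGroupName -HostPoolName $HostPoolName -Name $SessionHostName -ErrorAction SilentlyContinue
    # Step 3: mint a fresh token; it authorises a host to join the pool, so handle it like a credential.
    $expiry = (Get-Date).ToUniversalTime().AddHours($ValidHours).ToString('yyyy-MM-ddTHH:mm:ss.fffffffZ')
    (New-AzWvdRegistrationInfo -ResourceGroupName $ResourceGroupName -HostPoolName $HostPoolName -ExpirationTime $expiry).Token
}

function Remove-DisableRegistryToolsPolicy {
    # The three locations listed above; HKU needs a PowerShell drive before it can be browsed.
    if (-not (Get-PSDrive HKU -ErrorAction SilentlyContinue)) { New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null }
    $paths = 'HKU:\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System',
             'HKU:\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System',
             'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    foreach ($p in $paths) {
        $v = Get-ItemProperty $p -Name DisableRegistryTools -ErrorAction SilentlyContinue
        if ($v -and $v.DisableRegistryTools -eq 1) {
            Write-Warning "DisableRegistryTools=1 at $p; removing it so the agent can install the SxS stack"
            Remove-ItemProperty $p -Name DisableRegistryTools
        }
    }
}

function Reset-AvdAgentInstall {
    param(
        [Parameter(Mandatory)][string]$Token,
        [Parameter(Mandatory)][string]$AgentMsi,        # placeholder path to the downloaded agent .msi
        [Parameter(Mandatory)][string]$BootLoaderMsi    # placeholder path to the downloaded boot loader .msi
    )
    # Step 1: remove every copy of the four components by MSI ProductCode (the Uninstall subkey name).
    $names = 'Remote Desktop Agent Boot Loader', 'Remote Desktop Services Infrastructure Agent',
             'Remote Desktop Services Infrastructure Geneva Agent', 'Remote Desktop Services SxS Network Stack'
    $roots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    Stop-Service RDAgentBootLoader -Force -ErrorAction SilentlyContinue
    Get-ChildItem $roots -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        if ($names | Where-Object { $p.DisplayName -like "$_*" }) {
            # Restart Manager disabled so a silent uninstall does not close Remote Desktop Services under your RDP session.
            Start-Process msiexec.exe -ArgumentList "/x $($_.PSChildName) /qn /norestart MSIRESTARTMANAGERCONTROL=Disable" -Wait
        }
    }
    Remove-DisableRegistryToolsPolicy
    # Step 4: agent with the token, then the boot loader; the agent pulls the SxS stack and Geneva agent itself.
    foreach ($f in $AgentMsi, $BootLoaderMsi) { Unblock-File $f }
    $a = Start-Process msiexec.exe -ArgumentList "/i `"$AgentMsi`" /qn /norestart REGISTRATIONTOKEN=$Token" -Wait -PassThru
    if ($a.ExitCode -notin 0, 3010) { throw "Agent install failed with exit code $($a.ExitCode)" }
    $b = Start-Process msiexec.exe -ArgumentList "/i `"$BootLoaderMsi`" /qn /norestart" -Wait -PassThru
    if ($b.ExitCode -notin 0, 3010) { throw "Boot loader install failed with exit code $($b.ExitCode)" }
    Write-Host 'Restart the VM, then confirm the host shows Available in the host pool.'
}
```

Typical use: run New-AvdHostRegistration from your workstation, pass the printed token to Reset-AvdAgentInstall on the VM, and restart. The token should not be written to a shared location or left in shell history; a two-hour expiry limits the damage if it leaks.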

Next steps
If the issue continues, create a support case and include detailed information about the problem
you're having and any actions you've taken to try to resolve it. The following list includes other
resources you can use to troubleshoot issues in your Azure Virtual Desktop deployment.

For an overview on troubleshooting Azure Virtual Desktop and the escalation tracks, see
Troubleshooting overview, feedback, and support.
To troubleshoot issues while creating a host pool in an Azure Virtual Desktop environment,
see Environment and host pool creation.
To troubleshoot issues while configuring a virtual machine (VM) in Azure Virtual Desktop, see
Session host virtual machine configuration.
To troubleshoot issues with Azure Virtual Desktop client connections, see Azure Virtual
Desktop service connections.
To troubleshoot issues when using PowerShell with Azure Virtual Desktop, see Azure Virtual
Desktop PowerShell.
To learn more about the service, see Azure Virtual Desktop environment.
To go through a troubleshoot tutorial, see Tutorial: Troubleshoot Resource Manager template
deployments.
To learn about auditing actions, see Audit operations with Resource Manager.
To learn about actions to determine the errors during deployment, see View deployment
operations.



Azure Virtual Desktop service connections
Article • 10/12/2023

Important

This content applies to Azure Virtual Desktop with Azure Resource Manager Azure
Virtual Desktop objects. If you're using Azure Virtual Desktop (classic) without
Azure Resource Manager objects, see this article.

Use this article to resolve issues with Azure Virtual Desktop client connections.

Provide feedback
You can give us feedback and discuss the Azure Virtual Desktop Service with the product
team and other active community members at the Azure Virtual Desktop Tech
Community .

User connects but nothing is displayed (no feed)

A user can start Remote Desktop clients and is able to authenticate, however the user
doesn't see any icons in the web discovery feed.

1. Confirm that the user reporting the issues has been assigned to application groups
by using this command line:

PowerShell

Get-AzRoleAssignment -SignInName <userupn>

2. Confirm that the user is signing in with the correct credentials.

3. If the web client is being used, confirm that there are no cached credentials issues.

4. If the user is part of a Microsoft Entra user group, make sure the user group is a
security group instead of a distribution group. Azure Virtual Desktop doesn't
support Microsoft Entra distribution groups.

User loses existing feed and no remote resource is displayed (no feed)

This error usually appears after a user moved their subscription from one Microsoft
Entra tenant to another. As a result, the service loses track of their user assignments,
since those are still tied to the old Microsoft Entra tenant.

To resolve this, all you need to do is reassign the users to their application groups.

This could also happen if a Cloud Solution Provider (CSP) created the subscription and then
transferred it to the customer. To resolve this, re-register the resource provider:

1. Sign in to the Azure portal.


2. Go to Subscription, then select your subscription.
3. In the menu on the left side of the page, select Resource provider.
4. Find and select Microsoft.DesktopVirtualization, then select Re-register.
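The script below is an added example, not part of the Azure Virtual Desktop documentation, that performs the checks from the two no-feed scenarios above in one pass from a workstation with the Az.Accounts, Az.Resources and Az.DesktopVirtualization modules installed and a signed-in account that can read the subscription. It expands the Get-AzRoleAssignment lookup to include group-inherited assignments, filters to the Desktop Virtualization User role on application groups, checks that each application group is attached to a workspace, and reports the Microsoft.DesktopVirtualization registration state. The UPN and function name are placeholders.

```powershell
# Added example: why does this user see an empty feed?

function Get-AvdUserFeedDiagnostics {
    param([Parameter(Mandatory)][string]$UserPrincipalName)

    # Direct and group-inherited assignments; a resource reaches the feed only when the user holds
    # Desktop Virtualization User on an application group that is attached to a workspace.
    $assignments = Get-AzRoleAssignment -SignInName $UserPrincipalName -ExpandPrincipalGroups |
        Where-Object { $_.RoleDefinitionName -eq 'Desktop Virtualization User' -and $_.Scope -like '*/applicationGroups/*' }

    $appGroups = foreach ($a in $assignments) {
        $ag = Get-AzResource -ResourceId $a.Scope -ErrorAction SilentlyContinue
        if ($ag) {
            $detail = Get-AzWvdApplicationGroup -ResourceGroupName $ag.ResourceGroupName -Name $ag.Name
            [pscustomobject]@{
                ApplicationGroup = $ag.Name
                AssignedVia      = $a.ObjectType               # User (direct) or Group (inherited)
                InWorkspace      = [bool]$detail.WorkspaceArmPath
            }
        }
    }

    # The moved or transferred subscription case: the provider must be registered.
    $rp = Get-AzResourceProvider -ProviderNamespace Microsoft.DesktopVirtualization
    [pscustomobject]@{
        User                 = $UserPrincipalName
        ApplicationGroups    = @($appGroups)
        MissingWorkspace     = @($appGroups | Where-Object { -not $_.InWorkspace }).Count
        ProviderRegistration = ($rp | Select-Object -First 1).RegistrationState
    }
}

$r = Get-AvdUserFeedDiagnostics -UserPrincipalName 'user@contoso.com'   # placeholder UPN
$r | Format-List User, MissingWorkspace, ProviderRegistration
$r.ApplicationGroups | Format-Table -AutoSize
if ($r.ProviderRegistration -ne 'Registered') {
    Register-AzResourceProvider -ProviderNamespace Microsoft.DesktopVirtualization
}
```

An empty ApplicationGroups list with a Registered provider means the assignment itself is missing (step 1 above); an entry with AssignedVia = Group still needs step 4, because Az RBAC does not expose whether that group is a security group or a distribution group.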

Next steps
For an overview on troubleshooting Azure Virtual Desktop and the escalation
tracks, see Troubleshooting overview, feedback, and support.
To troubleshoot issues while creating an Azure Virtual Desktop environment and
host pool in an Azure Virtual Desktop environment, see Environment and host pool
creation.
To troubleshoot issues while configuring a virtual machine (VM) in Azure Virtual
Desktop, see Session host virtual machine configuration.
To troubleshoot issues related to the Azure Virtual Desktop agent or session
connectivity, see Troubleshoot common Azure Virtual Desktop Agent issues.
To troubleshoot issues when using PowerShell with Azure Virtual Desktop, see
Azure Virtual Desktop PowerShell.
To go through a troubleshoot tutorial, see Tutorial: Troubleshoot Resource
Manager template deployments.
Basic troubleshooting for the Remote
Desktop client for Windows
Article • 09/27/2024


This article provides some simple troubleshooting steps to try first for issues you might
encounter when using the Remote Desktop client for Windows to connect to Azure
Virtual Desktop.

Basic troubleshooting
There are a few basic troubleshooting steps you can try if you're having issues
connecting to your desktops or applications:

1. Make sure you're connected to the internet.

2. Try to connect to your desktops or applications from the Azure Virtual Desktop
web client. For more information, see Connect to Azure Virtual Desktop with the
Remote Desktop web client.

3. Make sure you're using the latest version of the Remote Desktop client. By default,
the client automatically updates when a new version is available. To check for
updates manually, see Update the client.

4. If the connection fails frequently or you notice performance issues, check the
status of the connection. You can find connection information in the connection
bar by selecting the signal icon.

Reset password
Password resets can't be done in the product. You should follow your organization's
process to reset your password.

Client stops responding or can't be opened

If the client stops responding or can't be opened, you might need to reset user data. If
you can open the client, you can reset user data from the About menu. The default
settings for the client will be restored and you'll be unsubscribed from all workspaces.

To reset user data from the client:

1. Open the Remote Desktop app on your device.

2. Select the three dots at the top right-hand corner to show the menu, then select
About.

3. In the section Reset user data, select Reset. To confirm you want to reset your user
data, select Continue.

Issue isn't listed here
If your issue isn't listed here, ask your Azure Virtual Desktop administrator for support,
or see Troubleshoot the Remote Desktop client for Windows when connecting to Azure
Virtual Desktop for further troubleshooting steps.



Troubleshoot the Remote Desktop client
for Windows when connecting to Azure
Virtual Desktop
Article • 04/18/2023

This article describes issues you may experience with the Remote Desktop client for
Windows when connecting to Azure Virtual Desktop and how to fix them.

General
In this section you'll find troubleshooting guidance for general issues with the Remote
Desktop client.

You don't see the expected resources

If you don't see the remote resources you're expecting to see in the app, check the
account you're using. If you've already signed in with a different account than the one
you want to use for Azure Virtual Desktop, you should first sign out, then sign in again
with the correct account. If you're using the Remote Desktop Web client, you can use an
InPrivate browser window to try a different account.

If you're using the correct account, make sure your application group is associated with
a workspace.

Your account is configured to prevent you from using this device

If you come across an error saying Your account is configured to prevent you from
using this device. For more information, contact your system administrator, ensure the
user account was given the Virtual Machine User Login role on the VMs.

The user name or password is incorrect

If you can't sign in and keep receiving an error message that says your credentials are
incorrect, first make sure you're using the right credentials. If you keep seeing error
messages, check to make sure you've fulfilled the following requirements:

Have you assigned the Virtual Machine User Login role-based access control
(RBAC) permission to the virtual machine (VM) or resource group for each user?
Does your Conditional Access policy exclude multi-factor authentication
requirements for the Azure Windows VM sign-in cloud application?

If you've answered "no" to either of those questions, you'll need to reconfigure your
multi-factor authentication. To reconfigure your multi-factor authentication, follow the
instructions in Enforce Azure Active Directory Multi-Factor Authentication for Azure
Virtual Desktop using Conditional Access.

Important

VM sign-ins don't support per-user enabled or enforced Azure AD Multi-Factor
Authentication. If you try to sign in with multi-factor authentication on a VM, you
won't be able to sign in and will receive an error message.

If you can access your Azure AD sign-in logs through Log Analytics, you can see if
you've enabled multi-factor authentication and which Conditional Access policy is
triggering the event. The events shown are non-interactive user login events for the VM,
which means the IP address will appear to come from the external IP address that your
VM accesses Azure AD from.

You can access your sign-in logs by running the following Kusto query:

Kusto

let UPN = "userupn";
AADNonInteractiveUserSignInLogs
| where UserPrincipalName == UPN
| where AppId == "38aa3b87-a06d-4817-b275-7a316988d93b"
| project ['Time']=(TimeGenerated), UserPrincipalName, AuthenticationRequirement, ['MFA Result']=ResultDescription, Status, ConditionalAccessPolicies, DeviceDetail, ['Virtual Machine IP']=IPAddress, ['Cloud App']=ResourceDisplayName
| order by ['Time'] desc

Retrieve and open client logs

You might need the client logs when investigating a problem.

To retrieve the client logs:

1. Ensure no sessions are active and the client process isn't running in the
background by right-clicking on the Remote Desktop icon in the system tray and
selecting Disconnect all sessions.
2. Open File Explorer.
3. Navigate to the %temp%\DiagOutputDir\RdClientAutoTrace folder.

The logs are in the .ETL file format. You can convert these to .CSV or .XML to make them
easily readable by using the tracerpt command. Find the name of the file you want to
convert and make a note of it.

To convert the .ETL file to .CSV, open PowerShell and run the following, replacing
the value for $filename with the name of the file you want to convert (without the
extension) and $outputFolder with the directory in which to create the .CSV file.

PowerShell

$filename = "<filename>"
$outputFolder = "C:\Temp"
cd $env:TEMP\DiagOutputDir\RdClientAutoTrace
tracerpt "$filename.etl" -o "$outputFolder\$filename.csv" -of csv

To convert the .ETL file to .XML, open Command Prompt or PowerShell and run the
following, replacing <filename> with the name of the file you want to convert and
$outputFolder with the directory in which to create the .XML file.

PowerShell

$filename = "<filename>"
$outputFolder = "C:\Temp"
cd $env:TEMP\DiagOutputDir\RdClientAutoTrace
tracerpt "$filename.etl" -o "$outputFolder\$filename.xml"
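The following is an added example, not from the Azure Virtual Desktop documentation, that extends the single-file tracerpt commands above: it converts every .etl trace in the client's log folder to CSV, newest first, and returns the lines that match a search string, so a failed connection can be located without opening each file by hand. The output folder and the default search term are assumptions; tracerpt's -y switch is what lets a re-run overwrite an earlier conversion.

```powershell
# Added example: convert all Remote Desktop client traces and search them in one go.

function Export-RdClientTraces {
    param(
        [string]$OutputFolder = 'C:\Temp\RdClientLogs',   # placeholder
        [string]$Pattern      = 'error'                    # placeholder search term; use an error code or time stamp
    )
    $src = Join-Path $env:TEMP 'DiagOutputDir\RdClientAutoTrace'
    New-Item -ItemType Directory -Path $OutputFolder -Force | Out-Null

    $hits = foreach ($etl in Get-ChildItem $src -Filter '*.etl' | Sort-Object LastWriteTime -Descending) {
        $csv = Join-Path $OutputFolder ($etl.BaseName + '.csv')
        # -y answers "yes" to the overwrite prompt so the function can be re-run.
        & tracerpt.exe $etl.FullName -o $csv -of CSV -y | Out-Null
        if (Test-Path $csv) {
            Select-String -Path $csv -Pattern $Pattern -SimpleMatch | ForEach-Object {
                [pscustomobject]@{ File = $etl.Name; Line = $_.LineNumber; Text = $_.Line.Trim() }
            }
        }
    }
    $hits
}

Export-RdClientTraces -Pattern 'error' | Select-Object -First 20 | Format-Table -AutoSize
```

Disconnect all sessions first, as step 1 above says, or the newest trace is still open for writing and tracerpt reports it as truncated.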

Client stops responding or can't be opened

If the Remote Desktop client for Windows or Azure Virtual Desktop Store app for
Windows stops responding or can't be opened, you may need to reset user data. If you
can open the client, you can reset user data from the About menu, or if you can't open
the client, you can reset user data from the command line. The default settings for the
client will be restored and you'll be unsubscribed from all workspaces.

To reset user data from the client:

1. Open the Remote Desktop app on your device.

2. Select the three dots at the top right-hand corner to show the menu, then select
About.
3. In the section Reset user data, select Reset. To confirm you want to reset your user
data, select Continue.

To reset user data from the command line:

1. Open PowerShell.

2. Change the directory to where the Remote Desktop client is installed, by default
this is C:\Program Files\Remote Desktop .

3. Run the following command to reset user data. You'll be prompted to confirm you
want to reset your user data.

PowerShell

.\msrdcw.exe /reset

You can also add the /f option, where your user data will be reset without
confirmation:

PowerShell

.\msrdcw.exe /reset /f

Your administrator may have ended your session

You see the error message Your administrator may have ended your session. Try
connecting again. If this does not work, ask your administrator or technical support
for help, when the policy setting Allow users to connect remotely using Remote
Desktop Services has been set to disabled.

Configure the policy so that users can connect again, using Group Policy or Intune depending on
how your session hosts are managed.

For Group Policy:

1. Open the Group Policy Management Console (GPMC) for session hosts managed
with Active Directory or the Local Group Policy Editor console and edit the policy
that targets your session hosts.

2. Browse to Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections.

3. Set the policy setting Allow users to connect remotely using Remote Desktop
Services to Enabled.

For Intune:

1. Open the Settings catalog.

2. Browse to Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections.

3. Set the policy setting Allow users to connect remotely using Remote Desktop
Services to Enabled.

Authentication and identity

In this section you'll find troubleshooting guidance for authentication and identity issues
with the Remote Desktop client.

The logon attempt failed

If you come across an error saying The logon attempt failed on the Windows Security
credential prompt, verify the following:

You're using a device that is Azure AD-joined or hybrid Azure AD-joined to the
same Azure AD tenant as the session host.
The PKU2U protocol is enabled on both the local PC and the session host.
Per-user multi-factor authentication is disabled for the user account as it's not
supported for Azure AD-joined VMs.

The sign-in method you're trying to use isn't allowed

If you come across an error saying The sign-in method you're trying to use isn't
allowed. Try a different sign-in method or contact your system administrator, you
have Conditional Access policies restricting access. Follow the instructions in Enforce
Azure Active Directory Multi-Factor Authentication for Azure Virtual Desktop using
Conditional Access to enforce Azure Active Directory Multi-Factor Authentication for
your Azure AD-joined VMs.

A specified logon session does not exist. It may already have been terminated.

If you come across an error that says, An authentication error occurred. A specified
logon session does not exist. It may already have been terminated, verify that you
properly created and configured the Kerberos server object when configuring single
sign-on.

Authentication issues while using an N SKU of Windows

Authentication issues can happen because you're using an N SKU of Windows on your
local device without the Media Feature Pack. For more information and to learn how to
install the Media Feature Pack, see Media Feature Pack list for Windows N editions .

Authentication issues when TLS 1.2 isn't enabled

Authentication issues can happen when your local Windows device doesn't have TLS 1.2
enabled. To enable TLS 1.2, you need to set the following registry values:

Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client

Value Name          Type    Value Data
DisabledByDefault   DWORD   0
Enabled             DWORD   1

Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server

Value Name          Type    Value Data
DisabledByDefault   DWORD   0
Enabled             DWORD   1

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319

Value Name                 Type    Value Data
SystemDefaultTlsVersions   DWORD   1
SchUseStrongCrypto         DWORD   1

You can configure these registry values by opening PowerShell as an administrator and
running the following commands:

PowerShell

New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Force
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Name 'Enabled' -Value '1' -PropertyType 'DWORD' -Force
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Name 'DisabledByDefault' -Value '0' -PropertyType 'DWORD' -Force

New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Force
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Name 'Enabled' -Value '1' -PropertyType 'DWORD' -Force
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Name 'DisabledByDefault' -Value '0' -PropertyType 'DWORD' -Force

New-Item 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319' -Force
New-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319' -Name 'SystemDefaultTlsVersions' -Value '1' -PropertyType 'DWORD' -Force
New-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -PropertyType 'DWORD' -Force
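As an added example that is not part of the Azure Virtual Desktop documentation, the function below reads back the six values the commands above set and reports any that are missing or wrong, so the change can be verified before the sign-in is retried. The function name is an assumption. One caveat the table above does not mention: 32-bit .NET Framework applications read the same two values under HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319, so include that path if the client you are troubleshooting is 32-bit.

```powershell
# Added example: verify the TLS 1.2 registry configuration on the local Windows device.

function Test-Tls12ClientConfig {
    $schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'
    $dotnet   = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319'
    $expected = @(
        @{ Path = "$schannel\Client"; Name = 'Enabled';                  Value = 1 },
        @{ Path = "$schannel\Client"; Name = 'DisabledByDefault';        Value = 0 },
        @{ Path = "$schannel\Server"; Name = 'Enabled';                  Value = 1 },
        @{ Path = "$schannel\Server"; Name = 'DisabledByDefault';        Value = 0 },
        @{ Path = $dotnet;            Name = 'SystemDefaultTlsVersions'; Value = 1 },
        @{ Path = $dotnet;            Name = 'SchUseStrongCrypto';       Value = 1 }
    )
    foreach ($e in $expected) {
        # A missing key or value surfaces as $null, which fails the comparison below.
        $actual = (Get-ItemProperty -Path $e.Path -Name $e.Name -ErrorAction SilentlyContinue).($e.Name)
        [pscustomobject]@{
            Key      = $e.Path.Replace('HKLM:\', '')
            Name     = $e.Name
            Expected = $e.Value
            Actual   = if ($null -eq $actual) { '(missing)' } else { $actual }
            Ok       = ($actual -eq $e.Value)
        }
    }
}

$result = Test-Tls12ClientConfig
$result | Format-Table -AutoSize
if ($result.Ok -contains $false) {
    Write-Warning 'TLS 1.2 is not fully enabled; re-run the registry commands above as administrator and restart the device.'
}
```

Schannel reads these values at boot, so a row that shows Ok = True immediately after the change still needs the restart before the client picks it up.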

Issue isn't listed here

If your issue isn't listed here, see Troubleshooting overview, feedback, and support for
Azure Virtual Desktop for information about how to open an Azure support case for
Azure Virtual Desktop.
Troubleshoot the Azure Virtual Desktop
Store app for Windows
Article • 04/19/2023

This article describes issues you may experience with the Azure Virtual Desktop Store
app for Windows when connecting to Azure Virtual Desktop and how to fix them.

Azure Virtual Desktop Store app is not updating

The Azure Virtual Desktop Store app is downloaded and automatically updated
through the Microsoft Store. It relies on the dependency app Azure Virtual Desktop
(HostApp), which is also automatically downloaded and updated. For more information,
see Azure Virtual Desktop (HostApp).

You can go to the Microsoft Store to check for updates , or you can also manually
search for new updates from the app. For more information, see Update the Azure
Virtual Desktop app.

General
In this section you'll find troubleshooting guidance for general issues with the Azure
Virtual Desktop app.

You don't see the expected resources

If you don't see the remote resources you're expecting to see in the app, check the
account you're using. If you've already signed in with a different account than the one
you want to use for Azure Virtual Desktop, you should first sign out, then sign in again
with the correct account. If you're using the Remote Desktop Web client, you can use an
InPrivate browser window to try a different account.

If you're using the correct account, make sure your application group is associated with
a workspace.

Your account is configured to prevent you from using this device

If you come across an error saying Your account is configured to prevent you from
using this device. For more information, contact your system administrator, ensure the
user account was given the Virtual Machine User Login role on the VMs.

The user name or password is incorrect

If you can't sign in and keep receiving an error message that says your credentials are
incorrect, first make sure you're using the right credentials. If you keep seeing error
messages, check to make sure you've fulfilled the following requirements:

Have you assigned the Virtual Machine User Login role-based access control
(RBAC) permission to the virtual machine (VM) or resource group for each user?
Does your Conditional Access policy exclude multi-factor authentication
requirements for the Azure Windows VM sign-in cloud application?

If you've answered "no" to either of those questions, you'll need to reconfigure your
multi-factor authentication. To reconfigure your multi-factor authentication, follow the
instructions in Enforce Azure Active Directory Multi-Factor Authentication for Azure
Virtual Desktop using Conditional Access.

Important

VM sign-ins don't support per-user enabled or enforced Azure AD Multi-Factor
Authentication. If you try to sign in with multi-factor authentication on a VM, you
won't be able to sign in and will receive an error message.

If you can access your Azure AD sign-in logs through Log Analytics, you can see if
you've enabled multi-factor authentication and which Conditional Access policy is
triggering the event. The events shown are non-interactive user login events for the VM,
which means the IP address will appear to come from the external IP address that your
VM accesses Azure AD from.

You can access your sign-in logs by running the following Kusto query:

Kusto

let UPN = "userupn";
AADNonInteractiveUserSignInLogs
| where UserPrincipalName == UPN
| where AppId == "38aa3b87-a06d-4817-b275-7a316988d93b"
| project ['Time']=(TimeGenerated), UserPrincipalName,
AuthenticationRequirement, ['MFA Result']=ResultDescription, Status,
ConditionalAccessPolicies, DeviceDetail, ['Virtual Machine IP']=IPAddress,
['Cloud App']=ResourceDisplayName
| order by ['Time'] desc

Retrieve and open client logs

You might need the client logs when investigating a problem.

To retrieve the client logs:

1. Ensure no sessions are active and the client process isn't running in the
background by right-clicking on the Remote Desktop icon in the system tray and
selecting Disconnect all sessions.
2. Open File Explorer.
3. Navigate to the %temp%\DiagOutputDir\RdClientAutoTrace folder.

The logs are in the .ETL file format. You can convert these to .CSV or .XML to make them
easily readable by using the tracerpt command. Find the name of the file you want to
convert and make a note of it.

To convert the .ETL file to .CSV, open PowerShell and run the following, replacing
the value for $filename with the name of the file you want to convert (without the
extension) and $outputFolder with the directory in which to create the .CSV file.

PowerShell

$filename = "<filename>"
$outputFolder = "C:\Temp"
cd $env:TEMP\DiagOutputDir\RdClientAutoTrace
tracerpt "$filename.etl" -o "$outputFolder\$filename.csv" -of csv

To convert the .ETL file to .XML, open Command Prompt or PowerShell and run the
following, replacing <filename> with the name of the file you want to convert and
$outputFolder with the directory in which to create the .XML file.

PowerShell

$filename = "<filename>"
$outputFolder = "C:\Temp"
cd $env:TEMP\DiagOutputDir\RdClientAutoTrace
tracerpt "$filename.etl" -o "$outputFolder\$filename.xml"
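
When a folder holds many traces, converting them one at a time is slow. The following script is an added example, not part of the original article: it converts every .etl file in RdClientAutoTrace to both CSV and XML in one pass and warns when the client is still running, since tracerpt can't read a trace the client still holds open. The process names it checks (msrdcw and msrdc) are an assumption of this example.

```powershell
# Added example (not from the article): batch-convert all Remote Desktop client traces.
# Output goes to a timestamped folder under C:\Temp so repeated runs don't overwrite each other.

$traceDir     = Join-Path $env:TEMP 'DiagOutputDir\RdClientAutoTrace'
$outputFolder = Join-Path 'C:\Temp' ('RdClientAutoTrace-{0:yyyyMMdd-HHmmss}' -f (Get-Date))

if (-not (Test-Path -Path $traceDir)) {
    throw "Trace folder not found: $traceDir. Run the client at least once so it creates the folder."
}

# Assumed process names for the client (msrdcw.exe is named in this article, msrdc.exe is assumed).
if (Get-Process -Name 'msrdcw', 'msrdc' -ErrorAction SilentlyContinue) {
    Write-Warning 'The Remote Desktop client is still running; disconnect all sessions first or the newest trace may fail to convert.'
}

New-Item -ItemType Directory -Path $outputFolder -Force | Out-Null

$traces = Get-ChildItem -Path $traceDir -Filter '*.etl' | Sort-Object LastWriteTime -Descending
if (-not $traces) {
    throw "No .etl files found in $traceDir."
}

$converted = foreach ($trace in $traces) {
    $base = Join-Path $outputFolder $trace.BaseName

    # -y answers tracerpt's overwrite prompt so the loop never blocks on input.
    & tracerpt.exe $trace.FullName -o "$base.csv" -of csv -y | Out-Null
    $csvOk = ($LASTEXITCODE -eq 0)

    & tracerpt.exe $trace.FullName -o "$base.xml" -of xml -y | Out-Null
    $xmlOk = ($LASTEXITCODE -eq 0)

    [pscustomobject]@{
        Trace    = $trace.Name
        Modified = $trace.LastWriteTime
        Csv      = if ($csvOk) { "$base.csv" } else { 'failed' }
        Xml      = if ($xmlOk) { "$base.xml" } else { 'failed' }
    }
}

$converted | Format-Table -AutoSize
"Converted traces are in $outputFolder"
```

The newest trace is listed first, which is usually the one that covers the failed connection you are investigating.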

Client stops responding or can't be opened

If the Remote Desktop client for Windows or Azure Virtual Desktop Store app for
Windows stops responding or can't be opened, you may need to reset user data. If you
can open the client, you can reset user data from the About menu, or if you can't open
the client, you can reset user data from the command line. The default settings for the
client will be restored and you'll be unsubscribed from all workspaces.

To reset user data from the client:

1. Open the Remote Desktop app on your device.

2. Select the three dots at the top right-hand corner to show the menu, then select
About.

3. In the section Reset user data, select Reset. To confirm you want to reset your user
data, select Continue.

To reset user data from the command line:

1. Open PowerShell.

2. Change the directory to where the Remote Desktop client is installed, by default
this is C:\Program Files\Remote Desktop .

3. Run the following command to reset user data. You'll be prompted to confirm you
want to reset your user data.

PowerShell

.\msrdcw.exe /reset

You can also add the /f option, where your user data will be reset without
confirmation:

PowerShell

.\msrdcw.exe /reset /f

Your administrator may have ended your session

You see the error message Your administrator may have ended your session. Try
connecting again. If this does not work, ask your administrator or technical support
for help when the policy setting Allow users to connect remotely using Remote
Desktop Services has been set to Disabled.

To let users connect again, configure the policy as follows, depending on whether your
session hosts are managed with Group Policy or Intune.

For Group Policy:

1. Open the Group Policy Management Console (GPMC) for session hosts managed
with Active Directory or the Local Group Policy Editor console and edit the policy
that targets your session hosts.

2. Browse to Computer Configuration > Administrative Templates > Windows
Components > Remote Desktop Services > Remote Desktop Session Host >
Connections

3. Set the policy setting Allow users to connect remotely using Remote Desktop
Services to Enabled.

For Intune:

1. Open the Settings catalog.

2. Browse to Computer Configuration > Administrative Templates > Windows
Components > Remote Desktop Services > Remote Desktop Session Host >
Connections

3. Set the policy setting Allow users to connect remotely using Remote Desktop
Services to Enabled.
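
Before editing policy, it helps to confirm on the session host itself that the denial really comes from this policy setting and not from the local configuration. The following script is an added example, not part of the original article. Its registry mapping is an assumption of the example, not something the article states: the policy setting Allow users to connect remotely using Remote Desktop Services writes fDenyTSConnections under HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services (0 when Enabled, 1 when Disabled, absent when Not configured), while the local setting is fDenyTSConnections under HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server, and a policy value overrides the local one.

```powershell
# Added example (not from the article): report whether remote connections are allowed on
# this session host and whether that state comes from policy or from the local setting.
# Registry mapping is an assumption of this example (see the lead-in above).

function Get-RdsConnectionState {
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    $localKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

    # $null when the value (or the whole key) doesn't exist.
    $policy = (Get-ItemProperty -Path $policyKey -Name 'fDenyTSConnections' -ErrorAction SilentlyContinue).fDenyTSConnections
    $local  = (Get-ItemProperty -Path $localKey  -Name 'fDenyTSConnections' -ErrorAction SilentlyContinue).fDenyTSConnections

    $describe = {
        param($v)
        if ($null -eq $v) { 'Not configured' }
        elseif ($v -eq 0)  { 'Connections allowed' }
        else               { 'Connections denied' }
    }

    # A policy-delivered value, when present, takes precedence over the local one.
    $effective = if ($null -ne $policy) { $policy } else { $local }

    [pscustomobject]@{
        PolicySetting      = & $describe $policy
        LocalSetting       = & $describe $local
        EffectiveSource    = if ($null -ne $policy) { 'Policy (Group Policy or Intune)' } else { 'Local setting' }
        ConnectionsAllowed = ($null -ne $effective -and $effective -eq 0)
    }
}

$state = Get-RdsConnectionState
$state | Format-List

if (-not $state.ConnectionsAllowed) {
    Write-Warning "Remote connections are denied on this host; users will see 'Your administrator may have ended your session'."
    if ($state.EffectiveSource -like 'Policy*') {
        # Changing the local value would be reverted at the next policy refresh, so fix the policy itself.
        Write-Warning 'The denial comes from policy: set the policy to Enabled in GPMC or the Intune Settings catalog, then run gpupdate /force or sync the device.'
    }
}
```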

Authentication and identity

In this section you'll find troubleshooting guidance for authentication and identity issues
with the Remote Desktop client.

The logon attempt failed

If you come across an error saying The logon attempt failed on the Windows Security
credential prompt, verify the following:

You're using a device that is Azure AD-joined or hybrid Azure AD-joined to the
same Azure AD tenant as the session host.
The PKU2U protocol is enabled on both the local PC and the session host.
Per-user multi-factor authentication is disabled for the user account as it's not
supported for Azure AD-joined VMs.

The sign-in method you're trying to use isn't allowed

If you come across an error saying The sign-in method you're trying to use isn't
allowed. Try a different sign-in method or contact your system administrator, you
have Conditional Access policies restricting access. Follow the instructions in Enforce
Azure Active Directory Multi-Factor Authentication for Azure Virtual Desktop using
Conditional Access to enforce Azure Active Directory Multi-Factor Authentication for
your Azure AD-joined VMs.

A specified logon session does not exist. It may already have been terminated.

If you come across an error that says, An authentication error occurred. A specified
logon session does not exist. It may already have been terminated, verify that you
properly created and configured the Kerberos server object when configuring single
sign-on.

Authentication issues while using an N SKU of Windows

Authentication issues can happen because you're using an N SKU of Windows on your
local device without the Media Feature Pack. For more information and to learn how to
install the Media Feature Pack, see Media Feature Pack list for Windows N editions.

Authentication issues when TLS 1.2 isn't enabled

Authentication issues can happen when your local Windows device doesn't have TLS 1.2
enabled. To enable TLS 1.2, you need to set the following registry values:

Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client

Value Name          Type    Value Data
DisabledByDefault   DWORD   0
Enabled             DWORD   1

Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server

Value Name          Type    Value Data
DisabledByDefault   DWORD   0
Enabled             DWORD   1

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319

Value Name                Type    Value Data
SystemDefaultTlsVersions  DWORD   1
SchUseStrongCrypto        DWORD   1

You can configure these registry values by opening PowerShell as an administrator and
running the following commands:

PowerShell

New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Force
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Name 'Enabled' -Value '1' -PropertyType 'DWORD' -Force
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Name 'DisabledByDefault' -Value '0' -PropertyType 'DWORD' -Force

New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Force
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Name 'Enabled' -Value '1' -PropertyType 'DWORD' -Force
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Name 'DisabledByDefault' -Value '0' -PropertyType 'DWORD' -Force

New-Item 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319' -Force
New-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319' -Name 'SystemDefaultTlsVersions' -Value '1' -PropertyType 'DWORD' -Force
New-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -PropertyType 'DWORD' -Force
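
To confirm the change took effect, or to find out which value is missing before you change anything, the following script is an added example, not part of the original article: it audits the six registry values listed above against their documented values and reports any that are absent or wrong, without modifying the registry.

```powershell
# Added example (not from the article): read-only audit of the TLS 1.2 registry values.
# Run as administrator before and after applying the New-ItemProperty commands above.

$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'
$dotnet   = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319'

# Expected values exactly as the article documents them.
# On 64-bit Windows a 32-bit .NET application reads
# HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319 instead; add those
# two entries here if the client you are troubleshooting is 32-bit.
$expected = @(
    @{ Path = "$schannel\Client"; Name = 'DisabledByDefault';        Value = 0 }
    @{ Path = "$schannel\Client"; Name = 'Enabled';                  Value = 1 }
    @{ Path = "$schannel\Server"; Name = 'DisabledByDefault';        Value = 0 }
    @{ Path = "$schannel\Server"; Name = 'Enabled';                  Value = 1 }
    @{ Path = $dotnet;            Name = 'SystemDefaultTlsVersions'; Value = 1 }
    @{ Path = $dotnet;            Name = 'SchUseStrongCrypto';       Value = 1 }
)

function Test-Tls12Registry {
    param([Parameter(Mandatory)] [hashtable[]] $Expected)

    foreach ($e in $Expected) {
        $item   = Get-ItemProperty -Path $e.Path -Name $e.Name -ErrorAction SilentlyContinue
        $actual = if ($null -ne $item) { $item.($e.Name) } else { $null }
        [pscustomobject]@{
            Key      = $e.Path
            Name     = $e.Name
            Expected = $e.Value
            Actual   = if ($null -eq $actual) { '(missing)' } else { $actual }
            # A missing value is not the same as the expected value: Schannel's built-in
            # default applies instead, so report it as a failure rather than "not set".
            Ok       = ($null -ne $actual -and $actual -eq $e.Value)
        }
    }
}

$results = Test-Tls12Registry -Expected $expected
$results | Format-Table Key, Name, Expected, Actual, Ok -AutoSize

$bad = @($results | Where-Object { -not $_.Ok })
if ($bad.Count -eq 0) {
    'All TLS 1.2 registry values match the article.'
} else {
    Write-Warning "$($bad.Count) value(s) missing or wrong; apply the New-ItemProperty commands above, then restart the client."
}
```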

Issue isn't listed here

If your issue isn't listed here, see Troubleshooting overview, feedback, and support for
Azure Virtual Desktop for information about how to open an Azure support case for
Azure Virtual Desktop.
Troubleshoot the Remote Desktop Web
client when connecting to Azure Virtual
Desktop
Article • 08/07/2023

This article describes issues you may experience with the Remote Desktop Web client
when connecting to Azure Virtual Desktop and how to fix them.

General
In this section you'll find troubleshooting guidance for general issues with the Remote
Desktop client.

You don't see the expected resources

If you don't see the remote resources you're expecting to see in the app, check the
account you're using. If you've already signed in with a different account than the one
you want to use for Azure Virtual Desktop, you should first sign out, then sign in again
with the correct account. If you're using the Remote Desktop Web client, you can use an
InPrivate browser window to try a different account.

If you're using the correct account, make sure your application group is associated with
a workspace.

Your account is configured to prevent you from using this device

If you come across an error saying Your account is configured to prevent you from
using this device. For more information, contact your system administrator, ensure the
user account was given the Virtual Machine User Login role on the VMs.

The user name or password is incorrect

If you can't sign in and keep receiving an error message that says your credentials are
incorrect, first make sure you're using the right credentials. If you keep seeing error
messages, check to make sure you've fulfilled the following requirements:

Have you assigned the Virtual Machine User Login role-based access control
(RBAC) permission to the virtual machine (VM) or resource group for each user?
Does your Conditional Access policy exclude multifactor authentication
requirements for the Azure Windows VM sign-in cloud application?

If you've answered "no" to either of those questions, you'll need to reconfigure your
multifactor authentication. To reconfigure your multifactor authentication, follow the
instructions in Enforce Microsoft Entra multifactor authentication for Azure Virtual
Desktop using Conditional Access.

Important

VM sign-ins don't support per-user enabled or enforced Microsoft Entra multifactor
authentication. If you try to sign in with multifactor authentication on a VM, you
won't be able to sign in and will receive an error message.

If you can access your Microsoft Entra sign-in logs through Log Analytics, you can see if
you've enabled multifactor authentication and which Conditional Access policy is
triggering the event. The events shown are non-interactive user login events for the VM,
which means the IP address will appear to come from the external IP address that your
VM accesses Microsoft Entra ID from.

You can access your sign-in logs by running the following Kusto query:

Kusto

let UPN = "userupn";
AADNonInteractiveUserSignInLogs
| where UserPrincipalName == UPN
| where AppId == "38aa3b87-a06d-4817-b275-7a316988d93b"
| project ['Time']=(TimeGenerated), UserPrincipalName,
AuthenticationRequirement, ['MFA Result']=ResultDescription, Status,
ConditionalAccessPolicies, DeviceDetail, ['Virtual Machine IP']=IPAddress,
['Cloud App']=ResourceDisplayName
| order by ['Time'] desc

Web client stops responding or disconnects

If the Remote Desktop Web client stops responding or keeps disconnecting, try closing
and reopening the browser. If it continues, try connecting using another browser or
one of the other Remote Desktop clients. You can also try clearing your browsing data.
For Microsoft Edge, see Microsoft Edge, browsing data, and privacy.

Web client out of memory

If you see the error message "Oops, we couldn't connect to 'SessionDesktop'" (where
SessionDesktop is the name of the resource you're connecting to), then the web client
has run out of memory.

To resolve this issue, you'll need to either reduce the size of the browser window so a
smaller resolution will be used, or disconnect all existing connections and try connecting
again. If you still encounter this issue after doing these things, contact your admin for
help.

Network
In this section you'll find troubleshooting guidance for network issues with the Remote
Desktop client.

Web client won't open

The URL for the Remote Desktop Web client is
https://client.wvd.microsoft.com/arm/webclient/. If this page doesn't open, try the
following:

1. Test your internet connection by opening another website in your browser, for
example https://www.bing.com.

2. From PowerShell or Command Prompt on Windows, or Terminal on macOS, you
can test if your DNS server can resolve the fully qualified domain name (FQDN) by
running the following command:

PowerShell

nslookup client.wvd.microsoft.com

If neither of these works, you most likely have a problem with your network connection.
Contact your network admin for help.

Tip

For the URLs of other Azure environments, such as Azure US Gov and Azure
operated by 21Vianet, see Connect to Azure Virtual Desktop with the Remote
Desktop Web client.

Authentication and identity
In this section you'll find troubleshooting guidance for authentication and identity issues
with the Remote Desktop client.

Sign in failed. Please check your username and password and try again

If you come across an error saying Oops, we couldn't connect to NAME. Sign in failed.
Please check your username and password and try again. when using the web client,
ensure that you enabled connections from other clients.

We couldn't connect to the remote PC because of a security error

If you come across an error saying Oops, we couldn't connect to NAME. We couldn't
connect to the remote PC because of a security error. If this keeps happening, ask
your admin or tech support for help., you have Conditional Access policies restricting
access. Follow the instructions in Enforce Microsoft Entra multifactor authentication for
Azure Virtual Desktop using Conditional Access to enforce Microsoft Entra multifactor
authentication for your Microsoft Entra joined VMs.

Issue isn't listed here

If your issue isn't listed here, see Troubleshooting overview, feedback, and support for
Azure Virtual Desktop for information about how to open an Azure support case for
Azure Virtual Desktop.
Troubleshoot the Remote Desktop client
for macOS when connecting to Azure
Virtual Desktop
Article • 01/23/2024

This article describes issues you may experience with the Remote Desktop client for
macOS when connecting to Azure Virtual Desktop and how to fix them.

General
In this section you'll find troubleshooting guidance for general issues with the Remote
Desktop client.

You don't see the expected resources

If you don't see the remote resources you're expecting to see in the app, check the
account you're using. If you've already signed in with a different account than the one
you want to use for Azure Virtual Desktop, you should first sign out, then sign in again
with the correct account. If you're using the Remote Desktop Web client, you can use an
InPrivate browser window to try a different account.

If you're using the correct account, make sure your application group is associated with
a workspace.

Your account is configured to prevent you from using this device

If you come across an error saying Your account is configured to prevent you from
using this device. For more information, contact your system administrator, ensure the
user account was given the Virtual Machine User Login role on the VMs.

The user name or password is incorrect

If you can't sign in and keep receiving an error message that says your credentials are
incorrect, first make sure you're using the right credentials. If you keep seeing error
messages, check to make sure you've fulfilled the following requirements:

Have you assigned the Virtual Machine User Login role-based access control
(RBAC) permission to the virtual machine (VM) or resource group for each user?
Does your Conditional Access policy exclude multifactor authentication
requirements for the Azure Windows VM sign-in cloud application?

If you've answered "no" to either of those questions, you'll need to reconfigure your
multifactor authentication. To reconfigure your multifactor authentication, follow the
instructions in Enforce Microsoft Entra multifactor authentication for Azure Virtual
Desktop using Conditional Access.

Important

VM sign-ins don't support per-user enabled or enforced Microsoft Entra multifactor
authentication. If you try to sign in with multifactor authentication on a VM, you
won't be able to sign in and will receive an error message.

If you have integrated Microsoft Entra logs with Azure Monitor logs to access your
Microsoft Entra sign-in logs through Log Analytics, you can see if you've enabled
multifactor authentication and which Conditional Access policy is triggering the event.
The events shown are non-interactive user login events for the VM, which means the IP
address will appear to come from the external IP address from which your VM accesses
Microsoft Entra ID.

You can access your sign-in logs by running the following Kusto query:

Kusto

let UPN = "userupn";
AADNonInteractiveUserSignInLogs
| where UserPrincipalName == UPN
| where AppId == "372140e0-b3b7-4226-8ef9-d57986796201"
| project ['Time']=(TimeGenerated), UserPrincipalName,
AuthenticationRequirement, ['MFA Result']=ResultDescription, Status,
ConditionalAccessPolicies, DeviceDetail, ['Virtual Machine IP']=IPAddress,
['Cloud App']=ResourceDisplayName
| order by ['Time'] desc

Collect logs
Here's how to collect logs from the Remote Desktop client for macOS:

1. Open Microsoft Remote Desktop and make sure there aren't any connections to
devices or apps.

2. From the macOS menu bar, select Help, followed by Troubleshooting, then select
Logging.

3. Select a Core log level and a UI log level.

4. For When logging, write the output to, select the drop-down menu, then select
Choose Folder and choose which folder to save the logs to.

5. Select Start Logging.

6. Use the Remote Desktop client as you normally would. If you have an issue,
reproduce it.

7. Once you're finished, select Stop Logging. You can find the log file in the directory
you chose to save the logs to. You can open the files in a text editor, or provide
them to support.

Authentication and identity

In this section you'll find troubleshooting guidance for authentication and identity issues
with the Remote Desktop client.

Account switch detected

If you see the error Account switch detected, you need to refresh the Microsoft Entra
token. To refresh the Microsoft Entra token, do the following:

1. Delete any workspaces from the Remote Desktop client. For more information, see
Edit, refresh, or delete a workspace.

2. Open the Keychain Access app on your device.

3. Under Default Keychains, select login, then select All Items.

4. In the search box, enter https://www.wvd.microsoft.com.

5. Double-click to open an entry with the name accesstoken.

6. Copy the first part of the value for Account, up to the first hyphen, for example
70f0a61f.

7. Enter the value you copied into the search box.

8. Right-click and delete each entry containing this value.

9. If you have multiple entries when searching for https://www.wvd.microsoft.com,
repeat these steps for each entry.

10. Try to subscribe to a workspace again. For more information, see Connect to Azure
Virtual Desktop with the Remote Desktop client for macOS.

Display
In this section you'll find troubleshooting guidance for display issues with the Remote
Desktop client.

Blank screen or cursor skipping when using multiple monitors

Using multiple monitors in certain topologies can cause issues such as blank screens or
the cursor skipping. Often this is a result of customized display configurations that
create edge cases for the client's graphics algorithm when Retina optimizations are
turned on. We're aware of these issues and plan to resolve them in future updates. For
now, if you encounter display issues such as these, use a different configuration or
disable Retina optimization. To disable Retina optimization, see Display settings for
each remote desktop.

Issue isn't listed here

If your issue isn't listed here, see Troubleshooting overview, feedback, and support for
Azure Virtual Desktop for information about how to open an Azure support case for
Azure Virtual Desktop.
Troubleshoot the Remote Desktop client
for iOS and iPadOS when connecting to
Azure Virtual Desktop
Article • 11/21/2022

This article describes issues you may experience with the Remote Desktop client for iOS
and iPadOS when connecting to Azure Virtual Desktop and how to fix them.

General
In this section you'll find troubleshooting guidance for general issues with the Remote
Desktop client.

You don't see the expected resources

If you don't see the remote resources you're expecting to see in the app, check the
account you're using. If you've already signed in with a different account than the one
you want to use for Azure Virtual Desktop, you should first sign out, then sign in again
with the correct account. If you're using the Remote Desktop Web client, you can use an
InPrivate browser window to try a different account.

If you're using the correct account, make sure your application group is associated with
a workspace.

Your account is configured to prevent you from using this device

If you come across an error saying Your account is configured to prevent you from
using this device. For more information, contact your system administrator, ensure the
user account was given the Virtual Machine User Login role on the VMs.

The user name or password is incorrect

If you can't sign in and keep receiving an error message that says your credentials are
incorrect, first make sure you're using the right credentials. If you keep seeing error
messages, check to make sure you've fulfilled the following requirements:

Have you assigned the Virtual Machine User Login role-based access control
(RBAC) permission to the virtual machine (VM) or resource group for each user?
Does your Conditional Access policy exclude multi-factor authentication
requirements for the Azure Windows VM sign-in cloud application?

If you've answered "no" to either of those questions, you'll need to reconfigure your
multi-factor authentication. To reconfigure your multi-factor authentication, follow the
instructions in Enforce Azure Active Directory Multi-Factor Authentication for Azure
Virtual Desktop using Conditional Access.

Important

VM sign-ins don't support per-user enabled or enforced Azure AD Multi-Factor
Authentication. If you try to sign in with multi-factor authentication on a VM, you
won't be able to sign in and will receive an error message.

If you can access your Azure AD sign-in logs through Log Analytics, you can see if
you've enabled multi-factor authentication and which Conditional Access policy is
triggering the event. The events shown are non-interactive user login events for the VM,
which means the IP address will appear to come from the external IP address that your
VM accesses Azure AD from.

You can access your sign-in logs by running the following Kusto query:

Kusto

let UPN = "userupn";
AADNonInteractiveUserSignInLogs
| where UserPrincipalName == UPN
| where AppId == "38aa3b87-a06d-4817-b275-7a316988d93b"
| project ['Time']=(TimeGenerated), UserPrincipalName,
AuthenticationRequirement, ['MFA Result']=ResultDescription, Status,
ConditionalAccessPolicies, DeviceDetail, ['Virtual Machine IP']=IPAddress,
['Cloud App']=ResourceDisplayName
| order by ['Time'] desc

Authentication and identity

In this section you'll find troubleshooting guidance for authentication and identity issues
with the Remote Desktop client.

Delete existing security tokens

If you're having issues signing in due to a cached token that has expired, do the
following:

1. Open the Settings app for iOS or iPadOS.

2. From the list of apps, select RD Client.

3. Under AVD Security Tokens, toggle Delete on App Launch to On.

4. Try to subscribe to a workspace again. For more information, see Connect to Azure
Virtual Desktop with the Remote Desktop client for iOS and iPadOS.

5. Toggle Delete on App Launch to Off once you can connect again.

Issue isn't listed here

If your issue isn't listed here, see Troubleshooting overview, feedback, and support for
Azure Virtual Desktop for information about how to open an Azure support case for
Azure Virtual Desktop.
Troubleshoot the Remote Desktop client
for Android and Chrome OS when
connecting to Azure Virtual Desktop
Article • 11/21/2022

This article describes issues you may experience with the Remote Desktop client for
Android and Chrome OS when connecting to Azure Virtual Desktop and how to fix
them.

General
In this section you'll find troubleshooting guidance for general issues with the Remote
Desktop client.

You don't see the expected resources

If you don't see the remote resources you're expecting to see in the app, check the
account you're using. If you've already signed in with a different account than the one
you want to use for Azure Virtual Desktop, you should first sign out, then sign in again
with the correct account. If you're using the Remote Desktop Web client, you can use an
InPrivate browser window to try a different account.

If you're using the correct account, make sure your application group is associated with
a workspace.

Your account is configured to prevent you from using this device

If you come across an error saying Your account is configured to prevent you from
using this device. For more information, contact your system administrator, ensure the
user account was given the Virtual Machine User Login role on the VMs.

The user name or password is incorrect

If you can't sign in and keep receiving an error message that says your credentials are
incorrect, first make sure you're using the right credentials. If you keep seeing error
messages, check to make sure you've fulfilled the following requirements:

Have you assigned the Virtual Machine User Login role-based access control
(RBAC) permission to the virtual machine (VM) or resource group for each user?
Does your Conditional Access policy exclude multi-factor authentication
requirements for the Azure Windows VM sign-in cloud application?

If you've answered "no" to either of those questions, you'll need to reconfigure your
multi-factor authentication. To reconfigure your multi-factor authentication, follow the
instructions in Enforce Azure Active Directory Multi-Factor Authentication for Azure
Virtual Desktop using Conditional Access.

Important

VM sign-ins don't support per-user enabled or enforced Azure AD Multi-Factor
Authentication. If you try to sign in with multi-factor authentication on a VM, you
won't be able to sign in and will receive an error message.

If you can access your Azure AD sign-in logs through Log Analytics, you can see if
you've enabled multi-factor authentication and which Conditional Access policy is
triggering the event. The events shown are non-interactive user login events for the VM,
which means the IP address will appear to come from the external IP address that your
VM accesses Azure AD from.

You can access your sign-in logs by running the following Kusto query:

Kusto

let UPN = "userupn";
AADNonInteractiveUserSignInLogs
| where UserPrincipalName == UPN
| where AppId == "38aa3b87-a06d-4817-b275-7a316988d93b"
| project ['Time']=(TimeGenerated), UserPrincipalName,
AuthenticationRequirement, ['MFA Result']=ResultDescription, Status,
ConditionalAccessPolicies, DeviceDetail, ['Virtual Machine IP']=IPAddress,
['Cloud App']=ResourceDisplayName
| order by ['Time'] desc

Authentication and identity

In this section you'll find troubleshooting guidance for authentication and identity issues
with the Remote Desktop client.

Error code 2607 - We couldn't connect to the remote PC because your credentials did not work

If you come across an error saying We couldn't connect to the remote PC because your
credentials did not work. The remote machine is AADJ joined. with error code 2607
when using the Android client, ensure that you enabled connections from other clients.

Issue isn't listed here

If your issue isn't listed here, see Troubleshooting overview, feedback, and support for
Azure Virtual Desktop for information about how to open an Azure support case for
Azure Virtual Desktop.
Troubleshoot the Remote Desktop app
for Windows when connecting to Azure
Virtual Desktop
Article • 04/18/2023

This article describes issues you may experience with the Remote Desktop app for
Windows when connecting to Azure Virtual Desktop and how to fix them.

General
In this section you'll find troubleshooting guidance for general issues with the Remote
Desktop app.

You don't see the expected resources

If you don't see the remote resources you're expecting to see in the app, check the
account you're using. If you've already signed in with a different account than the one
you want to use for Azure Virtual Desktop, you should first sign out, then sign in again
with the correct account. If you're using the Remote Desktop Web client, you can use an
InPrivate browser window to try a different account.

If you're using the correct account, make sure your application group is associated with
a workspace.

Your account is configured to prevent you from using this device

If you come across an error saying Your account is configured to prevent you from
using this device. For more information, contact your system administrator, ensure the
user account was given the Virtual Machine User Login role on the VMs.

The user name or password is incorrect

If you can't sign in and keep receiving an error message that says your credentials are
incorrect, first make sure you're using the right credentials. If you keep seeing error
messages, check to make sure you've fulfilled the following requirements:

Have you assigned the Virtual Machine User Login role-based access control
(RBAC) permission to the virtual machine (VM) or resource group for each user?
Does your Conditional Access policy exclude multi-factor authentication
requirements for the Azure Windows VM sign-in cloud application?

If you've answered "no" to either of those questions, you'll need to reconfigure your
multi-factor authentication. To reconfigure your multi-factor authentication, follow the
instructions in Enforce Azure Active Directory Multi-Factor Authentication for Azure
Virtual Desktop using Conditional Access.

Important

VM sign-ins don't support per-user enabled or enforced Azure AD Multi-Factor
Authentication. If you try to sign in with multi-factor authentication on a VM, you
won't be able to sign in and will receive an error message.

If you can access your Azure AD sign-in logs through Log Analytics, you can see if
you've enabled multi-factor authentication and which Conditional Access policy is
triggering the event. The events shown are non-interactive user login events for the VM,
which means the IP address will appear to come from the external IP address that your
VM accesses Azure AD from.

You can access your sign-in logs by running the following Kusto query:

Kusto

let UPN = "userupn";
AADNonInteractiveUserSignInLogs
| where UserPrincipalName == UPN
| where AppId == "38aa3b87-a06d-4817-b275-7a316988d93b"
| project ['Time']=(TimeGenerated), UserPrincipalName,
AuthenticationRequirement, ['MFA Result']=ResultDescription, Status,
ConditionalAccessPolicies, DeviceDetail, ['Virtual Machine IP']=IPAddress,
['Cloud App']=ResourceDisplayName
| order by ['Time'] desc

Issue isn't listed here

If your issue isn't listed here, see Troubleshooting overview, feedback, and support for
Azure Virtual Desktop for information about how to open an Azure support case for
Azure Virtual Desktop.
Diagnose graphics performance issues in Remote Desktop
Article • 06/08/2021

To diagnose experience quality issues with your remote sessions, counters have been
provided under the RemoteFX Graphics section of Performance Monitor. This article
helps you pinpoint and fix graphics-related performance bottlenecks during Remote
Desktop Protocol (RDP) sessions using these counters.

Find your remote session name

You'll need your remote session name to identify the graphics performance counters.
Follow the instructions in this section to identify your instance of each counter.

1. Open the Windows command prompt from your remote session.
2. Run the qwinsta command and find your session name.

If your session is hosted in a multi-session virtual machine (VM): Your instance of
each counter is suffixed by the same number that suffixes your session name, such as
"rdp-tcp 37."
If your session is hosted in a VM that supports virtual Graphics Processing Units
(vGPU): Your instance of each counter is stored on the server instead of in your VM.
Your counter instances include the VM name instead of the number in the session
name, such as "Win8 Enterprise VM."

Note

While counters have RemoteFX in their names, they include remote desktop
graphics in vGPU scenarios as well.

Access performance counters

After you've determined your remote session name, follow these instructions to collect
the RemoteFX Graphics performance counters for your remote session.

1. Select Start > Administrative Tools > Performance Monitor.
2. In the Performance Monitor dialog box, expand Monitoring Tools, select
Performance Monitor, and then select Add.
3. In the Add Counters dialog box, from the Available Counters list, expand the
section for RemoteFX Graphics.
4. Select the counters to be monitored.
5. In the Instances of selected object list, select the specific instances to be
monitored for the selected counters and then select Add. To select all available
counter instances, select All instances.
6. After adding the counters, select OK.

The selected performance counters will appear on the Performance Monitor screen.

Note

Each active session on a host has its own instance of each performance counter.

Diagnose issues
Graphics-related performance issues generally fall into four categories:

Low frame rate
Random stalls
High input latency
Poor frame quality

Addressing low frame rate, random stalls, and high input latency
First check the Output Frames/Second counter. It measures the number of frames made
available to the client. If this value is less than the Input Frames/Second counter, frames
are being skipped. To identify the bottleneck, use the Frames Skipped/Second counters.

There are three types of Frames Skipped/Second counters:

Frames Skipped/Second (Insufficient Server Resources)
Frames Skipped/Second (Insufficient Network Resources)
Frames Skipped/Second (Insufficient Client Resources)

A high value for any of the Frames Skipped/Second counters implies that the problem is
related to the resource the counter tracks. For example, if the client doesn't decode and
present frames at the same rate the server provides the frames, the Frames
Skipped/Second (Insufficient Client Resources) counter will be high.
If the Output Frames/Second counter matches the Input Frames/Second counter, yet
you still notice unusual lag or stalling, Average Encoding Time may be the culprit.
Encoding is a synchronous process that occurs on the server in the single-session
(vGPU) scenario and on the VM in the multi-session scenario. Average Encoding Time
should be under 33 ms. If Average Encoding Time is under 33 ms but you still have
performance issues, there may be an issue with the app or operating system you are
using.

For more information about diagnosing app-related issues, see User Input Delay
performance counters.

Because RDP supports an Average Encoding Time of 33 ms, it supports an input frame
rate up to 30 frames/second. Note that 30 frames/second (one frame every 33 ms) is the
maximum supported frame rate. In
many cases, the frame rate experienced by the user will be lower, depending on how
often a frame is provided to RDP by the source. For example, tasks like watching a video
require a full input frame rate of 30 frames/second, but less computationally intensive
tasks like infrequently editing a document result in a much lower value for Input
Frames/Second with no degradation in the user's experience quality.

Addressing poor frame quality

Use the Frame Quality counter to diagnose frame quality issues. This counter expresses
the quality of the output frame as a percentage of the quality of the source frame. The
quality loss may be due to RemoteFX, or it may be inherent to the graphics source. If
RemoteFX caused the quality loss, the issue may be a lack of network or server
resources to send higher-fidelity content.

Mitigation
If server resources are causing the bottleneck, try one of the following approaches to
improve performance:

Reduce the number of sessions per host.
Increase the memory and compute resources on the server.
Drop the resolution of the connection.

If network resources are causing the bottleneck, try one of the following approaches to
improve network availability per session:

Reduce the number of sessions per host.
Use a higher-bandwidth network.
Drop the resolution of the connection.

If client resources are causing the bottleneck, try one of the following approaches to
improve performance:

Install the most recent Remote Desktop client.
Increase memory and compute resources on the client machine.

Note

We currently don't support the Source Frames/Second counter. For now, the Source
Frames/Second counter will always display 0.
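The decision procedure in the sections above, as an added example that is not part of this article: a Python script that takes RemoteFX Graphics counter samples (constructed values, not real measurements) and reports which resource the Frames Skipped/Second counters implicate, whether Average Encoding Time exceeds the 33 ms budget, and the matching steps from the Mitigation section. The frames/second tolerance and the Frame Quality threshold are assumptions; collecting the samples from Performance Monitor is left to the reader.

```python
"""Classify RDP graphics bottlenecks from RemoteFX Graphics counter samples.
Added example, not from the article; counter names are the Performance Monitor
counters the article names, and every numeric value below is constructed."""
from dataclasses import dataclass, field

MAX_ENCODING_MS = 33.0        # from the article: Average Encoding Time budget
FPS_MATCH_TOLERANCE = 0.5     # assumption: frames/s gap still treated as "matching"
MIN_FRAME_QUALITY_PCT = 60.0  # assumption: below this, flag a Frame Quality problem

# Remediation lists as given in the article's Mitigation section.
MITIGATIONS = {
    "server": ["Reduce the number of sessions per host.",
               "Increase the memory and compute resources on the server.",
               "Drop the resolution of the connection."],
    "network": ["Reduce the number of sessions per host.",
                "Use a higher-bandwidth network.",
                "Drop the resolution of the connection."],
    "client": ["Install the most recent Remote Desktop client.",
               "Increase memory and compute resources on the client machine."],
    "app": ["Encoding is within budget: check the User Input Delay counters."],
}


@dataclass
class RemoteFxSample:
    """One Performance Monitor sample for a single counter instance."""
    instance: str             # e.g. "rdp-tcp 37" on a multi-session VM
    input_fps: float          # Input Frames/Second
    output_fps: float         # Output Frames/Second
    skipped_server: float     # Frames Skipped/Second (Insufficient Server Resources)
    skipped_network: float    # Frames Skipped/Second (Insufficient Network Resources)
    skipped_client: float     # Frames Skipped/Second (Insufficient Client Resources)
    avg_encoding_ms: float    # Average Encoding Time
    frame_quality_pct: float  # Frame Quality (output quality as % of the source)


@dataclass
class Diagnosis:
    instance: str
    bottlenecks: list = field(default_factory=list)  # "server", "network", "client", "app"
    notes: list = field(default_factory=list)

    @property
    def mitigations(self) -> list:
        """Mitigation steps for every identified bottleneck, deduplicated in order."""
        out = []
        for b in self.bottlenecks:
            for step in MITIGATIONS[b]:
                if step not in out:
                    out.append(step)
        return out


def diagnose(s: RemoteFxSample, user_reports_lag: bool = False) -> Diagnosis:
    d = Diagnosis(s.instance)
    if s.output_fps < s.input_fps - FPS_MATCH_TOLERANCE:
        # Frames are being skipped: the Frames Skipped/Second counters say where.
        skipped = {"server": s.skipped_server, "network": s.skipped_network,
                   "client": s.skipped_client}
        for resource, rate in sorted(skipped.items(), key=lambda kv: kv[1], reverse=True):
            if rate > 0:
                d.bottlenecks.append(resource)
                d.notes.append(f"{rate:.1f} frames/s skipped: insufficient {resource} resources")
        if not d.bottlenecks:
            d.notes.append("output lags input but no Frames Skipped/Second counter is non-zero")
    elif user_reports_lag:
        # Frame rates match, yet the user still sees lag or stalls: check encoding.
        if s.avg_encoding_ms > MAX_ENCODING_MS:
            d.bottlenecks.append("server")
            d.notes.append(f"Average Encoding Time {s.avg_encoding_ms:.0f} ms exceeds "
                           f"{MAX_ENCODING_MS:.0f} ms")
        else:
            d.bottlenecks.append("app")
            d.notes.append("frame rate and encoding time are fine; suspect the app or OS")
    if s.frame_quality_pct < MIN_FRAME_QUALITY_PCT:
        # Frame Quality is independent of frame rate: RemoteFX lowers quality when
        # network or server resources are short, but the source itself may be poor.
        d.notes.append(f"Frame Quality {s.frame_quality_pct:.0f}%: check network and "
                       "server resources, or the graphics source")
    return d


# Constructed samples: a network-bound session, an encoding-bound session and a
# healthy low-activity session (editing a document needs few input frames).
SAMPLES = [
    RemoteFxSample("rdp-tcp 37", 30.0, 18.0, 0.0, 11.5, 0.0, 12.0, 92.0),
    RemoteFxSample("rdp-tcp 41", 30.0, 30.0, 0.0, 0.0, 0.0, 41.0, 95.0),
    RemoteFxSample("rdp-tcp 42", 5.0, 5.0, 0.0, 0.0, 0.0, 9.0, 97.0),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        result = diagnose(sample, user_reports_lag=True)
        print(result.instance, result.bottlenecks, *result.notes, *result.mitigations, sep="\n  ")
```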

Next steps
To create a GPU optimized Azure virtual machine, see Configure graphics
processing unit (GPU) acceleration for Azure Virtual Desktop environment.
For an overview of troubleshooting and escalation tracks, see Troubleshooting
overview, feedback, and support.
To learn more about the service, see Windows Desktop environment.
Troubleshoot connections to Microsoft Entra joined VMs
Article • 10/12/2023

Important

This content applies to Azure Virtual Desktop with Azure Resource Manager Azure
Virtual Desktop objects.

Use this article to resolve issues with connections to Microsoft Entra joined session host
VMs in Azure Virtual Desktop.

All clients

Your account is configured to prevent you from using this device
If you come across an error saying Your account is configured to prevent you from
using this device. For more information, contact your system administrator, ensure the
user account was given the Virtual Machine User Login role on the VMs.

The user name or password is incorrect

If you can't sign in and keep receiving an error message that says your credentials are
incorrect, first make sure you're using the right credentials. If you keep seeing error
messages, check to make sure you've fulfilled the following requirements:

Have you assigned the Virtual Machine User Login role-based access control
(RBAC) permission to the virtual machine (VM) or resource group for each user?
Does your Conditional Access policy exclude multifactor authentication
requirements for the Azure Windows VM sign-in cloud application?

If you've answered "no" to either of those questions, you'll need to reconfigure your
multifactor authentication. To reconfigure your multifactor authentication, follow the
instructions in Enforce Microsoft Entra multifactor authentication for Azure Virtual
Desktop using Conditional Access.

Important

VM sign-ins don't support per-user enabled or enforced Microsoft Entra multifactor
authentication. If you try to sign in with multifactor authentication on a VM, you
won't be able to sign in and will receive an error message.

If you can access your Microsoft Entra sign-in logs through Log Analytics, you can see if
you've enabled multifactor authentication and which Conditional Access policy is
triggering the event. The events shown are non-interactive user login events for the VM,
which means the IP address will appear to come from the external IP address that your
VM accesses Microsoft Entra ID from.

You can access your sign-in logs by running the following Kusto query:

Kusto

let UPN = "userupn";
AADNonInteractiveUserSignInLogs
| where UserPrincipalName == UPN
| where AppId == "38aa3b87-a06d-4817-b275-7a316988d93b"
| project ['Time']=(TimeGenerated), UserPrincipalName,
AuthenticationRequirement, ['MFA Result']=ResultDescription, Status,
ConditionalAccessPolicies, DeviceDetail, ['Virtual Machine IP']=IPAddress,
['Cloud App']=ResourceDisplayName
| order by ['Time'] desc

Windows Desktop client

The logon attempt failed

If you come across an error saying The logon attempt failed on the Windows Security
credential prompt, verify the following:

You're using a device that is Microsoft Entra joined or Microsoft Entra hybrid joined
to the same Microsoft Entra tenant as the session host.
The PKU2U protocol is enabled on both the local PC and the session host.
Per-user multifactor authentication is disabled for the user account as it's not
supported for Microsoft Entra joined VMs.

The sign-in method you're trying to use isn't allowed

If you come across an error saying The sign-in method you're trying to use isn't
allowed. Try a different sign-in method or contact your system administrator, you
have Conditional Access policies restricting access. Follow the instructions in Enforce
Microsoft Entra multifactor authentication for Azure Virtual Desktop using Conditional
Access to enforce Microsoft Entra multifactor authentication for your Microsoft Entra
joined VMs.

A specified logon session does not exist. It may already have been terminated.
If you come across an error that says, An authentication error occurred. A specified
logon session does not exist. It may already have been terminated, verify that you
properly created and configured the Kerberos server object when configuring single
sign-on.

Web client

Sign in failed. Please check your username and password and try again
If you come across an error saying Oops, we couldn't connect to NAME. Sign in failed.
Please check your username and password and try again. when using the web client,
ensure that you enabled connections from other clients.

We couldn't connect to the remote PC because of a security error
If you come across an error saying Oops, we couldn't connect to NAME. We couldn't
connect to the remote PC because of a security error. If this keeps happening, ask
your admin or tech support for help., you have Conditional Access policies restricting
access. Follow the instructions in Enforce Microsoft Entra multifactor authentication for
Azure Virtual Desktop using Conditional Access to enforce Microsoft Entra multifactor
authentication for your Microsoft Entra joined VMs.

Android and Chrome OS client

Error code 2607 - We couldn't connect to the remote PC because your credentials did not work
If you come across an error saying We couldn't connect to the remote PC because your
credentials did not work. The remote machine is AADJ joined. with error code 2607
when using the Android client, ensure that you enabled connections from other clients.

Provide feedback
Visit the Azure Virtual Desktop Tech Community to discuss the Azure Virtual Desktop
service with the product team and active community members.

Next steps
For an overview on troubleshooting Azure Virtual Desktop and the escalation
tracks, see Troubleshooting overview, feedback, and support.
To troubleshoot issues while creating an Azure Virtual Desktop environment and
host pool in an Azure Virtual Desktop environment, see Environment and host pool
creation.
To troubleshoot issues while configuring a virtual machine (VM) in Azure Virtual
Desktop, see Session host virtual machine configuration.
To troubleshoot issues related to the Azure Virtual Desktop agent or session
connectivity, see Troubleshoot common Azure Virtual Desktop Agent issues.
To troubleshoot issues when using PowerShell with Azure Virtual Desktop, see
Azure Virtual Desktop PowerShell.
To go through a troubleshoot tutorial, see Tutorial: Troubleshoot Resource
Manager template deployments.
Troubleshoot device redirections for Azure Virtual Desktop
Article • 11/14/2023

Important

This content applies to Azure Virtual Desktop with Azure Resource Manager Azure
Virtual Desktop objects.

Use this article to resolve issues with device redirections in Azure Virtual Desktop.

WebAuthn redirection
If WebAuthn requests from the session aren't redirected to the local PC, check to make
sure you've fulfilled the following requirements:

Are you using supported operating systems for in-session passwordless
authentication on both the local PC and session host?
Have you enabled WebAuthn redirection as a device redirection?

If you've answered "yes" to both of the earlier questions but still don't see the option to
use Windows Hello for Business or security keys when accessing Microsoft Entra
resources, make sure you've enabled the FIDO2 security key method for the user
account in Microsoft Entra ID. To enable this method, follow the directions in Enable
FIDO2 security key method.

If a user signs in to the session host with a single-factor credential like username and
password, then tries to access a Microsoft Entra resource that requires MFA, they may
not be able to use Windows Hello for Business. The user should follow these instructions
to authenticate properly:

1. If the user isn't prompted for a user account, they should first sign out.
2. On the account selection page, select Use another account.
3. Next, choose Sign-in options at the bottom of the window.
4. After that, select Sign in with Windows Hello or a security key. They should see an
option to select Windows Hello or security authentication methods.

Provide feedback
Visit the Azure Virtual Desktop Tech Community to discuss the Azure Virtual Desktop
service with the product team and active community members.

Next steps
For an overview on troubleshooting Azure Virtual Desktop and the escalation
tracks, see Troubleshooting overview, feedback, and support.
To troubleshoot issues while creating an Azure Virtual Desktop environment and
host pool in an Azure Virtual Desktop environment, see Environment and host pool
creation.
To troubleshoot issues while configuring a virtual machine (VM) in Azure Virtual
Desktop, see Session host virtual machine configuration.
To troubleshoot issues related to the Azure Virtual Desktop agent or session
connectivity, see Troubleshoot common Azure Virtual Desktop Agent issues.
To troubleshoot issues when using PowerShell with Azure Virtual Desktop, see
Azure Virtual Desktop PowerShell.
To go through a troubleshooting tutorial, see Tutorial: Troubleshoot Resource
Manager template deployments.
Troubleshoot Azure Virtual Desktop Insights
Article • 09/12/2023

This article presents known issues and solutions for common problems in Azure Virtual
Desktop Insights.

Important

The Log Analytics Agent is currently being deprecated. If you use the Log
Analytics Agent for Azure Virtual Desktop support, you'll eventually need to
migrate to the Azure Monitor Agent by August 31, 2024.

Azure Monitor Agent

Issues with configuration and setup

If the configuration workbook isn't working properly to automate setup, you can
use these resources to set up your environment manually:

To manually enable diagnostics or access the Log Analytics workspace, see
Send Azure Virtual Desktop diagnostics to Log Analytics.
To install the Azure Monitor Agent extension on a session host manually, see
Azure Monitor Agent virtual machine extension for Windows.
To set up a new Log Analytics workspace, see Create a Log Analytics
workspace in the Azure portal.
To validate the Data Collection Rules in use, see View data collection rules.

My data isn't displaying properly

If your data isn't displaying properly, check the following common solutions:

First, make sure you've set up correctly with the configuration workbook as
described in Use Azure Virtual Desktop Insights to monitor your deployment.
If you're missing any counters or events, the data associated with them won't
appear in the Azure portal.
Check your access permissions & contact the resource owners to request
missing permissions; anyone monitoring Azure Virtual Desktop requires the
following permissions:
Read-access to the Azure resource groups that hold your Azure Virtual
Desktop resources
Read-access to the subscription's resource groups that hold your Azure
Virtual Desktop session hosts
Read-access to whichever Log Analytics workspaces you're using
You may need to open outgoing ports in your server's firewall to allow Azure
Monitor to send data to the portal. To learn how to do this, see Firewall
requirements.
If you're not seeing data from recent activity, you may need to wait for 15
minutes and refresh the feed. Azure Monitor has a 15-minute latency period
for populating log data. To learn more, see Log data ingestion time in Azure
Monitor.

If you're not missing any information but your data still isn't displaying properly,
there may be an issue in the query or the data sources. For more information, see
known issues and limitations.

I want to customize Azure Virtual Desktop Insights
Azure Virtual Desktop Insights uses Azure Monitor Workbooks. Workbooks lets you save
a copy of the Azure Virtual Desktop workbook template and make your own
customizations.

By design, custom Workbook templates will not automatically adopt updates from the
products group. For more information, see Troubleshooting workbook-based insights
and the Workbooks overview.

I can't interpret the data

Learn more about data terms at the Azure Virtual Desktop Insights glossary.

Azure Monitor Agent

The data I need isn't available

If this article doesn't have the data point you need to resolve an issue, you can send
us feedback at the following places:

To learn how to leave feedback, see Troubleshooting overview, feedback, and
support for Azure Virtual Desktop.
You can also leave feedback for Azure Virtual Desktop at the Azure Virtual
Desktop feedback hub.

Known issues and limitations

The following are issues and limitations we're aware of and working to fix:

To save favorite settings, you have to save a custom template of the workbook.
Custom templates won't automatically adopt updates from the product group.
The configuration workbook will sometimes show query failed errors when loading
your selections. Refresh the query, reenter your selection if needed, and the error
should resolve itself.
Some error messages aren't phrased in a user-friendly way, and not all error
messages are described in documentation.
The total sessions performance counter can over-count sessions by a small number
and your total sessions may appear to go above your Max Sessions limit.
Available sessions count doesn't reflect scaling policies on the host pool.
Do you see contradicting or unexpected connection times? While rare, a
connection's completion event can go missing and can impact some visuals and
metrics.
Time to connect includes the time it takes users to enter their credentials; this
correlates to the experience but in some cases can show false peaks.

Next steps
To get started, see Use Azure Virtual Desktop Insights to monitor your deployment.
To estimate, measure, and manage your data storage costs, see Estimate Azure
Monitor costs.
Check out our glossary to learn more about terms and concepts related to Azure
Virtual Desktop Insights.
Troubleshoot Azure Files authentication with Active Directory
Article • 10/12/2023

This article describes common issues related to Azure Files authentication with an Active
Directory Domain Services (AD DS) domain or Microsoft Entra Domain Services
managed domain, and suggestions for how to fix them.

My group membership isn't working

When you add a virtual machine (VM) to an AD DS group, you must restart that VM to
activate its membership within the service.

I can't add my storage account to my AD DS domain
First, check Unable to mount Azure file shares with AD credentials to see if your problem
is listed there.

Here are the most common reasons users may come across issues:

Ignoring any warning messages that appear when creating the account in
PowerShell. Ignoring warnings may cause the new account to have incorrectly
configured settings. To fix this issue, you should delete the domain account that
represents the storage account and try again.

The account is using an incorrect organizational unit (OU). To fix this issue, reenter
the OU information with the following syntax:

PowerShell

DC=ouname,DC=domainprefix,DC=topleveldomain

For example:

PowerShell

DC=storageAccounts,DC=wvdcontoso,DC=com

If the storage account doesn't instantly appear in your Microsoft Entra ID, don't
worry. It usually takes 30 minutes for a new storage account to sync with Microsoft
Entra ID, so be patient. If the sync doesn't happen after 30 minutes, see the next
section.

My AD DS group won't sync to Microsoft Entra ID
If your storage account doesn't automatically sync with Microsoft Entra ID after 30
minutes, you'll need to force the sync by using this script.

My storage account says it needs additional permissions
If your storage account needs additional permissions, you may not have assigned the
required Azure role-based access control (RBAC) role to users or NTFS permissions. To
fix this issue, make sure you've assigned one of these permissions to users who need to
access the share:

The Storage File Data SMB Share Contributor RBAC permission.

The Read & Execute and List folder content NTFS permissions.

Next steps
If you need to refresh your memory about the Azure Files setup process, see Set up
FSLogix Profile Container with Azure Files and Active Directory Domain Services or
Microsoft Entra Domain Services.
Troubleshooting connection quality in Azure Virtual Desktop
Article • 07/01/2024

If you experience issues with graphical quality in your Azure Virtual Desktop connection,
you can use the Network Data diagnostic table to figure out what's going on. Graphical
quality during a connection is affected by many factors, such as network configuration,
network load, or virtual machine (VM) load. The Connection Network Data table can
help you figure out which factor is causing the issue.

Addressing round trip time

In Azure Virtual Desktop, latency up to 150 ms shouldn’t impact user experience that
doesn't involve rendering or video. Latencies between 150 ms and 200 ms should be
fine for text processing. Latency above 200 ms may impact user experience.

In addition, the Azure Virtual Desktop connection depends on the internet connection
of the machine the user is using the service from. Users may lose connection or
experience input delay in one of the following situations:

The user doesn't have a stable local internet connection and the latency is over 200
ms.
The network is saturated or rate-limited.

To reduce round trip time:

Reduce the physical distance between end-users and the server. When possible,
your end-users should connect to VMs in the Azure region closest to them.

Check your network configuration. Firewalls, ExpressRoutes, and other network
configuration features can affect round trip time.

Check if something is interfering with your network bandwidth. If your network's
available bandwidth is too low, you may need to change your network settings to
improve connection quality. Make sure your configured settings follow our
network guidelines.

Check your compute resources by looking at CPU utilization and available memory
on your VM. You can view your compute resources by following the instructions in
Configuring performance counters to set up a performance counter to track
certain information. For example, you can use the Processor Information(_Total)\%
Processor Time counter to track CPU utilization, or the Memory(*)\Available
Mbytes counter for available memory. Both of these counters are enabled by
default in Azure Virtual Desktop Insights. If both counters show that CPU usage is
too high or available memory is too low, your VM size or storage may be too small
to support your users' workloads, and you'll need to upgrade to a larger size.

Optimize VM latency by reviewing Azure network round-trip latency statistics
Round-trip time (RTT) latency from the client's network to the Azure region that contains
the host pools should be less than 150 ms. To see which locations have the best latency,
look up your desired location in Azure network round-trip latency statistics. To optimize
for network performance, we recommend you create session hosts in the Azure region
closest to your users. We recommend you review the statistics every two to three
months to make sure the optimal location hasn't changed as Azure Virtual Desktop rolls
out to new areas.

My connection data isn't going to Azure Log Analytics
If your Connection Network Data Logs aren't going to Azure Log Analytics every two
minutes, you'll need to check the following things:

Make sure you've configured the diagnostic settings correctly.
Make sure you've configured the VM correctly.
Make sure you're actively using the session. Sessions that aren't actively used won't
send data to Azure Log Analytics as frequently.

Next steps
For more information about how to diagnose connection quality, see Connection quality
in Azure Virtual Desktop.

Troubleshoot RDP Shortpath for public networks
Article • 11/01/2024

If you're having issues when using RDP Shortpath for public networks, use the
information in this article to help troubleshoot.

Verifying STUN/TURN server connectivity and NAT type
You can validate connectivity to the STUN/TURN endpoints and verify that basic UDP
functionality works by running the executable avdnettest.exe. Here's a download link to
the latest version of avdnettest.exe.

You can run avdnettest.exe by double-clicking the file, or running it from the command
line. The output will look similar to this if connectivity is successful:

Checking DNS service ... OK
Checking TURN support ... OK
Checking ACS server 20.202.68.109:3478 ... OK
Checking ACS server 20.202.21.66:3478 ... OK

You have access to TURN servers and your NAT type appears to be 'cone
shaped'.
Shortpath for public networks is very likely to work on this host.
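An added example that is neither the article's nor the tool's own code: a small Python parser for the avdnettest.exe output format shown above, so results from many session hosts can be summarised as pass/fail per check. The success-case lines mirror the output above; what the tool prints when a check fails is an assumption (the sample uses FAILED, and 'symmetric' as a non-cone NAT label), and both sample outputs are constructed.

```python
"""Parse avdnettest.exe output into a structured connectivity report.
Added example, not from the article or the tool. Line shapes come from the
successful run in the article; the failure strings are assumptions."""
import re

CHECK_RE = re.compile(r"^Checking (?P<what>.+?) \.\.\. (?P<result>\S+)$")
SERVER_RE = re.compile(r"^ACS server (?P<endpoint>\d{1,3}(?:\.\d{1,3}){3}:\d+)$")
NAT_RE = re.compile(r"NAT type appears to be '(?P<nat>[^']+)'")

# Constructed sample outputs. OK_OUTPUT mirrors the article's example run;
# BLOCKED_OUTPUT assumes failed checks print FAILED (an assumption).
OK_OUTPUT = """\
Checking DNS service ... OK
Checking TURN support ... OK
Checking ACS server 20.202.68.109:3478 ... OK
Checking ACS server 20.202.21.66:3478 ... OK

You have access to TURN servers and your NAT type appears to be 'cone shaped'.
Shortpath for public networks is very likely to work on this host.
"""

BLOCKED_OUTPUT = """\
Checking DNS service ... OK
Checking TURN support ... FAILED
Checking ACS server 20.202.68.109:3478 ... FAILED
Checking ACS server 20.202.21.66:3478 ... FAILED

Your NAT type appears to be 'symmetric'.
"""


def parse_avdnettest(text: str) -> dict:
    """Return {dns, turn, servers: {endpoint: ok}, nat_type} from tool output."""
    report = {"dns": None, "turn": None, "servers": {}, "nat_type": None}
    for raw in text.splitlines():
        line = raw.strip()
        m = CHECK_RE.match(line)
        if m:
            what, ok = m.group("what"), m.group("result") == "OK"
            if what == "DNS service":
                report["dns"] = ok
            elif what == "TURN support":
                report["turn"] = ok
            else:
                sm = SERVER_RE.match(what)
                if sm:
                    report["servers"][sm.group("endpoint")] = ok
            continue
        m = NAT_RE.search(line)
        if m:
            report["nat_type"] = m.group("nat")
    return report


def shortpath_likely(report: dict) -> bool:
    """True when the checks match the article's success case: DNS and TURN OK,
    at least one ACS server reachable over UDP, and a cone-shaped NAT."""
    return bool(report["dns"] and report["turn"]
                and any(report["servers"].values())
                and report["nat_type"] == "cone shaped")


def failed_checks(report: dict) -> list:
    """Names of the checks that did not pass, for a per-host summary line."""
    failed = [name for name in ("dns", "turn") if not report[name]]
    failed += [f"server {ep}" for ep, ok in report["servers"].items() if not ok]
    if report["nat_type"] != "cone shaped":
        failed.append(f"nat type {report['nat_type']!r}")
    return failed


if __name__ == "__main__":
    for label, text in (("ok-host", OK_OUTPUT), ("blocked-host", BLOCKED_OUTPUT)):
        rep = parse_avdnettest(text)
        print(label, "shortpath likely" if shortpath_likely(rep) else failed_checks(rep))
```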

Error information logged in Log Analytics

Here are some error titles you may see logged in Log Analytics and what they mean.

ShortpathTransportNetworkDrop
For TCP we differentiate two different paths - the session host to the gateway, and the
gateway to client - but that doesn’t make sense for UDP since there isn't a gateway. The
other distinction for TCP is that in many cases one of the endpoints, or maybe some
infrastructure in the middle, generates a TCP Reset packet (RST control bit), which causes
a hard shutdown of the TCP connection. This works because TCP RST (and also TCP FIN
for graceful shutdown) is handled by the operating system and also some routers, but
not the application. This means that if an application crashes, Windows will notify the
peer that the TCP connection is gone, but no such mechanism exists for UDP.

Most connection errors, such as ConnectionFailedClientDisconnect and
ConnectionFailedServerDisconnect, are caused by TCP Reset packets, not a timeout.
There's no way for the operating system or a router to signal anything with UDP, so the
only way to know the peer is gone is by a timeout message.

ShortpathTransportReliabilityThresholdFailure
This error gets triggered if a specific packet doesn’t get through, even though the
connection isn't dead. The packet is resent up to 50 times, so it's unlikely but can
happen in the following scenarios:

1. The connection was very fast and stable before it suddenly stops working. The
timeout required until a packet is declared lost depends on the round-trip time
(RTT) between the client and session host. If the RTT is very low, one side can try to
resend a packet very frequently, so the time it takes to reach 50 tries can be less
than the usual timeout value of 17 seconds.

2. The packet is very large. The maximum packet size that can be transmitted is
limited. The size of the packet is probed, but it can fluctuate and sometimes shrink.
If that happens, it's possible that the packet being sent is too large and will
consistently fail.

ConnectionBrokenMissedHeartbeatThresholdExceeded
This is an RDP-level timeout. Due to misconfiguration, the RDP level timeout would
sometimes trigger before the UDP-level timeout.

Troubleshoot multimedia redirection for Azure Virtual Desktop
Article • 10/15/2024

Important

Call redirection is currently in PREVIEW. See the Supplemental Terms of Use for
Microsoft Azure Previews for legal terms that apply to Azure features that are in
beta, preview, or otherwise not yet released into general availability.

This article describes known issues and troubleshooting instructions for multimedia
redirection for Azure Virtual Desktop and Windows 365.

Known issues and limitations

Here are the current known issues and limitations for multimedia redirection:

In the first browser tab a user opens, the extension pop-up might show the
message The extension is not loaded or a message that says video playback or
call redirection isn't supported while redirection is working correctly in the tab. You
can resolve this issue by opening a second tab.

Multimedia redirection only works on Windows. Any other platforms, such as the
macOS, iOS, Android, or connecting to a remote session in a web browser on any
platform, don't support multimedia redirection.

Multimedia redirection doesn't work as expected if the session hosts in your
deployment block cmd.exe.

If you aren't using the default Windows size settings for video players, such as not
fitting the player to window, not maximizing the window, parts of video players
might not appear correctly. If you encounter this issue, you should change the
settings back to the default settings.

If your monitor or browser scale factor isn't set to 100%, you might see a grey
pattern appear on the video screen.

Known issues for video playback redirection

Video playback redirection doesn't support protected content.
When you resize the video window, the window's size adjusts faster than the video
itself. You also see this issue when minimizing and maximizing the window.

If you access a video site, sometimes the video remains in a loading or buffering
state but never actually starts playing. For now, you can make videos load again by
signing out of your remote session and signing in again.

Known issues for call redirection


Call redirection only works for WebRTC-based audio calls on the sites listed in Call
redirection.

When you disconnect from a remote session, call redirection might stop working.
You can make redirection start working again by refreshing the webpage.

If you see issues on a supported WebRTC audio calling site and enabled the Enable
video playback for all sites setting in the multimedia redirection extension pop-
up, disable the setting and try again.

The MSI installer doesn't install the browser extension


If the .msi file doesn't install the browser extension, you can install the multimedia
redirection extension from the Microsoft Edge Store or Google Chrome Store. You
need to use the following links as the extension isn't searchable:
Multimedia redirection browser extension (Microsoft Edge)
Multimedia browser extension (Google Chrome)

Installing the extension on host machines with the MSI installer prompts users to
either accept the extension the first time they open the browser or display a
warning or error message. If users deny this prompt, it can cause the extension to
not load. To avoid this issue, install the extensions by editing the group policy.

Sometimes the host and client version number disappears from the extension
status message, which prevents the extension from loading on websites that
support it. If you installed the extension correctly, this issue is because your host
machine doesn't have the latest C++ Redistributable installed. To fix this issue,
install the latest supported Visual C++ Redistributable downloads.

Getting help for call redirection and video playback

If you can start a call with multimedia redirection enabled and can see the green phone
icon on the extension icon while calling, but the call quality is low, you should contact
the app provider for help.

If calls aren't going through, certain features don't work as expected while multimedia
redirection is enabled, or multimedia redirection doesn't enable at all, you must submit
a Microsoft support ticket.

If you encounter any video playback issues that this guide doesn't address or resolve,
submit a Microsoft support ticket.

Collect logs
If a web page isn't working as expected with multimedia redirection, you can collect logs
to help troubleshoot the issue. To collect logs:

1. Select the extension icon in your browser.

2. Select Show Advanced Settings.

3. For Collect logs, select Start.

4. Reproduce the issue on the web page, then select the extension icon again and for
Collect logs, select Stop. Your browser automatically prompts you to download
one or more log files that you can save and use with support cases.

Next steps
For more information about this feature and how it works, see What is multimedia
redirection for Azure Virtual Desktop?.

To learn how to use this feature, see Multimedia redirection for Azure Virtual Desktop.



Troubleshoot Microsoft Teams for Azure
Virtual Desktop
Article • 06/20/2024

This article describes known issues and limitations for Teams on Azure Virtual Desktop,
as well as how to log issues and contact support.

Known issues and limitations


Using Teams in a virtualized environment is different from using Teams in a
nonvirtualized environment. For more information about the limitations of Teams in
virtualized environments, check out Teams for Virtualized Desktop Infrastructure.

Client deployment, installation, and set up


With per-machine installation, Teams on VDI isn't automatically updated the same
way non-VDI Teams clients are. To update the client, you'll need to update the VM
image by installing a new MSI.
Media optimization for Teams is only supported for the Remote Desktop client on
machines running Windows 10 or later or macOS 10.14 or later.
Use of explicit HTTP proxies defined on the client endpoint device should work,
but isn't supported.
Zoom in/zoom out of chat windows isn't supported.
Media optimization isn't supported for Teams running as a RemoteApp on macOS
endpoints.

Calls and meetings


Incoming and outgoing video stream resolution is limited to 720p.
The Teams app doesn't support HID buttons or LED controls with other devices.
This feature doesn't support uploading custom background images.
This feature doesn't support taking screenshots for incoming videos from the
virtual machine (VM). As a workaround, we recommend you minimize the session
desktop window and screenshot from the client machine instead.
This feature doesn't support content sharing for redirected videos during screen
sharing and application window sharing.
The following issues occur during application window sharing:
You can't select minimized windows. In order to select windows, you'll need to
maximize them first.
If you've opened a window overlapping the window you're currently sharing
during a meeting, the contents of the shared window that are covered by the
overlapping window won't update for meeting users.
If you're sharing admin windows for programs like Task Manager in Windows,
meeting participants may see a black area where the presenter toolbar or call
monitor is located.
Switching tenants can result in call-related issues such as screen sharing not
rendering correctly. You can mitigate these issues by restarting your Teams client.
Teams doesn't support the ability to be on a native Teams call and a Teams call in
the Azure Virtual Desktop session simultaneously while connected to a HID device.

For Teams known issues that aren't related to virtualized environments, see Support
Teams in your organization.

Remote Desktop WebRTC Redirector Service


The Remote Desktop WebRTC Redirector Service isn't pre-installed on the following
Azure marketplace images:

Windows 11 Enterprise multi-session + Microsoft 365 Apps Version 23H2 (build
22631.3593).
Windows 11 Enterprise multi-session + Microsoft 365 Apps Version 22H2 (build
22621.3593).

To resolve the issue, either redeploy session hosts using the latest marketplace image
where the WebRTC Redirector Service is pre-installed, or install it separately. You can
find the download link and steps at Install the Remote Desktop WebRTC Redirector
Service.

Collect Teams logs


If you encounter issues with the Teams desktop app in your Azure Virtual Desktop
environment, collect client logs under %appdata%\Microsoft\Teams\logs.txt on the
host VM.

If you encounter issues with calls and meetings, you can start collecting Teams
diagnostic logs with the key combination Ctrl + Alt + Shift + 1. Logs will be written to
%userprofile%\Downloads\MSTeams Diagnostics Log DATE_TIME.txt on the host VM.

Contact Microsoft Teams support

To contact Microsoft Teams support, go to the Microsoft 365 admin center.

Next steps
Learn more about how to set up Teams on Azure Virtual Desktop at Use Microsoft
Teams on Azure Virtual Desktop.

Learn more about the WebRTC Redirector Service for Teams on Azure Virtual Desktop at
What's new in the WebRTC Redirector Service.



Troubleshoot custom image templates
in Azure Virtual Desktop
Article • 06/24/2024

Custom image templates in Azure Virtual Desktop enable you to easily create a custom
image that you can use when deploying session host virtual machines (VMs). This article
helps troubleshoot some issues you could run into.

General troubleshooting when creating an image

Azure Image Builder uses Hashicorp Packer to create images. Packer outputs all log
entries to a file called customization.log. By default this file is located in a resource
group that Azure Image Builder created automatically with the naming convention
IT_<ResourceGroupName>_<TemplateName>_<GUID>. You can override this naming by
specifying your own name in the template creation phase.

In this resource group is a storage account with a blob container called packerlogs. In
the container is a folder named with a GUID in which you'll find the log file. Entries for
built-in scripts you use to customize your image begin Starting AVD AIB Customization:
{Script name}: {Timestamp}, to help you locate any errors related to the scripts.

To learn how to interpret Azure Image Builder logs, see Troubleshoot Azure VM Image
Builder.
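As an added example (not part of the Azure Virtual Desktop docs or the Azure Image Builder tooling), the following PowerShell function fetches customization.log from the staging resource group's packerlogs container and extracts the per-script "Starting AVD AIB Customization" markers together with any error lines. It assumes the Az.Storage module is installed, a signed-in Connect-AzAccount session, and that the staging resource group name is passed in; the resource group name in the usage line is a placeholder.

```powershell
# Added example, not from the Azure Virtual Desktop documentation.
# Downloads the Packer customization.log written by Azure Image Builder for a
# custom image template build and summarises it per built-in AVD script.
# Assumes Az.Accounts/Az.Storage and an existing Connect-AzAccount session.
function Get-AvdAibCustomizationLog {
    [CmdletBinding()]
    param(
        # The staging resource group Azure Image Builder created, named
        # IT_<ResourceGroupName>_<TemplateName>_<GUID> by default, or the
        # custom name you specified when creating the template.
        [Parameter(Mandatory)] [string] $StagingResourceGroup,
        # Local folder to save the downloaded log files into.
        [string] $Destination = (Join-Path $env:TEMP 'aib-logs')
    )

    New-Item -ItemType Directory -Path $Destination -Force | Out-Null

    # The staging resource group holds the storage account with the packerlogs container.
    $storageAccount = Get-AzStorageAccount -ResourceGroupName $StagingResourceGroup |
        Select-Object -First 1
    if (-not $storageAccount) {
        throw "No storage account found in resource group '$StagingResourceGroup'."
    }

    # customization.log lives in a GUID-named folder inside the packerlogs container.
    $blobs = Get-AzStorageBlob -Container 'packerlogs' -Context $storageAccount.Context |
        Where-Object { $_.Name -like '*/customization.log' }
    if (-not $blobs) {
        throw "No customization.log found in container 'packerlogs' of '$($storageAccount.StorageAccountName)'."
    }

    foreach ($blob in $blobs) {
        # Flatten the "<GUID>/customization.log" blob name into a single file name.
        $localPath = Join-Path $Destination ($blob.Name -replace '/', '_')
        Get-AzStorageBlobContent -Container 'packerlogs' -Blob $blob.Name `
            -Destination $localPath -Context $storageAccount.Context -Force | Out-Null

        # Built-in AVD scripts log "Starting AVD AIB Customization: {Script name}: {Timestamp}",
        # so these markers show where each script's section of the log begins.
        $markers = Select-String -Path $localPath -Pattern 'Starting AVD AIB Customization:' -SimpleMatch

        # Select-String is case-insensitive by default, so this catches "ERROR", "Failed", etc.
        $errorLines = Select-String -Path $localPath -Pattern '\b(error|failed|exception)\b'

        [pscustomobject]@{
            Blob       = $blob.Name
            LocalPath  = $localPath
            Scripts    = @($markers | ForEach-Object { $_.Line.Trim() })
            ErrorLines = @($errorLines | ForEach-Object { "$($_.LineNumber): $($_.Line.Trim())" })
        }
    }
}

# Usage (placeholder staging resource group name):
# Get-AvdAibCustomizationLog -StagingResourceGroup 'IT_rg-avd-images_win11-template_00000000-0000-0000-0000-000000000000'
```

Because the marker lines carry the script name and timestamp, comparing an error line's number against the nearest preceding marker tells you which customization script produced it.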

Important

Microsoft Support doesn't handle issues for any customer created scripts, or any
scripts or templates copied from a Microsoft repository and modified. You are
welcome to collaborate and improve these tools in our GitHub repository , where
you can open an issue. For more information, see Why do we not support
customer or third party scripts?

Resource group must be empty


If you specify your own resource group for Azure Image Builder to use, then it needs to
be empty before the image build starts. This means that if you want to reuse an existing
resource group for this purpose you'll just need to delete all the resources within it.
Alternatively, if you need to keep these items you can specify another new resource
group on the build properties tab of the template creation.

Script is unavailable
If you see the message Resource <URI> is unavailable. Please check the file exists, and
that Image Builder can access it, check the Uniform Resource Identifier (URI) for your
script. This needs to be a publicly available location, such as GitHub or a web service.

Azure Compute Gallery VM image definition generation mismatch

If you see the message Validation failed: Error with Hyper-V Version validation (cross-
generation for multiple Hyper-V Versions is not supported). The provided SIG:
<Resource ID> has a different Hyper-V Generation <version> than source image
<version>, make sure that the generation of your source image is the same as the
generation you specified for your Azure Compute Gallery VM image definition.

The generation for the source image is shown when you select the image you want to
use. You can check the generation of the VM image definition in the Azure portal, Azure
CLI using the az sig image-definition list reference command, or PowerShell using the
Get-AzGalleryImageDefinition cmdlet.

PrivateLinkService Network Policy is not disabled for the given subnet

If you receive the error message starting PrivateLinkService Network Policy is not
disabled for the given subnet, you need to disable the private service policy on the
subnet. For more information, see Disable private service policy on the subnet.

Issues installing or enabling additional languages on Windows 10 images

Additional languages can be added by custom image templates, which use the
Install-Language PowerShell cmdlet. If you have issues installing or enabling additional
languages on Windows 10 Enterprise and Windows 10 Enterprise multi-session images,
ensure that:

You haven't disabled installing language packs by group policy on your image. The
policy setting can be found at the following locations:

Computer Configuration > Administrative Templates > Control Panel > Regional and
Language Options > Restrict Language Pack and Language Feature Installation

User Configuration > Administrative Templates > Control Panel > Regional and
Language Options > Restrict Language Pack and Language Feature Installation

Your session hosts can connect to Windows Update to download languages and
latest cumulative updates.

Can't progress from the source image tab in the Azure portal

When you create a custom image template in the Azure portal, you might not be able to
progress from the Source image tab if you select the Azure Compute Gallery as the
Source type. A red X appears next to the tab name. As a workaround, select Previous to
return to the Basics tab, then select Next to return to the Source image tab. You should
now be able to progress to the next tab and a green check mark appears next to the tab
name.

Authorization error occurred during Azure Container Groups operation

Custom image templates require the Microsoft.ContainerInstance resource provider to be
registered on your subscription due to the dependency on Azure Image Builder. If you
receive the error The client '<GUID>' with object id '<GUID>' does not have
authorization to perform action 'Microsoft.ContainerInstance/register/action' over
scope '/subscriptions/<subscription ID>' or the scope is invalid, you need to
register the Microsoft.ContainerInstance resource provider on your subscription. Once
you register the resource provider, try the action again. For information on how you can
check the registration status of resource providers and how to register them if needed,
see Azure resource providers and types.



Troubleshoot app attach in Azure Virtual
Desktop
Article • 06/06/2024

If you're having issues when using app attach, use the information in this article to help
troubleshoot.

Check file share access


To validate that your session hosts have the necessary access to a file share containing
your MSIX images, you can use PsExec.

1. Download and install PsExec from Microsoft Sysinternals on a session host in your
host pool.

2. Open PowerShell as an administrator and run the following command, which will
start a new PowerShell session as the system account:

PowerShell

PsExec.exe -s -i powershell.exe

3. Verify that the context of the PowerShell session is the system account by running
the following command:

PowerShell

whoami

The output should be the following:

Output

nt authority\system

4. Mount an MSIX image from the file share manually by using one of the following
examples, changing the UNC paths to your own values.

To mount an MSIX image in .vhdx format, run the following command:

PowerShell

Mount-DiskImage -ImagePath \\fileshare\msix\MyApp.vhdx

To mount an MSIX image in .cim format, run the following commands. The
CimDiskImage PowerShell module from the PowerShell Gallery will be
installed, if it's not already.

PowerShell

# Install the CimDiskImage PowerShell module, if it's not already installed.
If (!(Get-Module -ListAvailable | ? Name -eq CimDiskImage)) {
    Install-Module CimDiskImage
}

# Import the CimDiskImage PowerShell module.
Import-Module CimDiskImage

# Mount the MSIX image.
Mount-CimDiskImage -ImagePath \\fileshare\msix\MyApp.cim -DriveLetter Z:

If the MSIX image mounts successfully, your session hosts have the correct
necessary access to the file share containing your MSIX images.

5. Dismount the MSIX image by using one of the following examples.

To dismount an MSIX image in .vhdx format, run the following command:

PowerShell

Dismount-DiskImage -ImagePath \\fileshare\msix\MyApp.vhdx

To dismount an MSIX image in .cim format, run the following commands:

PowerShell

Get-CimDiskImage | Dismount-CimDiskImage
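The manual steps above, wrapped into one function as an added example that is not part of the Azure Virtual Desktop documentation. It assumes it is run from the SYSTEM PowerShell session started with PsExec, that the CimDiskImage module can be installed from the PowerShell Gallery, and that the UNC paths in the usage lines are placeholders for your own share.

```powershell
# Added example, not from the Azure Virtual Desktop documentation.
# Checks that the session host's SYSTEM account can reach and mount an MSIX
# image (.vhdx or .cim) on the app attach file share, then dismounts it again.
# Run from the session started with "PsExec.exe -s -i powershell.exe".
function Test-AppAttachShareAccess {
    [CmdletBinding()]
    param(
        # UNC path to a .vhdx or .cim MSIX image on the file share (placeholder in usage below).
        [Parameter(Mandatory)] [string] $ImagePath,
        # Drive letter used only when mounting .cim images.
        [string] $DriveLetter = 'Z:'
    )

    $result = [ordered]@{
        ImagePath = $ImagePath
        Identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
        Reachable = $false
        Mounted   = $false
        Error     = $null
    }

    # Session hosts mount app attach images as the computer account, so the check is
    # only meaningful when it runs as SYSTEM rather than as the signed-in user.
    if ($result.Identity -ne 'NT AUTHORITY\SYSTEM') {
        Write-Warning "Running as $($result.Identity); start PowerShell with 'PsExec.exe -s -i powershell.exe' to test as SYSTEM."
    }

    # Step 1: can this identity see the image file on the share at all?
    $result.Reachable = Test-Path -LiteralPath $ImagePath -PathType Leaf
    if (-not $result.Reachable) {
        $result.Error = 'Image not reachable; check the share and NTFS permissions granted to the session host computer accounts.'
        return [pscustomobject]$result
    }

    # Step 2: mount and immediately dismount, choosing the method by image format.
    try {
        switch ([System.IO.Path]::GetExtension($ImagePath).ToLowerInvariant()) {
            '.vhdx' {
                Mount-DiskImage -ImagePath $ImagePath -ErrorAction Stop | Out-Null
                $result.Mounted = $true
                Dismount-DiskImage -ImagePath $ImagePath -ErrorAction Stop | Out-Null
            }
            '.cim' {
                # The CimDiskImage module from the PowerShell Gallery provides the .cim cmdlets.
                if (-not (Get-Module -ListAvailable -Name CimDiskImage)) {
                    Install-Module CimDiskImage -Scope AllUsers -Force
                }
                Import-Module CimDiskImage
                Mount-CimDiskImage -ImagePath $ImagePath -DriveLetter $DriveLetter -ErrorAction Stop | Out-Null
                $result.Mounted = $true
                Get-CimDiskImage | Dismount-CimDiskImage
            }
            default { throw "Unsupported image format '$_'; expected .vhdx or .cim." }
        }
    }
    catch {
        $result.Error = $_.Exception.Message
    }

    return [pscustomobject]$result
}

# Usage (placeholder UNC paths):
# Test-AppAttachShareAccess -ImagePath '\\fileshare\msix\MyApp.vhdx'
# Test-AppAttachShareAccess -ImagePath '\\fileshare\msix\MyApp.cim' -DriveLetter 'Z:'
```

A result with Reachable set to true but Mounted set to false points at a problem with the image or the mounting module rather than with share permissions.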

Next steps
Test MSIX packages with app attach or MSIX app attach.


az desktopvirtualization
Reference

Note

This reference is part of the desktopvirtualization extension for the Azure CLI
(version 2.55.0 or higher). The extension will automatically install the first time you
run an az desktopvirtualization command. Learn more about extensions.

Manage desktop virtualization.

Commands
Name | Description | Type | Status
az desktopvirtualization applicationgroup | Manage desktop virtualization application group. | Extension | GA
az desktopvirtualization applicationgroup create | Create an application group. | Extension | GA
az desktopvirtualization applicationgroup delete | Delete an application group. | Extension | GA
az desktopvirtualization applicationgroup list | List application groups. | Extension | GA
az desktopvirtualization applicationgroup show | Show an application group. | Extension | GA
az desktopvirtualization applicationgroup update | Update an application group. | Extension | GA
az desktopvirtualization hostpool | Manage desktop virtualization host pool. | Extension | GA
az desktopvirtualization hostpool create | Create a host pool. | Extension | GA
az desktopvirtualization hostpool delete | Delete a host pool. | Extension | GA
az desktopvirtualization hostpool list | List host pools. | Extension | GA
az desktopvirtualization hostpool retrieve-registration-token | Registration token of the host pool. | Extension | GA
az desktopvirtualization hostpool show | Show a host pool. | Extension | GA
az desktopvirtualization hostpool update | Update a host pool. | Extension | GA
az desktopvirtualization workspace | Manage desktop virtualization workspace. | Extension | GA
az desktopvirtualization workspace create | Create a workspace. | Extension | GA
az desktopvirtualization workspace delete | Delete a workspace. | Extension | GA
az desktopvirtualization workspace list | List workspaces. | Extension | GA
az desktopvirtualization workspace show | Show a workspace. | Extension | GA
az desktopvirtualization workspace update | Update a workspace. | Extension | GA

Az.DesktopVirtualization
Reference

Microsoft Azure PowerShell: DesktopVirtualization cmdlets

DesktopVirtualization
Name | Description
Disconnect-AzWvdUserSession | Disconnect a userSession.
Expand-AzWvdMsixImage | Expands and lists MSIX packages in an image, given the image path.
Get-AzWvdAppAttachPackage | Get an app attach package.
Get-AzWvdApplication | Get an application.
Get-AzWvdApplicationGroup | Get an application group.
Get-AzWvdDesktop | Get a desktop.
Get-AzWvdHostPool | Get a host pool.
Get-AzWvdHostPoolRegistrationToken | Operation to list the RegistrationTokens associated with the HostPool.
Get-AzWvdMsixPackage | Get a msixpackage.
Get-AzWvdPrivateEndpointConnection | Get a private endpoint connection.
Get-AzWvdPrivateLinkResource | List the private link resources available for this workspace.
Get-AzWvdRegistrationInfo | Get the Windows virtual desktop registration info.
Get-AzWvdScalingPlan | Get a scaling plan.
Get-AzWvdScalingPlanPersonalSchedule | Get a ScalingPlanPersonalSchedule.
Get-AzWvdScalingPlanPooledSchedule | Get a ScalingPlanPooledSchedule.
Get-AzWvdSessionHost | Get a session host.
Get-AzWvdStartMenuItem | List start menu items in the given application group.
Get-AzWvdUserSession | Get a userSession.
Get-AzWvdWorkspace | Get a workspace.
Import-AzWvdAppAttachPackageInfo | Gets information from a package given the path to the package.
New-AzWvdAppAttachPackage | Create an App Attach package.
New-AzWvdApplication | Create an application.
New-AzWvdApplicationGroup | Create an applicationGroup.
New-AzWvdHostPool | Create a host pool.
New-AzWvdMsixPackage | Create a MSIX package.
New-AzWvdRegistrationInfo | Create Windows virtual desktop registration info.
New-AzWvdScalingPlan | Create a scaling plan.
New-AzWvdScalingPlanPersonalSchedule | Create a ScalingPlanPersonalSchedule.
New-AzWvdScalingPlanPooledSchedule | Create a ScalingPlanPooledSchedule.
New-AzWvdWorkspace | Create a workspace.
Register-AzWvdApplicationGroup | Register a Windows virtual desktop application group.
Remove-AzWvdAppAttachPackage | Remove an App Attach Package.
Remove-AzWvdApplication | Remove an application.
Remove-AzWvdApplicationGroup | Remove an applicationGroup.
Remove-AzWvdHostPool | Remove a host pool.
Remove-AzWvdMsixPackage | Remove an MSIX Package.
Remove-AzWvdPrivateEndpointConnection | Remove a connection.
Remove-AzWvdRegistrationInfo | Remove the Windows virtual desktop registration info.
Remove-AzWvdScalingPlan | Remove a scaling plan.
Remove-AzWvdScalingPlanPersonalSchedule | Remove a ScalingPlanPersonalSchedule.
Remove-AzWvdScalingPlanPooledSchedule | Remove a ScalingPlanPooledSchedule.
Remove-AzWvdSessionHost | Remove a SessionHost.
Remove-AzWvdUserSession | Remove a userSession.
Remove-AzWvdWorkspace | Remove a workspace.
Send-AzWvdUserSessionMessage | Send a message to a user.
Unregister-AzWvdApplicationGroup | Unregister the Windows virtual desktop application group.
Update-AzWvdAppAttachPackage | Update an App Attach Package.
Update-AzWvdApplication | Update an application.
Update-AzWvdApplicationGroup | Update an applicationGroup.
Update-AzWvdDesktop | Update a desktop.
Update-AzWvdHostPool | Update a host pool.
Update-AzWvdMsixPackage | Update an MSIX Package.
Update-AzWvdScalingPlan | Update a scaling plan.
Update-AzWvdScalingPlanPersonalSchedule | Update a ScalingPlanPersonalSchedule.
Update-AzWvdScalingPlanPooledSchedule | Update a ScalingPlanPooledSchedule.
Update-AzWvdSessionHost | Update a session host.
Update-AzWvdWorkspace | Update a workspace.



Microsoft.DesktopVirtualization hostPools
Article • 08/30/2024

Bicep resource definition


The hostPools resource type can be deployed with operations that target:

Resource groups - See resource group deployment commands

For a list of changed properties in each API version, see change log.

Resource format
To create a Microsoft.DesktopVirtualization/hostPools resource, add the following Bicep to your template.

Bicep

resource symbolicname 'Microsoft.DesktopVirtualization/hostPools@2024-04-08-preview' = {
  name: 'string'
  location: 'string'
  tags: {
    tagName1: 'tagValue1'
    tagName2: 'tagValue2'
  }
  sku: {
    capacity: int
    family: 'string'
    name: 'string'
    size: 'string'
    tier: 'string'
  }
  kind: 'string'
  identity: {
    type: 'string'
    userAssignedIdentities: {
      {customized property}: {}
    }
  }
  managedBy: 'string'
  plan: {
    name: 'string'
    product: 'string'
    promotionCode: 'string'
    publisher: 'string'
    version: 'string'
  }
  properties: {
    agentUpdate: {
      maintenanceWindows: [
        {
          dayOfWeek: 'string'
          hour: int
        }
      ]
      maintenanceWindowTimeZone: 'string'
      type: 'string'
      useSessionHostLocalTime: bool
    }
    customRdpProperty: 'string'
    description: 'string'
    directUDP: 'string'
    friendlyName: 'string'
    hostPoolType: 'string'
    loadBalancerType: 'string'
    managedPrivateUDP: 'string'
    managementType: 'string'
    maxSessionLimit: int
    personalDesktopAssignmentType: 'string'
    preferredAppGroupType: 'string'
    publicNetworkAccess: 'string'
    publicUDP: 'string'
    registrationInfo: {
      expirationTime: 'string'
      registrationTokenOperation: 'string'
      token: 'string'
    }
    relayUDP: 'string'
    ring: int
    ssoadfsAuthority: 'string'
    ssoClientId: 'string'
    ssoClientSecretKeyVaultPath: 'string'
    ssoSecretType: 'string'
    startVMOnConnect: bool
    validationEnvironment: bool
    vmTemplate: 'string'
  }
}

Property values
hostPools
Name | Description | Value
name | The resource name. Character limit: 3-64. Valid characters: alphanumerics, underscores, periods, and hyphens. Start with letter or number. End with letter, number, or underscore. | string (required)
location | The geo-location where the resource lives | string (required)
tags | Resource tags. | Dictionary of tag names and values. See Tags in templates
sku | The resource model definition representing SKU | Sku
kind | Metadata used by portal/tooling/etc to render different UX experiences for resources of the same type. E.g. ApiApps are a kind of Microsoft.Web/sites type. If supported, the resource provider must validate and persist this value. Constraints: Pattern = ^[-\w\._,\(\)]+$ | string
identity | Managed service identity (system assigned and/or user assigned identities) | ManagedServiceIdentity
managedBy | The fully qualified resource ID of the resource that manages this resource. Indicates if this resource is managed by another Azure resource. If this is present, complete mode deployment will not delete the resource if it is removed from the template since it is managed by another resource. | string
plan | Plan for the resource. | Plan
properties | Detailed properties for HostPool | HostPoolProperties (required)

ManagedServiceIdentity
Name | Description
type | Type of managed service identity (where both SystemAssigned and UserAssigned types are allowed).
userAssignedIdentities | The set of user assigned identities associated with the resource. The userAssignedIdentities dictionary keys will be ARM resource ids in the for '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identity The dictionary values can be empty objects ({}) in requests.

ManagedServiceIdentityUserAssignedIdentities

Name | Description | Value
{customized property} | | UserAssignedIdentity

UserAssignedIdentity
This object doesn't contain any properties to set during deployment. All properties are ReadOnly.

Plan
Name | Description | Value
name | A user defined name of the 3rd Party Artifact that is being procured. | string (required)
product | The 3rd Party artifact that is being procured. E.g. NewRelic. Product maps to the OfferID specified for the artifact at the time of Data Market onboarding. | string (required)
promotionCode | A publisher provided promotion code as provisioned in Data Market for the said product/artifact. | string
publisher | The publisher of the 3rd Party Artifact that is being bought. E.g. NewRelic | string (required)
version | The version of the desired product/artifact. | string

HostPoolProperties
Name | Description | Value
agentUpdate | The session host configuration for updating agent, monitoring agent, and stack component. | AgentUpdateProperties
customRdpProperty | Custom rdp property of HostPool. | string
description | Description of HostPool. | string
directUDP | Default: AVD-wide settings are used to determine connection availability, Enabled: UDP will attempt this connection type when making connections. This means that this connection is possible, but is not guaranteed, as there are other factors that may prevent this connection type, Disabled: UDP will not attempt this connection type when making connections | 'Default', 'Disabled', 'Enabled'
friendlyName | Friendly name of HostPool. | string
hostPoolType | HostPool type for desktop. | 'BYODesktop', 'Personal', 'Pooled' (required)
loadBalancerType | The type of the load balancer. | 'BreadthFirst', 'DepthFirst', 'MultiplePersistent', 'Persistent' (required)
managedPrivateUDP | Default: AVD-wide settings are used to determine connection availability, Enabled: UDP will attempt this connection type when making connections. This means that this connection is possible, but is not guaranteed, as there are other factors that may prevent this connection type, Disabled: UDP will not attempt this connection type when making connections | 'Default', 'Disabled', 'Enabled'
managementType | The type of management for this hostpool, Automated or Standard. The default value is Automated. | 'Automated', 'Standard'
maxSessionLimit | The max session limit of HostPool. | int
personalDesktopAssignmentType | PersonalDesktopAssignment type for HostPool. | 'Automatic', 'Direct'
preferredAppGroupType | The type of preferred application group type, default to Desktop Application Group | 'Desktop', 'None', 'RailApplications' (required)
publicNetworkAccess | Enabled allows this resource to be accessed from both public and private networks, Disabled allows this resource to only be accessed via private endpoints | 'Disabled', 'Enabled', 'EnabledForClientsOnly', 'EnabledForSessionHostsOnly'
publicUDP | Default: AVD-wide settings are used to determine connection availability, Enabled: UDP will attempt this connection type when making connections. This means that this connection is possible, but is not guaranteed, as there are other factors that may prevent this connection type, Disabled: UDP will not attempt this connection type when making connections | 'Default', 'Disabled', 'Enabled'
registrationInfo | The registration info of HostPool. | RegistrationInfo
relayUDP | Default: AVD-wide settings are used to determine connection availability, Enabled: UDP will attempt this connection type when making connections. This means that this connection is possible, but is not guaranteed, as there are other factors that may prevent this connection type, Disabled: UDP will not attempt this connection type when making connections | 'Default', 'Disabled', 'Enabled'
ring | The ring number of HostPool. | int
ssoadfsAuthority | URL to customer ADFS server for signing WVD SSO certificates. | string
ssoClientId | ClientId for the registered Relying Party used to issue WVD SSO certificates. | string
ssoClientSecretKeyVaultPath | Path to Azure KeyVault storing the secret used for communication to ADFS. | string
ssoSecretType | The type of single sign on Secret Type. | 'Certificate', 'CertificateInKeyVault', 'SharedKey', 'SharedKeyInKeyVault'
startVMOnConnect | The flag to turn on/off StartVMOnConnect feature. | bool
validationEnvironment | Is validation environment. | bool
vmTemplate | VM template for sessionhosts configuration within hostpool. | string

AgentUpdateProperties
Name | Description | Value
maintenanceWindows | List of maintenance windows. Maintenance windows are 2 hours long. | MaintenanceWindowProperties[]
maintenanceWindowTimeZone | Time zone for maintenance as defined in /dotnet/api/system.timezoneinfo.findsystemtimezonebyid. Must be set if useLocalTime is true. | string
type | The type of maintenance for session host components. | 'Default', 'Scheduled'
useSessionHostLocalTime | Whether to use localTime of the virtual machine. | bool

MaintenanceWindowProperties
Name | Description | Value
dayOfWeek | Day of the week. | 'Friday', 'Monday', 'Saturday', 'Sunday', 'Thursday', 'Tuesday', 'Wednesday'
hour | The update start hour of the day. (0 - 23) | int

RegistrationInfo
Name | Description | Value
expirationTime | Expiration time of registration token. | string
registrationTokenOperation | The type of resetting the token. | 'Delete', 'None', 'Update'
token | The registration token base64 encoded string. | string

Sku
Name | Description | Value
capacity | If the SKU supports scale out/in then the capacity integer should be included. If scale out/in is not possible for the resource this may be omitted. | int
family | If the service has different generations of hardware, for the same SKU, then that can be captured here. | string
name | The name of the SKU. E.g. P3. It is typically a letter+number code | string (required)
size | The SKU size. When the name field is the combination of tier and some other value, this would be the standalone code. | string
tier | This field is required to be implemented by the Resource Provider if the service has more than one tier, but is not required on a PUT. | 'Basic', 'Free', 'Premium', 'Standard'

Feedback
Was this page helpful?  Yes  No
Microsoft.DesktopVirtualization hostPools
Article • 08/30/2024

Bicep resource definition


The hostPools resource type can be deployed with operations that target:

Resource groups - See resource group deployment commands

For a list of changed properties in each API version, see change log.

Resource format
To create a Microsoft.DesktopVirtualization/hostPools resource, add the following Bicep to your template.

Bicep

resource symbolicname 'Microsoft.DesktopVirtualization/hostPools@2024-04-08-preview' = {
  name: 'string'
  location: 'string'
  tags: {
    tagName1: 'tagValue1'
    tagName2: 'tagValue2'
  }
  sku: {
    capacity: int
    family: 'string'
    name: 'string'
    size: 'string'
    tier: 'string'
  }
  kind: 'string'
  identity: {
    type: 'string'
    userAssignedIdentities: {
      {customized property}: {}
    }
  }
  managedBy: 'string'
  plan: {
    name: 'string'
    product: 'string'
    promotionCode: 'string'
    publisher: 'string'
    version: 'string'
  }
  properties: {
    agentUpdate: {
      maintenanceWindows: [
        {
          dayOfWeek: 'string'
          hour: int
        }
      ]
      maintenanceWindowTimeZone: 'string'
      type: 'string'
      useSessionHostLocalTime: bool
    }
    customRdpProperty: 'string'
    description: 'string'
    directUDP: 'string'
    friendlyName: 'string'
    hostPoolType: 'string'
    loadBalancerType: 'string'
    managedPrivateUDP: 'string'
    managementType: 'string'
    maxSessionLimit: int
    personalDesktopAssignmentType: 'string'
    preferredAppGroupType: 'string'
    publicNetworkAccess: 'string'
    publicUDP: 'string'
    registrationInfo: {
      expirationTime: 'string'
      registrationTokenOperation: 'string'
      token: 'string'
    }
    relayUDP: 'string'
    ring: int
    ssoadfsAuthority: 'string'
    ssoClientId: 'string'
    ssoClientSecretKeyVaultPath: 'string'
    ssoSecretType: 'string'
    startVMOnConnect: bool
    validationEnvironment: bool
    vmTemplate: 'string'
  }
}

Property values

hostPools

  name (string, required): The resource name. Character limit: 3-64. Valid characters: alphanumerics, underscores, periods, and hyphens. Start with a letter or number; end with a letter, number, or underscore.
  location (string, required): The geo-location where the resource lives.
  tags (dictionary of tag names and values): Resource tags. See Tags in templates.
  sku (Sku): The resource model definition representing SKU.
  kind (string): Metadata used by portal/tooling/etc to render different UX experiences for resources of the same type. E.g. ApiApps are a kind of Microsoft.Web/sites type. If supported, the resource provider must validate and persist this value. Constraints: Pattern = ^[-\w\._,\(\)]+$
  identity (ManagedServiceIdentity): Managed service identity (system assigned and/or user assigned identities).
  managedBy (string): The fully qualified resource ID of the resource that manages this resource. Indicates if this resource is managed by another Azure resource. If this is present, complete mode deployment will not delete the resource if it is removed from the template since it is managed by another resource.
  plan (Plan): Plan for the resource.
  properties (HostPoolProperties, required): Detailed properties for HostPool.

ManagedServiceIdentity

  type: Type of managed service identity (where both SystemAssigned and UserAssigned types are allowed).
  userAssignedIdentities (ManagedServiceIdentityUserAssignedIdentities): The set of user assigned identities associated with the resource. The userAssignedIdentities dictionary keys will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'. The dictionary values can be empty objects ({}) in requests.

ManagedServiceIdentityUserAssignedIdentities

  {customized property} (UserAssignedIdentity)

UserAssignedIdentity

  This object doesn't contain any properties to set during deployment. All properties are ReadOnly.

Plan

  name (string, required): A user defined name of the 3rd Party Artifact that is being procured.
  product (string, required): The 3rd Party artifact that is being procured. E.g. NewRelic. Product maps to the OfferID specified for the artifact at the time of Data Market onboarding.
  promotionCode (string): A publisher provided promotion code as provisioned in Data Market for the said product/artifact.
  publisher (string, required): The publisher of the 3rd Party Artifact that is being bought. E.g. NewRelic.
  version (string): The version of the desired product/artifact.

HostPoolProperties

  agentUpdate (AgentUpdateProperties): The session host configuration for updating agent, monitoring agent, and stack component.
  customRdpProperty (string): Custom RDP property of HostPool.
  description (string): Description of HostPool.
  directUDP ('Default' | 'Disabled' | 'Enabled'): Default: AVD-wide settings are used to determine connection availability. Enabled: UDP will attempt this connection type when making connections; this means that this connection is possible, but is not guaranteed, as there are other factors that may prevent this connection type. Disabled: UDP will not attempt this connection type when making connections.
  friendlyName (string): Friendly name of HostPool.
  hostPoolType ('BYODesktop' | 'Personal' | 'Pooled', required): HostPool type for desktop.
  loadBalancerType ('BreadthFirst' | 'DepthFirst' | 'MultiplePersistent' | 'Persistent', required): The type of the load balancer.
  managedPrivateUDP ('Default' | 'Disabled' | 'Enabled'): Default, Enabled and Disabled have the same meaning as for directUDP, applied to the managed private UDP connection type.
  managementType ('Automated' | 'Standard'): The type of management for this hostpool, Automated or Standard. The default value is Automated.
  maxSessionLimit (int): The max session limit of HostPool.
  personalDesktopAssignmentType ('Automatic' | 'Direct'): PersonalDesktopAssignment type for HostPool.
  preferredAppGroupType ('Desktop' | 'None' | 'RailApplications', required): The type of preferred application group type, default to Desktop Application Group.
  publicNetworkAccess ('Disabled' | 'Enabled' | 'EnabledForClientsOnly' | 'EnabledForSessionHostsOnly'): Enabled allows this resource to be accessed from both public and private networks, Disabled allows this resource to only be accessed via private endpoints.
  publicUDP ('Default' | 'Disabled' | 'Enabled'): Default, Enabled and Disabled have the same meaning as for directUDP, applied to the public UDP connection type.
  registrationInfo (RegistrationInfo): The registration info of HostPool.
  relayUDP ('Default' | 'Disabled' | 'Enabled'): Default, Enabled and Disabled have the same meaning as for directUDP, applied to the relay UDP connection type.
  ring (int): The ring number of HostPool.
  ssoadfsAuthority (string): URL to customer ADFS server for signing WVD SSO certificates.
  ssoClientId (string): ClientId for the registered Relying Party used to issue WVD SSO certificates.
  ssoClientSecretKeyVaultPath (string): Path to Azure KeyVault storing the secret used for communication to ADFS.
  ssoSecretType ('Certificate' | 'CertificateInKeyVault' | 'SharedKey' | 'SharedKeyInKeyVault'): The type of single sign on Secret Type.
  startVMOnConnect (bool): The flag to turn on/off StartVMOnConnect feature.
  validationEnvironment (bool): Is validation environment.
  vmTemplate (string): VM template for sessionhosts configuration within hostpool.

AgentUpdateProperties

  maintenanceWindows (MaintenanceWindowProperties[]): List of maintenance windows. Maintenance windows are 2 hours long.
  maintenanceWindowTimeZone (string): Time zone for maintenance as defined in /dotnet/api/system.timezoneinfo.findsystemtimezonebyid. Must be set if useLocalTime is true.
  type ('Default' | 'Scheduled'): The type of maintenance for session host components.
  useSessionHostLocalTime (bool): Whether to use localTime of the virtual machine.

MaintenanceWindowProperties

  dayOfWeek ('Friday' | 'Monday' | 'Saturday' | 'Sunday' | 'Thursday' | 'Tuesday' | 'Wednesday'): Day of the week.
  hour (int): The update start hour of the day (0 - 23).

RegistrationInfo

  expirationTime (string): Expiration time of registration token.
  registrationTokenOperation ('Delete' | 'None' | 'Update'): The type of resetting the token.
  token (string): The registration token base64 encoded string.

Sku

  capacity (int): If the SKU supports scale out/in then the capacity integer should be included. If scale out/in is not possible for the resource this may be omitted.
  family (string): If the service has different generations of hardware, for the same SKU, then that can be captured here.
  name (string, required): The name of the SKU. E.g. P3. It is typically a letter+number code.
  size (string): The SKU size. When the name field is the combination of tier and some other value, this would be the standalone code.
  tier ('Basic' | 'Free' | 'Premium' | 'Standard'): This field is required to be implemented by the Resource Provider if the service has more than one tier, but is not required on a PUT.

Microsoft.DesktopVirtualization hostPools
Article • 08/30/2024

Terraform (AzAPI provider) resource definition


The hostPools resource type can be deployed with operations that target:

Resource groups

For a list of changed properties in each API version, see change log.

Resource format
To create a Microsoft.DesktopVirtualization/hostPools resource, add the following Terraform to your template.

Terraform

resource "azapi_resource" "symbolicname" {
  type = "Microsoft.DesktopVirtualization/hostPools@2024-04-08-preview"
  name = "string"
  location = "string"
  parent_id = "string"
  tags = {
    tagName1 = "tagValue1"
    tagName2 = "tagValue2"
  }
  identity {
    type = "string"
    identity_ids = []
  }
  body = jsonencode({
    properties = {
      agentUpdate = {
        maintenanceWindows = [
          {
            dayOfWeek = "string"
            hour = int
          }
        ]
        maintenanceWindowTimeZone = "string"
        type = "string"
        useSessionHostLocalTime = bool
      }
      customRdpProperty = "string"
      description = "string"
      directUDP = "string"
      friendlyName = "string"
      hostPoolType = "string"
      loadBalancerType = "string"
      managedPrivateUDP = "string"
      managementType = "string"
      maxSessionLimit = int
      personalDesktopAssignmentType = "string"
      preferredAppGroupType = "string"
      publicNetworkAccess = "string"
      publicUDP = "string"
      registrationInfo = {
        expirationTime = "string"
        registrationTokenOperation = "string"
        token = "string"
      }
      relayUDP = "string"
      ring = int
      ssoadfsAuthority = "string"
      ssoClientId = "string"
      ssoClientSecretKeyVaultPath = "string"
      ssoSecretType = "string"
      startVMOnConnect = bool
      validationEnvironment = bool
      vmTemplate = "string"
    }
    sku = {
      capacity = int
      family = "string"
      name = "string"
      size = "string"
      tier = "string"
    }
    kind = "string"
    managedBy = "string"
    plan = {
      name = "string"
      product = "string"
      promotionCode = "string"
      publisher = "string"
      version = "string"
    }
  })
}

Property values

hostPools

  type ("Microsoft.DesktopVirtualization/hostPools@2024-04-08-preview"): The resource type.
  name (string, required): The resource name. Character limit: 3-64. Valid characters: alphanumerics, underscores, periods, and hyphens. Start with a letter or number; end with a letter, number, or underscore.
  location (string, required): The geo-location where the resource lives.
  parent_id (string, required): To deploy to a resource group, use the ID of that resource group.
  tags (dictionary of tag names and values): Resource tags.
  sku (Sku): The resource model definition representing SKU.
  kind (string): Metadata used by portal/tooling/etc to render different UX experiences for resources of the same type. E.g. ApiApps are a kind of Microsoft.Web/sites type. If supported, the resource provider must validate and persist this value. Constraints: Pattern = ^[-\w\._,\(\)]+$
  identity (ManagedServiceIdentity): Managed service identity (system assigned and/or user assigned identities).
  managedBy (string): The fully qualified resource ID of the resource that manages this resource. Indicates if this resource is managed by another Azure resource. If this is present, complete mode deployment will not delete the resource if it is removed from the template since it is managed by another resource.
  plan (Plan): Plan for the resource.
  properties (HostPoolProperties, required): Detailed properties for HostPool.

ManagedServiceIdentity

  type: Type of managed service identity (where both SystemAssigned and UserAssigned types are allowed).
  identity_ids (array): The set of user assigned identities associated with the resource. The userAssignedIdentities dictionary keys will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'. The dictionary values can be empty objects ({}) in requests.

ManagedServiceIdentityUserAssignedIdentities

  {customized property} (UserAssignedIdentity)

UserAssignedIdentity

  This object doesn't contain any properties to set during deployment. All properties are ReadOnly.

Plan

  name (string, required): A user defined name of the 3rd Party Artifact that is being procured.
  product (string, required): The 3rd Party artifact that is being procured. E.g. NewRelic. Product maps to the OfferID specified for the artifact at the time of Data Market onboarding.
  promotionCode (string): A publisher provided promotion code as provisioned in Data Market for the said product/artifact.
  publisher (string, required): The publisher of the 3rd Party Artifact that is being bought. E.g. NewRelic.
  version (string): The version of the desired product/artifact.

HostPoolProperties

  agentUpdate (AgentUpdateProperties): The session host configuration for updating agent, monitoring agent, and stack component.
  customRdpProperty (string): Custom RDP property of HostPool.
  description (string): Description of HostPool.
  directUDP ("Default" | "Disabled" | "Enabled"): Default: AVD-wide settings are used to determine connection availability. Enabled: UDP will attempt this connection type when making connections; this means that this connection is possible, but is not guaranteed, as there are other factors that may prevent this connection type. Disabled: UDP will not attempt this connection type when making connections.
  friendlyName (string): Friendly name of HostPool.
  hostPoolType ("BYODesktop" | "Personal" | "Pooled", required): HostPool type for desktop.
  loadBalancerType ("BreadthFirst" | "DepthFirst" | "MultiplePersistent" | "Persistent", required): The type of the load balancer.
  managedPrivateUDP ("Default" | "Disabled" | "Enabled"): Default, Enabled and Disabled have the same meaning as for directUDP, applied to the managed private UDP connection type.
  managementType ("Automated" | "Standard"): The type of management for this hostpool, Automated or Standard. The default value is Automated.
  maxSessionLimit (int): The max session limit of HostPool.
  personalDesktopAssignmentType ("Automatic" | "Direct"): PersonalDesktopAssignment type for HostPool.
  preferredAppGroupType ("Desktop" | "None" | "RailApplications", required): The type of preferred application group type, default to Desktop Application Group.
  publicNetworkAccess ("Disabled" | "Enabled" | "EnabledForClientsOnly" | "EnabledForSessionHostsOnly"): Enabled allows this resource to be accessed from both public and private networks, Disabled allows this resource to only be accessed via private endpoints.
  publicUDP ("Default" | "Disabled" | "Enabled"): Default, Enabled and Disabled have the same meaning as for directUDP, applied to the public UDP connection type.
  registrationInfo (RegistrationInfo): The registration info of HostPool.
  relayUDP ("Default" | "Disabled" | "Enabled"): Default, Enabled and Disabled have the same meaning as for directUDP, applied to the relay UDP connection type.
  ring (int): The ring number of HostPool.
  ssoadfsAuthority (string): URL to customer ADFS server for signing WVD SSO certificates.
  ssoClientId (string): ClientId for the registered Relying Party used to issue WVD SSO certificates.
  ssoClientSecretKeyVaultPath (string): Path to Azure KeyVault storing the secret used for communication to ADFS.
  ssoSecretType ("Certificate" | "CertificateInKeyVault" | "SharedKey" | "SharedKeyInKeyVault"): The type of single sign on Secret Type.
  startVMOnConnect (bool): The flag to turn on/off StartVMOnConnect feature.
  validationEnvironment (bool): Is validation environment.
  vmTemplate (string): VM template for sessionhosts configuration within hostpool.

AgentUpdateProperties

  maintenanceWindows (MaintenanceWindowProperties[]): List of maintenance windows. Maintenance windows are 2 hours long.
  maintenanceWindowTimeZone (string): Time zone for maintenance as defined in /dotnet/api/system.timezoneinfo.findsystemtimezonebyid. Must be set if useLocalTime is true.
  type ("Default" | "Scheduled"): The type of maintenance for session host components.
  useSessionHostLocalTime (bool): Whether to use localTime of the virtual machine.

MaintenanceWindowProperties

  dayOfWeek ("Friday" | "Monday" | "Saturday" | "Sunday" | "Thursday" | "Tuesday" | "Wednesday"): Day of the week.
  hour (int): The update start hour of the day (0 - 23).

RegistrationInfo

  expirationTime (string): Expiration time of registration token.
  registrationTokenOperation ("Delete" | "None" | "Update"): The type of resetting the token.
  token (string): The registration token base64 encoded string.

Sku

  capacity (int): If the SKU supports scale out/in then the capacity integer should be included. If scale out/in is not possible for the resource this may be omitted.
  family (string): If the service has different generations of hardware, for the same SKU, then that can be captured here.
  name (string, required): The name of the SKU. E.g. P3. It is typically a letter+number code.
  size (string): The SKU size. When the name field is the combination of tier and some other value, this would be the standalone code.
  tier ("Basic" | "Free" | "Premium" | "Standard"): This field is required to be implemented by the Resource Provider if the service has more than one tier, but is not required on a PUT.
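The Bicep and Terraform definitions above list every hostPools property but say nothing about which ones decide how exposed the pool is. The template below is an added example, not taken from either reference page or from Microsoft's own samples. It sets those properties deliberately in Bicep; the same property values go unchanged into the `properties` block of the azapi_resource body in the Terraform definition. The host pool name, the maintenance schedule and the RDP property string are illustrative assumptions. Two service facts it relies on that the reference pages do not state: `utcNow()` is only permitted in a parameter default value, and the registration token expiration must fall between 1 hour and 27 days after issue. The meaning of `EnabledForClientsOnly` (end users connect over the public endpoint, session hosts register only through private endpoints) is taken from the Azure Virtual Desktop Private Link documentation, and the private endpoint itself is not part of this template.

```bicep
// Added example (not from the reference pages): a pooled host pool whose exposure-related
// properties are set deliberately. Resource names, the maintenance schedule and the RDP
// property string are illustrative assumptions.
param location string = resourceGroup().location
param hostPoolName string = 'hp-finance-prod'

// utcNow() is only allowed in a parameter default. The token issued by this deployment is
// valid for two hours; the service accepts expirations between 1 hour and 27 days.
param registrationTokenExpiry string = dateTimeAdd(utcNow('u'), 'PT2H')

resource hostPool 'Microsoft.DesktopVirtualization/hostPools@2024-04-08-preview' = {
  name: hostPoolName
  location: location
  properties: {
    friendlyName: 'Finance (production)'
    hostPoolType: 'Pooled'
    loadBalancerType: 'DepthFirst'
    preferredAppGroupType: 'Desktop'
    maxSessionLimit: 8

    // Validation host pools receive service updates first. Production stays out of that ring.
    validationEnvironment: false

    // Clients reach the feed over the public endpoint; session hosts must register through a
    // private endpoint (assumed to exist; it is not part of this template).
    publicNetworkAccess: 'EnabledForClientsOnly'

    // 'Update' rotates the registration token on every deployment. The token is the only
    // credential a VM needs to join this pool, so it is never written to an output or a file.
    registrationInfo: {
      expirationTime: registrationTokenExpiry
      registrationTokenOperation: 'Update'
    }

    // Turn off the redirection channels that move data between the client device and the
    // session: drives, clipboard, printers, COM ports, USB, cameras, PnP devices, microphone.
    // Smart cards stay enabled for sign-in. Setting this string replaces the service default.
    customRdpProperty: 'drivestoredirect:s:;redirectclipboard:i:0;redirectprinters:i:0;redirectcomports:i:0;usbdevicestoredirect:s:;camerastoredirect:s:;devicestoredirect:s:;audiocapturemode:i:0;redirectsmartcards:i:1;'

    // Agent and stack updates happen only in two-hour windows outside business hours.
    agentUpdate: {
      type: 'Scheduled'
      useSessionHostLocalTime: false
      maintenanceWindowTimeZone: 'UTC'
      maintenanceWindows: [
        {
          dayOfWeek: 'Saturday'
          hour: 2
        }
        {
          dayOfWeek: 'Sunday'
          hour: 2
        }
      ]
    }
  }
}

// Expose identifiers only. There is deliberately no output for properties.registrationInfo.token.
output hostPoolId string = hostPool.id
```

Deploy it with `az deployment group create --resource-group <rg> --template-file hostpool.bicep`. Reading the token back afterwards is a separate RBAC action on the host pool (`Microsoft.DesktopVirtualization/hostPools/retrieveRegistrationToken/action`), so limit the principals that hold it: anyone who can retrieve a live token can register a machine they control as a session host of this pool. Because `registrationTokenOperation` is `Update`, every deployment issues a fresh token, and the previous one stops working when its own `expirationTime` passes; set `Delete` in a deployment once no more session hosts need to join.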

Azure Virtual Desktop
Article • 10/31/2023

Azure Virtual Desktop is a comprehensive desktop and app virtualization service running
in the cloud. It is the only virtual desktop infrastructure (VDI) that delivers simplified
management, multi-session Windows 10, and optimizations for Microsoft 365 Apps for
enterprise. Deploy and scale your Windows desktops and apps on Azure in minutes, and
get built-in security and compliance features. The Desktop Virtualization APIs allow you
to create and manage your Azure Virtual Desktop environment programmatically. For
more information about Azure Virtual Desktop, see the documentation.
MSIXMGR tool parameters
Article • 03/05/2024

This article contains the command line parameters and syntax you can use with the
MSIXMGR tool.

Prerequisites
To use the MSIXMGR tool, you need:

Download the MSIXMGR tool.
Get an MSIX-packaged application (.msix file).
A Windows device with administrative permissions to create the MSIX image.

-AddPackage
Add the package at the specified file path.

-AddPackage <Path to the MSIX package>

or

-p <Path to the MSIX package>

Here's an example of using the -AddPackage parameter:

Windows Command Prompt

msixmgr.exe -AddPackage "C:\MSIX\myapp.msix"

-RemovePackage
Remove the package with the specified package full name.

-RemovePackage <Package name>

or

-x <Package name>

Here's an example of using the -RemovePackage parameter. You can find the package full
name by running the PowerShell cmdlet Get-AppxPackage.

Windows Command Prompt

msixmgr.exe -RemovePackage myapp_0.0.0.1_x64__8wekyb3d8bbwe

-FindPackage
Find a package with the specified package full name.

-FindPackage <Package name>

Here's an example of using the -FindPackage parameter. You can find the package full
name by running the PowerShell cmdlet Get-AppxPackage.

Windows Command Prompt

msixmgr.exe -FindPackage myapp_0.0.0.1_x64__8wekyb3d8bbwe

-ApplyACLs
Apply ACLs to a package folder (an unpacked package). You also need to specify the
following required subparameter:

  -packagePath: The path to the package to unpack OR the path to a directory containing multiple packages to unpack.

-ApplyACLs -packagePath <Path to the package folder>

Here's an example of using the -ApplyACLs parameter:

Windows Command Prompt

msixmgr.exe -ApplyACLs -packagePath "C:\MSIX\myapp_0.0.0.1_x64__8wekyb3d8bbwe"

-Unpack
Unpack a package in one of the file formats .appx, .msix, .appxbundle, or .msixbundle,
and extract its contents to a folder. You also need to specify the following required
subparameters:

  -destination: The directory to place the resulting package folder(s) in.
  -fileType: The type of file to unpack packages to. Valid file types include .vhd, .vhdx, .cim. This parameter is only required when unpacking to CIM files.
  -packagePath: The path to the package to unpack OR the path to a directory containing multiple packages to unpack.
  -rootDirectory: Specifies the root directory on the image to unpack packages to. This parameter is only required when unpacking to new and existing CIM files.

-Unpack -packagePath <Path to package to unpack OR path to a directory containing multiple packages to unpack> -destination <Directory to place the resulting package folder(s) in> -fileType <VHD | VHDX | CIM> -rootDirectory <Root directory on image to unpack packages to>

Here are some examples of using the -Unpack parameter:

To unpack a package into a directory:

Windows Command Prompt

msixmgr.exe -Unpack -packagePath "C:\MSIX\myapp.msix" -destination "C:\Apps\myapp"

To unpack a package into a VHDX disk image:

Windows Command Prompt

msixmgr.exe -Unpack -packagePath "C:\MSIX\myapp.msix" -destination "C:\Apps\myapp\myapp.vhdx" -applyACLs -create -filetype VHDX -rootDirectory apps

To unpack a package into a CIM disk image:

Windows Command Prompt

msixmgr.exe -Unpack -packagePath "C:\MSIX\myapp.msix" -destination "C:\Apps\myapp\myapp.cim" -applyACLs -create -filetype CIM -rootDirectory apps

Here are the optional parameters you can use with the -Unpack parameter:

  -applyACLs: Applies ACLs to the resulting package folder(s) and their parent folder.
      Example: msixmgr.exe -Unpack -packagePath "C:\MSIX\myapp.msix" -destination "C:\Apps\myapp" -applyACLs

  -create: Creates a new image with the specified file type and unpacks the packages to that image. Requires the -filetype parameter.
      Example: msixmgr.exe -Unpack -packagePath "C:\MSIX\myapp.msix" -destination "C:\Apps\myapp" -applyACLs -create -fileType VHDX

  -fileType: The type of file to unpack packages to. Valid file types include VHD, VHDX, CIM. This parameter is required when unpacking to CIM files. Requires the -create parameter.
      Example: msixmgr.exe -Unpack -packagePath "C:\MSIX\myapp.msix" -destination "C:\Apps\myapp" -applyACLs -create -fileType CIM -rootDirectory apps

  -rootDirectory: Specifies the root directory on the image to unpack packages to. This parameter is required when unpacking to new and existing CIM files.
      Example: msixmgr.exe -Unpack -packagePath "C:\MSIX\myapp.msix" -destination "C:\Apps\myapp" -applyACLs -create -filetype CIM -rootDirectory apps

  -validateSignature: Validates a package's signature file before unpacking the package. This parameter requires that the package's certificate is installed on the machine. For more information, see Certificate Stores.
      Example: msixmgr.exe -Unpack -packagePath "C:\MSIX\myapp.msix" -destination "C:\Apps\Myapp" -validateSignature -applyACLs

  -vhdSize: The desired size of the .vhd or .vhdx file in MB. Must be between 5 MB and 2040000 MB. Use only for .vhd or .vhdx files. Requires the -create and -filetype parameters.
      Example: msixmgr.exe -Unpack -packagePath "C:\MSIX\myapp.msix" -destination "C:\Apps\myapp" -create -fileType VHDX -vhdSize 500


-MountImage
Mount a VHD, VHDX, or CIM image. You also need to specify the following required
subparameters:

  -fileType: The type of image file to mount. Valid file types include VHD, VHDX, CIM.
  -imagePath: The path to the image file to mount.

-MountImage -imagePath <Path to the MSIX image> -fileType <VHD | VHDX | CIM>

Here's an example of using the -MountImage parameter:

Windows Command Prompt

msixmgr.exe -MountImage -imagePath "C:\MSIX\myapp.cim" -fileType CIM

Here are the optional parameters you can use with the -MountImage parameter:

  -readOnly: Boolean (true or false) indicating whether the image should be mounted as read only. If not specified, the image is mounted as read-only by default.
      Example: msixmgr.exe -MountImage -imagePath "C:\MSIX\myapp.cim" -filetype CIM -readOnly false


-UnmountImage
Unmount a VHD, VHDX, or CIM image. You also need to specify the following required
subparameters:

  -fileType: The type of image file to unmount. Valid file types include VHD, VHDX, CIM.
  -imagePath: The path to the image file to unmount.

-UnmountImage -imagePath <Path to the MSIX image> -fileType <VHD | VHDX | CIM>

Here's an example of using the -UnmountImage parameter:

Windows Command Prompt

msixmgr.exe -UnmountImage -imagePath "C:\MSIX\myapp.vhdx" -fileType VHDX

Here are the optional parameters you can use with the -UnmountImage parameter:

  -volumeId: The GUID of the volume (specified without curly braces) associated with the image to unmount. This parameter is optional only for CIM files. You can find the volume ID by running the PowerShell cmdlet Get-Volume.
      Example: msixmgr.exe -UnmountImage -volumeId 199a2f93-99a8-11ee-9b0d-4c445b63adac -filetype CIM


-quietUX
Suppresses user interaction when running the MSIXMGR tool. This parameter is optional
and can be used with any other parameter.

Here's an example of using the -quietUX parameter with the -AddPackage parameter:

Windows Command Prompt

msixmgr.exe -AddPackage "C:\MSIX\myapp.msix" -quietUX

Next steps
To learn more about MSIX app attach, check out these articles:

Create an MSIX image to use with app attach
What's new in the MSIXMGR tool
App attach and MSIX app attach
Add and manage app attach and MSIX app attach applications
Test MSIX packages for app attach
Migrate end-user desktops to Azure Virtual Desktop
Article • 03/07/2024

Migrating an organization's end-user desktops to the cloud is a common scenario in
cloud migrations. Doing so helps improve employee productivity and accelerate the
migration of various workloads to support the organization's user experience.

Components of the scenario

This scenario is designed to guide the end-to-end customer journey, throughout the
cloud adoption lifecycle. Completing the journey requires a few key guidance sets:

Cloud Adoption Framework: These articles walk through the considerations and
recommendations of each CAF methodology. Use these articles to prepare
decision makers, central IT, and the cloud center of excellence for adoption of
Azure Virtual Desktop as a central part of your technology strategy.
Reference architectures: These reference solutions aid in accelerating deployment
of Azure Virtual Desktop.
Featured Azure products: Learn more about the products that support your virtual
desktop strategy in Azure.
Training modules: Gain the hands-on skills required to implement, maintain, and
support an Azure Virtual Desktop environment.

Common customer journeys

Azure Virtual Desktop reference architecture: The Azure Virtual Desktop reference
architecture demonstrates how to deploy a proven architecture for Azure Virtual
Desktop in your environment. This architecture is a suggested starting point for
Azure Virtual Desktop.

Migrate existing virtual desktops to Azure: A common use case for Azure Virtual
Desktop is to modernize an existing virtual desktop environment. While the
process can vary, there are several components to a successful migration, like
session hosts, user profiles, images, and applications. If you're migrating existing
VMs, you can review articles on migration to learn how tools like Azure Migrate
can speed up your migration as part of a standard migration process. However,
your migration might consist of bringing your golden image into Azure and
provisioning a new Azure Virtual Desktop host pool with new session hosts. You
can migrate your existing user profiles into Azure and build new host pools and
session hosts as well. A final migration scenario might include migrating your
applications into MSIX app attach format. For all of these migration scenarios, you
need to provision a new host pool because there's currently no direct migration of
other virtual desktop infrastructure (VDI) solutions into Azure Virtual Desktop.

Prepare for governance and operations at scale: Enterprise-scale support for
Azure Virtual Desktop demonstrates how you can use enterprise-scale landing
zones to ensure consistent governance, security, and operations across multiple
landing zones for centralized management of virtual desktop environments.

Implement specific Azure products: Accelerate and improve virtual desktop
capabilities using different Azure products outlined in the featured products
section.

Next steps
The following list of articles will take you to guidance at specific points in the cloud
adoption journey to help you be successful in the cloud adoption scenario.

Strategy for Azure Virtual Desktop
Plan for Azure Virtual Desktop
Migrate to Azure Virtual Desktop
Manage an Azure Virtual Desktop environment
Govern an Azure Virtual Desktop environment

Azure Virtual Desktop for the enterprise

Azure Virtual Desktop is a desktop and application virtualization service that runs in
Azure. This article is intended to help desktop infrastructure architects, cloud architects,
desktop administrators, and system administrators explore Azure Virtual Desktop and
build virtual desktop infrastructure (VDI) solutions at enterprise scale. Enterprise-scale
solutions generally cover 1,000 or more virtual desktops.

Architecture
A typical architectural setup for Azure Virtual Desktop is illustrated in the following
diagram:


Dataflow
The diagram's dataflow elements are described here:

The application endpoints are in a customer's on-premises network. Azure
ExpressRoute extends the on-premises network into Azure, and Microsoft Entra
Connect integrates the customer's Active Directory Domain Services (AD DS) with
Microsoft Entra ID.

The Azure Virtual Desktop control plane handles web access, gateway, broker,
diagnostics, and extensibility components such as REST APIs.

The customer manages AD DS and Microsoft Entra ID, Azure subscriptions, virtual
networks, Azure Files or Azure NetApp Files, and the Azure Virtual Desktop host
pools and workspaces.

To increase capacity, the customer uses two Azure subscriptions in a hub-spoke
architecture and connects them via virtual network peering.

For more information about FSLogix Profile Container - Azure Files and Azure NetApp
Files best practices, see FSLogix configuration examples.

Components
Azure Virtual Desktop service architecture is similar to Windows Server Remote Desktop
Services (RDS). Although Microsoft manages the infrastructure and brokering
components, enterprise customers manage their own desktop host virtual machines
(VMs), data, and clients.

Components that Microsoft manages

Microsoft manages the following Azure Virtual Desktop services, as part of Azure:

Web Access: By using the Web Access service within Azure Virtual Desktop you can
access virtual desktops and remote apps through an HTML5-compatible web
browser just as you would with a local PC, from anywhere and on any device. You
can secure web access by using multifactor authentication in Microsoft Entra ID.

Gateway: The Remote Connection Gateway service connects remote users to Azure Virtual Desktop apps and desktops from any internet-connected device that can run an Azure Virtual Desktop client. The client connects to a gateway, which then orchestrates a connection from a VM back to the same gateway. Because the session host makes this connection outbound (reverse connect), you don't need to open inbound ports on the session hosts or expose them to the internet.

Connection Broker: The Connection Broker service manages user connections to virtual desktops and remote apps. Connection Broker provides load balancing and reconnection to existing sessions.

Diagnostics: Remote Desktop Diagnostics is an event-based aggregator that marks each user or administrator action on the Azure Virtual Desktop deployment as a success or failure. Administrators can query the event aggregation to identify failing components.

Extensibility components: Azure Virtual Desktop includes several extensibility components. You can manage Azure Virtual Desktop by using Windows PowerShell or with the provided REST APIs, which also enable support from third-party tools.

Components that you manage

You manage the following components of Azure Virtual Desktop solutions:

Azure Virtual Network: With Azure Virtual Network , Azure resources such as
VMs can communicate privately with each other and with the internet. By
connecting Azure Virtual Desktop host pools to an Active Directory domain, you
can define network topology to access virtual desktops and virtual apps from the
intranet or internet, based on organizational policy. You can connect an Azure
Virtual Desktop instance to an on-premises network by using a virtual private
network (VPN), or you can use Azure ExpressRoute to extend the on-premises
network into Azure over a private connection.

Microsoft Entra ID: Azure Virtual Desktop uses Microsoft Entra ID for identity
and access management. Microsoft Entra integration applies Microsoft Entra
security features, such as conditional access, multifactor authentication, and
Intelligent Security Graph , and it helps maintain app compatibility in domain-
joined VMs.

Active Directory Domain Services (Optional): Azure Virtual Desktop VMs can either be domain joined to an AD DS domain or be Microsoft Entra joined (see Deploy Microsoft Entra joined virtual machines in Azure Virtual Desktop).
When using an AD DS domain, the domain must be in sync with Microsoft Entra ID to associate users between the two services. You can use Microsoft Entra Connect to associate AD DS with Microsoft Entra ID.
When using Microsoft Entra join, review the supported configurations to ensure your scenario is supported.

Azure Virtual Desktop session hosts: Session hosts are VMs that users connect to
for their desktops and applications. Several versions of Windows are supported
and you can create images with your applications and customizations. You can
choose VM sizes, including GPU-enabled VMs. Each session host has an Azure
Virtual Desktop host agent, which registers the VM as part of the Azure Virtual
Desktop workspace or tenant. Each host pool can have one or more app groups,
which are collections of remote applications or desktop sessions that you can
access. To see which versions of Windows are supported, see Operating systems
and licenses.
Azure Virtual Desktop workspace: The Azure Virtual Desktop workspace or tenant
is a management construct for managing and publishing host pool resources.

Scenario details

Potential use cases

The greatest demand for enterprise virtual desktop solutions comes from:

Security and regulation applications, such as financial services, healthcare, and government.

Elastic workforce needs, such as remote work, mergers and acquisitions, short-term
employees, contractors, and partner access.

Specific employees, such as bring your own device (BYOD) and mobile users, call
centers, and branch workers.

Specialized workloads, such as design and engineering, legacy apps, and software
development testing.

Personal and pooled desktops

By using personal desktop solutions, sometimes called persistent desktops, users can always connect to the same specific session host. Users can ordinarily modify their desktop experience to meet personal preferences, and they can save files in the desktop environment. Personal desktop solutions:

Let users customize their desktop environment, including user-installed applications, and users can save files within the desktop environment.
Allow assigning dedicated resources to specific users, which can be helpful for some manufacturing or development use cases.

Pooled desktop solutions, also called non-persistent desktops, assign users to whichever
session host is currently available, depending on the load-balancing algorithm. Because
users don't always return to the same session host each time they connect, they have
limited ability to customize the desktop environment and don't usually have
administrator access.

Note
Persistent and non-persistent terminology in this case is in reference to the persistence of the user profile. It does not imply that the operating system disk reverts to a golden image or discards changes on reboot.

Windows servicing
There are several options for updating Azure Virtual Desktop session hosts. Deploying an updated image every month keeps every session host in a known, compliant state.

Microsoft Endpoint Configuration Manager (MECM) updates server and desktop operating systems.
Windows Update for Business updates desktop operating systems such as Windows 10 Enterprise multi-session.
Azure Update Management updates server operating systems.
Azure Log Analytics checks compliance.
Deploy a new (custom) image to session hosts every month for the latest Windows and application updates. You can use an image from Azure Marketplace or a custom Azure-managed image.
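The image-rotation option is the one most enterprises settle on, and the part that needs tooling is finding the session hosts that still run the previous build and taking them out of rotation without disconnecting users. The following PowerShell is an added example, not code from the original article: it uses Az.DesktopVirtualization to read the OS build each session host reports, treats the highest build in the pool as current, puts the rest into drain mode, and lists those that have no sessions left and can be deleted and rebuilt from the new image. The resource group and host pool names are placeholders, and it assumes Connect-AzAccount has already been run.

```powershell
#Requires -Modules Az.Accounts, Az.DesktopVirtualization
# Added example, not from the original article. Drains session hosts that report an
# older OS build than the newest one in the pool, so they can be replaced by hosts
# built from the current image. Assumes Connect-AzAccount has been run and the caller
# holds Desktop Virtualization Host Pool Contributor (or higher) on the host pool.
param(
    [string]$ResourceGroupName = 'rg-avd-prod',    # placeholder
    [string]$HostPoolName      = 'hp-pooled-01',   # placeholder
    [switch]$WhatIf                                # report only, change nothing
)

$sessionHosts = @(Get-AzWvdSessionHost -ResourceGroupName $ResourceGroupName -HostPoolName $HostPoolName)
if ($sessionHosts.Count -eq 0) { throw "No session hosts found in host pool '$HostPoolName'" }

# The agent reports OSVersion as a dotted build string such as 10.0.22631.3447; a host whose
# agent has not reported (for example, it's shut down) has no value and is skipped.
$parsed = foreach ($sh in $sessionHosts) {
    if (-not $sh.OSVersion) { Write-Warning "$($sh.Name): no OSVersion reported (status $($sh.Status)); skipped"; continue }
    [pscustomobject]@{
        Name     = ($sh.Name -split '/')[-1]       # Get-AzWvdSessionHost returns "<hostpool>/<fqdn>"
        Version  = [version]$sh.OSVersion
        Status   = $sh.Status
        Sessions = $sh.Session
        Draining = -not $sh.AllowNewSession
    }
}
if (-not $parsed) { throw 'No session host reported an OS version; nothing to compare against' }

$current = ($parsed.Version | Sort-Object -Descending)[0]
"Newest build in '$HostPoolName': $current"

foreach ($sh in $parsed) {
    if ($sh.Version -ge $current) {
        "  OK      $($sh.Name)  $($sh.Version)  sessions=$($sh.Sessions)"
        continue
    }
    if ($sh.Draining) {
        "  DRAIN   $($sh.Name)  $($sh.Version)  already draining, sessions=$($sh.Sessions)"
        continue
    }
    if ($WhatIf) {
        "  WHATIF  $($sh.Name)  $($sh.Version)  would set AllowNewSession=false"
        continue
    }
    # Drain mode: existing sessions keep running, the broker sends no new ones to this host.
    $null = Update-AzWvdSessionHost -ResourceGroupName $ResourceGroupName -HostPoolName $HostPoolName `
        -Name $sh.Name -AllowNewSession:$false
    "  DRAIN   $($sh.Name)  $($sh.Version)  set AllowNewSession=false, sessions=$($sh.Sessions)"
}

# Old-build hosts with no remaining sessions can be removed and redeployed from the new image.
$parsed | Where-Object { $_.Version -lt $current -and $_.Sessions -eq 0 } |
    ForEach-Object { "  READY   $($_.Name)  no sessions left; remove it and redeploy from the new image" }
```

Run it with -WhatIf first from a scheduled job after the new image is in place; rerunning is harmless because hosts already in drain mode are only reported. Removing the READY hosts and adding replacements is left to whatever deploys your session hosts (ARM template, Terraform, or the portal), since that step depends on how the pool was built.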

Relationships between key logical components

The relationships between host pools, workspaces, and other key logical components vary. They're summarized in the following diagram. The numbers in the following descriptions correspond to those in the diagram.

(1) An application group that contains a published desktop can only contain MSIX packages mounted to the host pool (the packages are available in the Start menu of the session host); it can't contain any other published resources, and it's called a desktop application group.
(2) Application groups assigned to the same host pool must be members of the
same workspace.
(3) A user account can be assigned to an application group either directly or via a
Microsoft Entra group. It's possible to assign no users to an application group, but
then it can't service any.
(4) It's possible to have an empty workspace, but it can't service users.
(5) It's possible to have an empty host pool, but it can't service users.
(6) It's possible for a host pool not to have any application groups assigned to it
but it can't service users.
(7) Microsoft Entra ID is required for Azure Virtual Desktop. This is because
Microsoft Entra user accounts and groups must always be used to assign users to
Azure Virtual Desktop application groups. Microsoft Entra ID is also used to
authenticate users into the Azure Virtual Desktop service. Azure Virtual Desktop
session hosts can also be members of a Microsoft Entra domain, and in this
situation the Azure Virtual Desktop-published applications and desktop sessions
will also be launched and run (not just assigned) by using Microsoft Entra
accounts.
(7) Alternatively, Azure Virtual Desktop session hosts can be members of an AD
DS domain, and in this situation the Azure Virtual Desktop-published
applications and desktop sessions will be launched and run (but not assigned)
by using AD DS accounts. To reduce user and administrative overhead, AD DS
can be synchronized with Microsoft Entra ID through Microsoft Entra Connect.
(7) Finally, Azure Virtual Desktop session hosts can, instead, be members of a
Microsoft Entra Domain Services domain, and in this situation the Azure Virtual
Desktop-published applications and desktop sessions will be launched and run
(but not assigned) by using Microsoft Entra Domain Services accounts.
Microsoft Entra ID is automatically synchronized with Microsoft Entra Domain
Services, one way, from Microsoft Entra ID to Microsoft Entra Domain Services
only.

Resource: Published desktop
Purpose: A Windows desktop environment that runs on Azure Virtual Desktop session hosts and is delivered to users over the network
Logical relationships: Member of one and only one application group (1)

Resource: Published application
Purpose: A Windows application that runs on Azure Virtual Desktop session hosts and is delivered to users over the network
Logical relationships: Member of one and only one application group

Resource: Application group
Purpose: A logical grouping of published applications or a published desktop
Logical relationships:
- Contains a published desktop (1) or one or more published applications
- Assigned to one and only one host pool (2)
- Member of one and only one workspace (2)
- One or more Microsoft Entra user accounts or groups are assigned to it (3)

Resource: Microsoft Entra user account/group
Purpose: Identifies the users who are permitted to launch published desktops or applications
Logical relationships:
- Member of one and only one Microsoft Entra ID
- Assigned to one or more application groups (3)

Resource: Microsoft Entra ID (7)
Purpose: Identity provider
Logical relationships:
- Contains one or more user accounts or groups, which must be used to assign users to application groups, and can also be used to sign in to the session hosts
- Can hold the memberships of the session hosts
- Can be synchronized with AD DS or Microsoft Entra Domain Services

Resource: AD DS (7)
Purpose: Identity and directory services provider
Logical relationships:
- Contains one or more user accounts or groups, which can be used to sign in to the session hosts
- Can hold the memberships of the session hosts
- Can be synchronized with Microsoft Entra ID

Resource: Microsoft Entra Domain Services (7)
Purpose: Platform as a service (PaaS)-based identity and directory services provider
Logical relationships:
- Contains one or more user accounts or groups, which can be used to sign in to the session hosts
- Can hold the memberships of the session hosts
- Synchronized with Microsoft Entra ID

Resource: Workspace
Purpose: A logical grouping of application groups
Logical relationships: Contains one or more application groups (4)

Resource: Host pool
Purpose: A group of identical session hosts that serve a common purpose
Logical relationships:
- Contains one or more session hosts (5)
- One or more application groups are assigned to it (6)

Resource: Session host
Purpose: A virtual machine that hosts published desktops or applications
Logical relationships: Member of one and only one host pool

Considerations
These considerations implement the pillars of the Azure Well-Architected Framework,
which is a set of guiding tenets that can be used to improve the quality of a workload.
For more information, see Microsoft Azure Well-Architected Framework.

The numbers in the following sections are approximate. They're based on a variety of
large customer deployments and are subject to change over time.

Also, note that:

You can't create more than 500 application groups per single Microsoft Entra
tenant*.
We recommend that you do not publish more than 50 applications per application
group.

Azure Virtual Desktop limitations

Azure Virtual Desktop, much like Azure, has certain service limitations that you need to be aware of. To avoid having to make changes in the scaling phase, it's a good idea to address some of these limitations during the design phase.


Azure Virtual Desktop object   Per parent container object   Service limit

Workspace Microsoft Entra tenant 1300

HostPool Workspace 400

Application group Microsoft Entra tenant 500*

RemoteApp Application group 500

Role assignment Any Azure Virtual Desktop object 200

Session host HostPool 10,000

* If you require more than 500 application groups, submit a support ticket via the Azure
portal.

We recommend that you deploy no more than 5,000 VMs per Azure subscription
per region. This recommendation applies to both personal and pooled host pools,
based on Windows Enterprise single and multi-session. Most customers use
Windows Enterprise multi-session, which allows multiple users to sign in to each
VM. You can increase the resources of individual session-host VMs to
accommodate more user sessions.
For automated session-host scaling tools, the limits are around 2,500 VMs per
Azure subscription per region, because VM status interaction consumes more
resources.
To manage enterprise environments with more than 5,000 VMs per Azure
subscription in the same region, you can create multiple Azure subscriptions in a
hub-spoke architecture and connect them via virtual network peering (using one
subscription per spoke). You could also deploy VMs in a different region in the
same subscription to increase the number of VMs.
Azure Resource Manager subscription API throttling limits don't allow more than
600 Azure VM reboots per hour via the Azure portal. You can reboot all your
machines at once via the operating system, which doesn't consume any Azure
Resource Manager subscription API calls. For more information about counting
and troubleshooting throttling limits based on your Azure subscription, see
Troubleshoot API throttling errors.
You can currently deploy up to 132 VMs in a single ARM template deployment in
the Azure Virtual Desktop portal. To create more than 132 VMs, run the ARM
template deployment in the Azure Virtual Desktop portal multiple times.
Azure VM session-host name prefixes can't exceed 11 characters, due to auto-
assigning of instance names and the NetBIOS limit of 15 characters per computer
account.
By default, you can deploy up to 800 instances of most resource types in a
resource group. Azure Compute doesn't have this limit.

For more information about Azure subscription limitations, see Azure subscription and
service limits, quotas, and constraints.
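The rules (2) to (6) above and the limits in this section are easy to drift from as a deployment grows: application groups get created outside a workspace, user access is granted at resource group scope instead of on the group, pools are left with no hosts. The following PowerShell is an added example, not code from the original article; it uses Az.DesktopVirtualization and Az.Resources to walk every host pool, application group and workspace in the current subscription and report each case that would leave an object unable to service users, plus inherited user-role assignments and groups over the 50-application guidance. It assumes Connect-AzAccount has been run with Reader on the subscription; the 50 and 500 thresholds are the article's figures, not values the script discovers.

```powershell
#Requires -Modules Az.Accounts, Az.DesktopVirtualization, Az.Resources
# Added example, not from the original article. Audits the logical relationships between
# host pools, application groups and workspaces in the current subscription against the
# rules numbered (2) to (6) above. Assumes Connect-AzAccount has been run with Reader on the
# subscription; $MaxAppsPerGroup is the article's guidance, not a platform limit.

$MaxAppsPerGroup    = 50
$MaxAppGroupsTenant = 500   # per Microsoft Entra tenant; more needs a support ticket
$UserRole           = 'Desktop Virtualization User'

$hostPools  = @(Get-AzWvdHostPool)
$appGroups  = @(Get-AzWvdApplicationGroup)
$workspaces = @(Get-AzWvdWorkspace)
$findings   = [System.Collections.Generic.List[string]]::new()
function Get-RgFromId([string]$Id) { ($Id -split '/')[4] }   # /subscriptions/<sub>/resourceGroups/<rg>/...

foreach ($hp in $hostPools) {
    $rg = Get-RgFromId $hp.Id
    # (5) A host pool with no session hosts can't service users.
    if (@(Get-AzWvdSessionHost -ResourceGroupName $rg -HostPoolName $hp.Name).Count -eq 0) {
        $findings.Add("Host pool '$($hp.Name)': no session hosts (5)")
    }
    # (6) A host pool with no application groups can't service users.
    $groupsForPool = @($appGroups | Where-Object { $_.HostPoolArmPath -eq $hp.Id })
    if ($groupsForPool.Count -eq 0) { $findings.Add("Host pool '$($hp.Name)': no application groups (6)") }
    # (2) Application groups on the same host pool must share one workspace.
    $wsPaths = @($groupsForPool.WorkspaceArmPath | Where-Object { $_ } | Sort-Object -Unique)
    if ($wsPaths.Count -gt 1) { $findings.Add("Host pool '$($hp.Name)': application groups span $($wsPaths.Count) workspaces (2)") }
    # Depth-first load balancing only works as intended with a session cap.
    if ($hp.LoadBalancerType -eq 'DepthFirst' -and -not $hp.MaxSessionLimit) {
        $findings.Add("Host pool '$($hp.Name)': DepthFirst without a MaxSessionLimit")
    }
}

foreach ($ag in $appGroups) {
    $rg = Get-RgFromId $ag.Id
    # (4) An application group outside any workspace is never shown to users.
    if (-not $ag.WorkspaceArmPath) { $findings.Add("Application group '$($ag.Name)': not in a workspace (4)") }
    # (3) Users reach a group through the Desktop Virtualization User role. Assignments inherited
    # from the resource group or subscription also grant access, but to every group under that
    # scope at once, so they are reported separately as a least-privilege concern.
    $assignments = @(Get-AzRoleAssignment -Scope $ag.Id -RoleDefinitionName $UserRole)
    if ($assignments.Count -eq 0) { $findings.Add("Application group '$($ag.Name)': no users or groups assigned (3)") }
    foreach ($ra in ($assignments | Where-Object { $_.Scope -ne $ag.Id })) {
        $findings.Add("Application group '$($ag.Name)': '$($ra.DisplayName)' gets access via inherited assignment at $($ra.Scope)")
    }
    # Article guidance: keep RemoteApp groups at 50 published applications or fewer.
    if ($ag.ApplicationGroupType -eq 'RemoteApp') {
        $appCount = @(Get-AzWvdApplication -ResourceGroupName $rg -GroupName $ag.Name).Count
        if ($appCount -gt $MaxAppsPerGroup) {
            $findings.Add("Application group '$($ag.Name)': $appCount published apps exceeds guidance of $MaxAppsPerGroup")
        }
    }
}

# (4) An empty workspace can't service users.
foreach ($ws in $workspaces) {
    if (@($ws.ApplicationGroupReference | Where-Object { $_ }).Count -eq 0) {
        $findings.Add("Workspace '$($ws.Name)': no application groups (4)")
    }
}

"Host pools: $($hostPools.Count)   Application groups: $($appGroups.Count) of $MaxAppGroupsTenant tenant limit (this subscription only)   Workspaces: $($workspaces.Count)"
if ($findings.Count -eq 0) { 'No findings.' } else { $findings | ForEach-Object { "WARN  $_" } }
```

The application group count is per subscription because Get-AzWvdApplicationGroup is scoped to the current Az context; in a hub-spoke layout with one subscription per spoke, run it once per subscription and add the totals before comparing with the 500 per tenant limit.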

VM sizing
Virtual machine sizing guidelines lists the maximum suggested number of users per
virtual central processing unit (vCPU) and minimum VM configurations for different
workloads. This data helps estimate the VMs you need in your host pool.

Use simulation tools to test deployments with both stress tests and real-life usage
simulations. Make sure that the system is responsive and resilient enough to meet user
needs, and remember to vary the load sizes when testing.

Cost optimization
Cost optimization is about looking at ways to reduce unnecessary expenses and
improve operational efficiencies. For more information, see Overview of the cost
optimization pillar.

You can architect your Azure Virtual Desktop solution to realize cost savings. Here are several options to help manage costs for enterprises:

Windows 10 multi-session: By delivering a multi-session desktop experience for users with identical compute requirements, you can let more users sign in to a single VM at once, an approach that can result in considerable cost savings.
Azure Hybrid Benefit: If you have Software Assurance, you can use Azure Hybrid Benefit for Windows Server to save on the cost of your Azure infrastructure.
Azure Reserved VM Instances: You can prepay for your VM usage and save money. Combine Azure Reserved VM Instances with Azure Hybrid Benefit for up to 80 percent savings over list prices.
Session-host load-balancing: When you're setting up session hosts, breadth-first mode, which spreads new sessions across all available session hosts, is the default. Alternatively, you can use depth-first mode, which fills a session host up to its maximum session limit before it moves on to the next session host; depth-first requires that you set a maximum session limit on the host pool. You can adjust this setting for maximum cost benefits.

Deploy this scenario

Use the ARM templates to automate the deployment of your Azure Virtual Desktop
environment. These ARM templates support only the Azure Resource Manager Azure
Virtual Desktop objects. These ARM templates don't support Azure Virtual Desktop
(classic).

Contributors
This article is maintained by Microsoft. It was originally written by the following
contributors.

Principal author:

Tom Hickling | Senior Product Manager, Azure Virtual Desktop Engineering

Other contributor:

Nelson Del Villar | Cloud Solution Architect, Azure Core Infrastructure

Next steps
Azure Virtual Desktop partner integrations lists approved Azure Virtual Desktop
partner providers and independent software vendors.
Use the Virtual Desktop Optimization Tool to help optimize performance in a
Windows 10 Enterprise VDI (virtual desktop infrastructure) environment.
For more information, see Deploy Microsoft Entra joined virtual machines in Azure
Virtual Desktop.
Learn more about Active Directory Domain Services.
What is Microsoft Entra Connect?

Related resources
For more information about multiple Active Directory forests architecture, see
Multiple Active Directory forests architecture in Azure Virtual Desktop.

Multiple forests with AD DS and Microsoft Entra ID

Many organizations want to take advantage of Azure Virtual Desktop to create environments that have multiple on-premises Active Directory forests.

This article expands on the architecture that's described in the Azure Virtual Desktop at
enterprise scale article. It's intended to help you understand how to integrate multiple
domains and Azure Virtual Desktop by using Microsoft Entra Connect to sync users from
on-premises Active Directory Domain Services (AD DS) to Microsoft Entra ID.

Architecture


Dataflow
In this architecture, the identity flow works as follows:
1. Microsoft Entra Connect syncs users from both CompanyA.com and
CompanyB.com to a Microsoft Entra tenant (NewCompanyAB.onmicrosoft.com).
2. Host pools, workspaces, and app groups are created in separate subscriptions and
spoke virtual networks.
3. Users are assigned to the app groups.
4. Azure Virtual Desktop session hosts in the host pools join the domains
CompanyA.com and CompanyB.com by using the domain controllers (DCs) in
Azure.
5. Users sign in by using either the Azure Virtual Desktop application or the web client with a User Principal Name (UPN) whose suffix is CompanyA.com, CompanyB.com, or NewCompanyAB.com, depending on their configured UPN suffix.
6. Users are presented with their respective virtual desktops or applications. For
example, users in CompanyA are presented with a virtual desktop or application in
Workspace A, host pool 1 or 2.
7. FSLogix user profiles are created in Azure Files shares on the corresponding
storage accounts.
8. Group Policy Objects (GPOs) that are synced from on-premises are applied to users
and Azure Virtual Desktop session hosts.

Components
This architecture uses the same components as those listed in Azure Virtual Desktop at
enterprise scale architecture.

Additionally, this architecture uses the following components:

Microsoft Entra Connect in staging mode: The Staging server for Microsoft Entra
Connect topologies provides additional redundancy for the Microsoft Entra
Connect instance.

Azure subscriptions, Azure Virtual Desktop workspaces, and host pools: You can
use multiple subscriptions, Azure Virtual Desktop workspaces, and host pools for
administration boundaries and business requirements.

Scenario details
This architecture diagram represents a typical scenario that contains the following
elements:

The Microsoft Entra tenant is available for a new company named NewCompanyAB.onmicrosoft.com.
Microsoft Entra Connect syncs users from on-premises AD DS to Microsoft Entra
ID.
Company A and Company B have separate Azure subscriptions. They also have a
shared services subscription, referred to as the Subscription 1 in the diagram.
An Azure hub-spoke architecture is implemented with a shared services hub virtual
network.
Complex hybrid on-premises Active Directory environments are present with two
or more Active Directory forests. Domains live in separate forests, each with a
different UPN suffix. For example, CompanyA.local with the UPN suffix
CompanyA.com, CompanyB.local with the UPN suffix CompanyB.com, and an
additional UPN suffix, NewCompanyAB.com.
Domain controllers for both forests are located on-premises and in Azure.
Verified domains are present in Azure for CompanyA.com, CompanyB.com, and
NewCompanyAB.com.
GPO and legacy authentication, such as Kerberos, NTLM (Windows New Technology LAN Manager), and LDAP (Lightweight Directory Access Protocol), is used.
For Azure environments that still have dependency on-premises infrastructure,
private connectivity (Site-to-site VPN or Azure ExpressRoute) is set up between on-
premises and Azure.
The Azure Virtual Desktop environment consists of an Azure Virtual Desktop
workspace for each business unit and two host pools per workspace.
The Azure Virtual Desktop session hosts are joined to domain controllers in Azure.
That is, CompanyA session hosts join the CompanyA.local domain, and CompanyB
session hosts join the CompanyB.local domain.
Azure Storage accounts can use Azure Files for FSLogix profiles. One account is
created per company domain (that is, CompanyA.local and CompanyB.local), and
the account is joined to the corresponding domain.

Note

Active Directory Domain Services is a self-managed, on-premises component in many hybrid environments, and Microsoft Entra Domain Services provides managed domain services with a subset of fully compatible, traditional AD DS features such as domain join, group policy, LDAP, and Kerberos/NTLM authentication. For a detailed comparison of these components, see Compare self-managed AD DS, Microsoft Entra ID, and managed Microsoft Entra Domain Services.

The solution idea Multiple Azure Virtual Desktop forests using Microsoft Entra
Domain Services discusses architecture that uses cloud-managed Microsoft Entra
Domain Services.

Potential use cases

Here are a few relevant use cases for this architecture:

Mergers and acquisitions, organization rebranding, and multiple on-premises identities
Complex on-premises Active Directory environments (multi-forest, multi-domain, group policy (or GPO) requirements, and legacy authentication)
On-premises GPO infrastructure with Azure Virtual Desktop

Considerations
When you're designing your workload based on this architecture, keep the following
ideas in mind.

Group Policy Objects

To extend GPO infrastructure for Azure Virtual Desktop, the on-premises domain controllers should sync to the Azure infrastructure as a service (IaaS) domain controllers.

Extending GPO infrastructure to Azure IaaS domain controllers requires private connectivity.

Network and connectivity

The domain controllers are shared components, so they need to be deployed in a shared services hub virtual network in this hub-spoke architecture.

Azure Virtual Desktop session hosts join the domain controller in Azure over their respective hub-spoke virtual network peering.

Azure Storage
The following design considerations apply to user profile containers, cloud cache
containers, and MSIX packages:

You can use both Azure Files and Azure NetApp Files in this scenario. You choose
the right solution based on factors such as expected performance, cost, and so on.
Both Azure Storage accounts and Azure NetApp Files are limited to joining to one
single AD DS at a time. In these cases, multiple Azure Storage accounts or Azure
NetApp Files instances are required.

Microsoft Entra ID
In scenarios with users in multiple on-premises Active Directory forests, only one
Microsoft Entra Connect Sync server is connected to the Microsoft Entra tenant. An
exception to this is a Microsoft Entra Connect server that's used in staging mode.

The following identity topologies are supported:

Multiple on-premises Active Directory forests.
One or more resource forests trust all account forests.
A full mesh topology allows users and resources to be in any forest. Commonly, there are two-way trusts between the forests.

For more details, see the Staging server section of Microsoft Entra Connect topologies.
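A recurring failure in this topology is a UPN suffix that exists in one forest but isn't a verified domain of the tenant: Microsoft Entra Connect then gives those users a tenant.onmicrosoft.com UPN, and the name they sign in to Azure Virtual Desktop with no longer matches the AD DS account the session host authenticates. The following PowerShell is an added example, not code from the original article. It compares the UPN suffixes of each forest with the tenant's verified domains, counts the enabled users that would be affected, and then lists which directory each FSLogix storage account is joined to, so the one-directory-per-storage-account constraint from the Azure Storage section can be checked in the same pass. It needs the ActiveDirectory, Microsoft.Graph.Identity.DirectoryManagement and Az.Storage modules, a read-only credential in each forest, and Connect-MgGraph and Connect-AzAccount already done; the forest names reuse the article's CompanyA.local and CompanyB.local, and the resource group name is a placeholder.

```powershell
#Requires -Modules ActiveDirectory, Microsoft.Graph.Identity.DirectoryManagement, Az.Storage
# Added example, not from the original article. Checks that every UPN suffix in use in the
# on-premises forests is a verified domain of the Microsoft Entra tenant, then reports which
# directory each FSLogix storage account is joined to. Assumes Connect-MgGraph (Domain.Read.All)
# and Connect-AzAccount have been run. Forest and resource group names are placeholders.

$Forests = [ordered]@{
    'CompanyA.local' = Get-Credential -Message 'Read-only account in CompanyA.local'
    'CompanyB.local' = Get-Credential -Message 'Read-only account in CompanyB.local'
}
$ProfileStorageResourceGroup = 'rg-avd-profiles'

# 1. Verified tenant domains. A UPN suffix outside this set is rewritten to <tenant>.onmicrosoft.com
#    by Microsoft Entra Connect, and the sign-in UPN then no longer matches the AD DS account.
$verified = @(Get-MgDomain -All | Where-Object { $_.IsVerified } | ForEach-Object { $_.Id.ToLowerInvariant() })
"Verified tenant domains: $($verified -join ', ')"

$unverifiedTotal = 0
foreach ($forestName in $Forests.Keys) {
    $cred   = $Forests[$forestName]
    $forest = Get-ADForest -Identity $forestName -Credential $cred
    # Suffixes in use are the forest's domain DNS names plus any alternative UPN suffixes added to it.
    $suffixes = @(@($forest.Domains) + @($forest.UPNSuffixes) | ForEach-Object { $_.ToLowerInvariant() } | Sort-Object -Unique)
    $bad = @()
    foreach ($s in $suffixes) {
        if ($verified -contains $s) { "  OK    $forestName  $s" }
        else { "  WARN  $forestName  $s is not a verified tenant domain"; $bad += $s }
    }
    if ($bad.Count -eq 0) { continue }
    # Count affected accounts through the global catalog (port 3268) so every domain in the forest is covered.
    $pattern  = '@(' + (($bad | ForEach-Object { [regex]::Escape($_) }) -join '|') + ')$'
    $affected = @(Get-ADUser -Filter { Enabled -eq $true } -Server "$($forest.RootDomain):3268" -Credential $cred -Properties UserPrincipalName |
        Where-Object { $_.UserPrincipalName -match $pattern })
    "        $($affected.Count) enabled users in $forestName would sync with an onmicrosoft.com UPN"
    $unverifiedTotal += $affected.Count
}

# 2. A storage account is joined to exactly one directory, so each forest's profiles need their own account.
foreach ($sa in Get-AzStorageAccount -ResourceGroupName $ProfileStorageResourceGroup) {
    $auth = $sa.AzureFilesIdentityBasedAuth
    $joined = switch ($auth.DirectoryServiceOptions) {
        'AD'      { "AD DS domain $($auth.ActiveDirectoryProperties.DomainName)" }
        'AADDS'   { 'Microsoft Entra Domain Services' }
        'AADKERB' { "Microsoft Entra Kerberos for domain $($auth.ActiveDirectoryProperties.DomainName)" }
        default   { 'no identity-based authentication configured' }
    }
    "Storage account $($sa.StorageAccountName): $joined"
}

if ($unverifiedTotal -gt 0) { Write-Warning "$unverifiedTotal user(s) carry an unverified UPN suffix; add and verify those domains before sync" }
```

The fix for a WARN line is to add and verify the domain in the tenant before the first sync, or to change the affected users' UPN suffix on-premises; doing either after users have synced means their Microsoft Entra UPN changes on the next cycle and any conditional access or application-group assignments keyed on the old value need to be reviewed.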

Contributors
This article is maintained by Microsoft. It was originally written by the following
contributors.

Principal author:

Tom Maher | Senior Security and Identity Engineer

Next steps
For more information, see the following articles:

Microsoft Entra Connect topology
Compare different identity options: Self-managed Active Directory Domain Services (AD DS), Microsoft Entra ID, and Microsoft Entra Domain Services
Azure Virtual Desktop documentation

Related resources
Azure Virtual Desktop for the enterprise
Solution idea: Multiple forests with Microsoft Entra Domain Services

Multiple forests with AD DS, Microsoft Entra ID, and Microsoft Entra Domain Services

Solution ideas

This article describes a solution idea. Your cloud architect can use this guidance to
help visualize the major components for a typical implementation of this
architecture. Use this article as a starting point to design a well-architected solution
that aligns with your workload's specific requirements.

This solution idea illustrates how to deploy Azure Virtual Desktop rapidly in a minimum
viable product (MVP) or a proof of concept (POC) environment with the use of Microsoft
Entra Domain Services. Use this idea to both extend on-premises multi-forest Active
Directory Domain Services (AD DS) identities to Azure without private connectivity and
support legacy authentication.

Potential use cases

This solution idea also applies to mergers and acquisitions, organization rebranding, and multiple on-premises identities requirements.

Architecture
[Architecture diagram. Microsoft Entra tenant companyAB.onmicrosoft.com. On the on-premises network, Microsoft Entra Connect synchronizes the CompanyA.local and CompanyB.local forests (each with its own AD DS domain controllers) to Microsoft Entra ID, which in turn synchronizes one way to the Microsoft Entra Domain Services domain aadds.newcompanyAB.com in the Active Directory Domain Services subnet of Shared-Services-VNet, in the shared services subscription. The Azure Virtual Desktop subscription holds AVD-SPOKE-VNET, peered to the shared services VNet, with host pools A, B, and AB of three session hosts each, all domain joined to aadds.newcompanyAB.com; profiles for each pool are stored on Azure Files in a storage account. Microsoft Entra role-based access control authenticates Microsoft Entra DC administrators, Desktop Virtualization contributors, and the CompanyA, CompanyB, and CompanyAB users.]


Dataflow
The following steps show how the data flows in this architecture in the form of identity.

1. Complex hybrid on-premises Active Directory environments are present, with two
or more Active Directory forests. Domains live in separate forests, with distinct User
Principal Name (UPN) suffixes. For example, CompanyA.local with UPN suffix
CompanyA.com, CompanyB.local with UPN suffix CompanyB.com, and an additional
UPN suffix, newcompanyAB.com.
2. Instead of using customer-managed domain controllers, either on-premises or on
Azure (that is, Azure infrastructure as a service (IaaS) domain controllers), the
environment uses the two cloud-managed domain controllers provided by
Microsoft Entra Domain Services.
3. Microsoft Entra Connect syncs users from both CompanyA.com and
CompanyB.com to the Microsoft Entra tenant, newcompanyAB.onmicrosoft.com.
The user account is represented only once in Microsoft Entra ID, and private
connectivity isn't used.
4. Users then sync from Microsoft Entra ID to the managed Microsoft Entra Domain
Services as a one-way sync.
5. A custom and routable Microsoft Entra Domain Services domain name, aadds.newcompanyAB.com, is created. The newcompanyAB.com domain is a registered domain that supports LDAP certificates. We generally recommend that you not use non-routable domain names, such as contoso.local, because they can cause DNS resolution issues.
6. The Azure Virtual Desktop session hosts join the Microsoft Entra Domain Services
domain controllers.
7. Host pools and app groups can be created in a separate subscription and spoke
virtual network.
8. Users are assigned to the app groups.
9. Users sign in by using either the Azure Virtual Desktop application or the web client, with a UPN whose suffix is companyA.com, companyB.com, or newcompanyAB.com, depending on their configured UPN suffix.
10. Users are presented with their respective virtual desktops or apps. For example, a user with the companyA.com suffix is presented with virtual desktops or apps in host pool A, jane@companyB is presented with virtual desktops or apps in host pool B, and joe@newcompanyAB is presented with virtual desktops or apps in host pool AB.
11. The storage account (Azure Files is used for FSLogix) is joined to the managed
domain AD DS. The FSLogix user profiles are created in Azure Files shares.

Note

For Group Policy requirements in Microsoft Entra Domain Services, you can install Group Policy Management tools on a Windows Server virtual machine that's joined to Microsoft Entra Domain Services.
To extend Group Policy infrastructure for Azure Virtual Desktop from the on-premises domain controllers, you need to manually export and import it to Microsoft Entra Domain Services.
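The manual export and import in the note is done with the GroupPolicy module from the management VM it describes, by a member of the AAD DC Administrators group, because that group is what the managed domain grants Group Policy rights to. The following PowerShell is an added example and not code from the original article: it backs up selected GPOs from CompanyA.local, imports them into aadds.newcompanyAB.com under a prefixed name, links them to the built-in AADDC Computers OU, and writes an HTML report of each imported policy for review. The GPO names, backup path, and migration table file are placeholders; the domain names are the article's.

```powershell
#Requires -Modules GroupPolicy
# Added example, not from the original article. Run on a Windows Server VM that is joined to
# the Microsoft Entra Domain Services managed domain, as a member of AAD DC Administrators.
# Step 1 (Backup-GPO) needs line of sight to a CompanyA.local domain controller; if there is
# none from this VM, run step 1 on-premises and copy the backup folder here before step 2.
# GPO names, the backup path and the migration table are placeholders.

$SourceDomain = 'CompanyA.local'
$TargetDomain = 'aadds.newcompanyAB.com'
$BackupPath   = 'C:\gpo-export'
$GpoNames     = @('AVD Session Host Security', 'AVD User Lockdown')     # placeholders
$TargetOu     = 'OU=AADDC Computers,DC=aadds,DC=newcompanyAB,DC=com'    # built-in computer OU of Entra DS

# Step 1: export from the on-premises domain.
New-Item -ItemType Directory -Path $BackupPath -Force | Out-Null
foreach ($name in $GpoNames) {
    $backup = Backup-GPO -Name $name -Domain $SourceDomain -Path $BackupPath -Comment "export for $TargetDomain"
    "Backed up '$name' as backup $($backup.Id)"
}

# Step 2: import into the managed domain. Security principals and UNC paths referenced by the
# source GPOs don't exist here with the same SIDs, so they have to be mapped through a migration
# table (created once with the Migration Table Editor in GPMC); without one they are imported as-is.
$MigTable   = Join-Path $BackupPath 'companyA-to-aadds.migtable'
$importArgs = @{ Path = $BackupPath; Domain = $TargetDomain; CreateIfNeeded = $true }
if (Test-Path $MigTable) { $importArgs.MigrationTable = $MigTable }
else { Write-Warning "No migration table at $MigTable; on-premises groups and UNC paths in the GPOs are imported unchanged" }

foreach ($name in $GpoNames) {
    $targetName = "AADDS - $name"    # keeps imported policies distinguishable from ones authored in the managed domain
    $gpo = Import-GPO -BackupGpoName $name -TargetName $targetName @importArgs
    "Imported '$name' -> '$targetName' ($($gpo.Id))"

    # Link only if not already linked so reruns are idempotent; Enforced is deliberately left off.
    $existing = (Get-GPInheritance -Target $TargetOu -Domain $TargetDomain).GpoLinks | Where-Object { $_.DisplayName -eq $targetName }
    if (-not $existing) {
        New-GPLink -Name $targetName -Target $TargetOu -Domain $TargetDomain -LinkEnabled Yes | Out-Null
        "Linked '$targetName' to $TargetOu"
    }

    # Review before trusting: settings that still point at CompanyA.local objects show up as raw SIDs.
    Get-GPOReport -Name $targetName -Domain $TargetDomain -ReportType Html -Path (Join-Path $BackupPath "$targetName.html")
}
```

Policies meant for users rather than session hosts go to the AADDC Users OU instead of AADDC Computers, and settings that depend on on-premises resources (a WSUS server, a home-directory share) need either the migration table or a rewrite, since the managed domain has no private connectivity back to those forests in this design.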

Components
You implement this architecture by using the following technologies:

Microsoft Entra ID
Microsoft Entra Domain Services
Azure Files
Azure Virtual Desktop
Azure Virtual Network

Contributors
This article is maintained by Microsoft. It was originally written by the following
contributors.

Principal author:

Tom Maher | Senior Security and Identity Engineer

Next steps
Multiple Active Directory forests architecture with Azure Virtual Desktop
Azure Virtual Desktop for enterprises
Microsoft Entra Connect topologies
Compare different identity options
Azure Virtual Desktop documentation

Related resources
Hybrid architecture design
Multiple forests with AD DS and Microsoft Entra ID

Configure Azure Virtual Desktop with Terraform
Article • 03/20/2023

Article tested with the following Terraform and Terraform provider versions:

Terraform v1.1.7
AzureRM Provider v.2.99.0

Terraform enables the definition, preview, and deployment of cloud infrastructure. Using Terraform, you create configuration files using HCL syntax. The HCL syntax allows you to specify the cloud provider - such as Azure - and the elements that make up your cloud infrastructure. After you create your configuration files, you create an execution plan that allows you to preview your infrastructure changes before they're deployed. Once you verify the changes, you apply the execution plan to deploy the infrastructure.

This article provides an overview of how to use Terraform to deploy an ARM Azure
Virtual Desktop environment, not AVD Classic.

Azure Virtual Desktop has several prerequisites; review them before you deploy.

New to Azure Virtual Desktop? Start with What is Azure Virtual Desktop?

It is assumed that an appropriate platform foundation is already set up, which may or may not be the Enterprise Scale Landing Zone platform foundation.

In this article, you learn how to:

Use Terraform to create an Azure Virtual Desktop workspace
Use Terraform to create an Azure Virtual Desktop host pool
Use Terraform to create an Azure Desktop Application Group
Associate a Workspace and a Desktop Application Group

1. Configure your environment


Azure subscription: If you don't have an Azure subscription, create a free
account before you begin.

Configure Terraform: If you haven't already done so, configure Terraform using
one of the following options:
Configure Terraform in Azure Cloud Shell with Bash
Configure Terraform in Azure Cloud Shell with PowerShell
Configure Terraform in Windows with Bash
Configure Terraform in Windows with PowerShell

2. Implement the Terraform code


1. Create a directory in which to test the sample Terraform code and make it the
current directory.

2. Create a file named providers.tf and insert the following code:

Terraform

terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~>2.0"
    }
    azuread = {
      source = "hashicorp/azuread"
    }
  }
}

provider "azurerm" {
  features {}
}

3. Create a file named main.tf and insert the following code:

Terraform

# Resource group name is output when execution plan is applied.
resource "azurerm_resource_group" "sh" {
  name     = var.rg_name
  location = var.resource_group_location
}

# Create AVD workspace
resource "azurerm_virtual_desktop_workspace" "workspace" {
  name                = var.workspace
  resource_group_name = azurerm_resource_group.sh.name
  location            = azurerm_resource_group.sh.location
  friendly_name       = "${var.prefix} Workspace"
  description         = "${var.prefix} Workspace"
}

# Create AVD host pool
resource "azurerm_virtual_desktop_host_pool" "hostpool" {
  resource_group_name  = azurerm_resource_group.sh.name
  location             = azurerm_resource_group.sh.location
  name                 = var.hostpool
  friendly_name        = var.hostpool
  validate_environment = true
  # Custom RDP properties apply to every session in the pool; this string
  # only touches audio, but the same field controls device redirection.
  custom_rdp_properties    = "audiocapturemode:i:1;audiomode:i:0;"
  description              = "${var.prefix} Terraform HostPool"
  type                     = "Pooled"
  maximum_sessions_allowed = 16
  load_balancer_type       = "DepthFirst" # BreadthFirst or DepthFirst
}

# Registration token used to join session hosts to the pool; the
# expiration must be a future RFC 3339 timestamp when the plan is applied.
resource "azurerm_virtual_desktop_host_pool_registration_info" "registrationinfo" {
  hostpool_id     = azurerm_virtual_desktop_host_pool.hostpool.id
  expiration_date = var.rfc3339
}

# Create AVD DAG
resource "azurerm_virtual_desktop_application_group" "dag" {
  resource_group_name = azurerm_resource_group.sh.name
  host_pool_id        = azurerm_virtual_desktop_host_pool.hostpool.id
  location            = azurerm_resource_group.sh.location
  type                = "Desktop"
  name                = "${var.prefix}-dag"
  friendly_name       = "Desktop AppGroup"
  description         = "AVD application group"
  depends_on = [
    azurerm_virtual_desktop_host_pool.hostpool,
    azurerm_virtual_desktop_workspace.workspace,
  ]
}

# Associate Workspace and DAG
resource "azurerm_virtual_desktop_workspace_application_group_association" "ws-dag" {
  application_group_id = azurerm_virtual_desktop_application_group.dag.id
  workspace_id         = azurerm_virtual_desktop_workspace.workspace.id
}

4. Create a file named variables.tf and insert the following code:

variable "resource_group_location" {
  default     = "eastus"
  description = "Location of the resource group."
}

variable "rg_name" {
  type        = string
  default     = "rg-avd-resources"
  description = "Name of the Resource group in which to deploy service objects"
}

variable "workspace" {
  type        = string
  description = "Name of the Azure Virtual Desktop workspace"
  default     = "AVD TF Workspace"
}

variable "hostpool" {
  type        = string
  description = "Name of the Azure Virtual Desktop host pool"
  default     = "AVD-TF-HP"
}

# The registration token expiry must lie in the future when the plan is
# applied; the default below is already in the past, so override it (for
# example with -var rfc3339=<timestamp>). Keep the window short: anyone
# holding a live token can register a session host to the pool.
variable "rfc3339" {
  type        = string
  default     = "2022-03-30T12:43:13Z"
  description = "Registration token expiration"
}

variable "prefix" {
  type        = string
  default     = "avdtf"
  description = "Prefix of the name of the AVD machine(s)"
}

5. Create a file named output.tf and insert the following code:

output "azure_virtual_desktop_compute_resource_group" {
  description = "Name of the Resource group in which to deploy session host"
  value       = azurerm_resource_group.sh.name
}

output "azure_virtual_desktop_host_pool" {
  description = "Name of the Azure Virtual Desktop host pool"
  value       = azurerm_virtual_desktop_host_pool.hostpool.name
}

output "azurerm_virtual_desktop_application_group" {
  description = "Name of the Azure Virtual Desktop DAG"
  value       = azurerm_virtual_desktop_application_group.dag.name
}

output "azurerm_virtual_desktop_workspace" {
  description = "Name of the Azure Virtual Desktop workspace"
  value       = azurerm_virtual_desktop_workspace.workspace.name
}

output "location" {
  description = "The Azure region"
  value       = azurerm_resource_group.sh.location
}

# This output refers to an azuread_group resource that the main.tf in this
# article doesn't declare, and terraform plan fails on an undeclared
# resource. Uncomment it only if you define
# resource "azuread_group" "aad_group" elsewhere in the configuration.
# output "AVD_user_groupname" {
#   description = "Azure Active Directory Group for AVD users"
#   value       = azuread_group.aad_group.display_name
# }

3. Initialize Terraform
Run terraform init to initialize the Terraform deployment. This command downloads
the Azure provider required to manage your Azure resources.

Console

terraform init -upgrade

Key points:

The -upgrade parameter upgrades the necessary provider plugins to the newest
version that complies with the configuration's version constraints.

4. Create a Terraform execution plan


Run terraform plan to create an execution plan.

Console

terraform plan -out main.tfplan

Key points:

The terraform plan command creates an execution plan, but doesn't execute it.
Instead, it determines what actions are necessary to create the configuration
specified in your configuration files. This pattern allows you to verify whether the
execution plan matches your expectations before making any changes to actual
resources.
The optional -out parameter allows you to specify an output file for the plan.
Using the -out parameter ensures that the plan you reviewed is exactly what is
applied.
To read more about persisting execution plans and security, see the security
warning section.

5. Apply a Terraform execution plan


Run terraform apply to apply the execution plan to your cloud infrastructure.

Console

terraform apply main.tfplan

Key points:

The example terraform apply command assumes you previously ran terraform
plan -out main.tfplan.
If you specified a different filename for the -out parameter, use that same
filename in the call to terraform apply.
If you didn't use the -out parameter, call terraform apply without any parameters.

6. Verify the results


1. In the Azure portal, select Azure Virtual Desktop.
2. Select Host pools, then select the name of the host pool you created.
3. Select Session hosts and verify that the session host is listed.

7. Clean up resources
When you no longer need the resources created via Terraform, do the following steps:

1. Run terraform plan and specify the destroy flag.

Console

terraform plan -destroy -out main.destroy.tfplan

Key points:

The terraform plan command creates an execution plan, but doesn't execute
it. Instead, it determines what actions are necessary to create the
configuration specified in your configuration files. This pattern allows you to
verify whether the execution plan matches your expectations before making
any changes to actual resources.
The optional -out parameter allows you to specify an output file for the plan.
Using the -out parameter ensures that the plan you reviewed is exactly what
is applied.
To read more about persisting execution plans and security, see the security
warning section.

2. Run terraform apply to apply the execution plan.

Console

terraform apply main.destroy.tfplan
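Two settings in the configuration above are easy to get wrong at apply time: var.rfc3339 (the article's default is already in the past, and the service only accepts a future expiry) and custom_rdp_properties, which also decides which of the user's local devices a session can reach. The following Python script is an added example, not Microsoft's code: it generates a valid expiry string, checks one against an acceptance window, and flags the device redirections that a custom_rdp_properties string enables. The 1-hour/27-day window is an assumption to confirm against the current service limit.

```python
"""Pre-apply checks for var.rfc3339 and custom_rdp_properties.

Added example, not Microsoft's code. The 1-hour/27-day acceptance window
for the registration-token expiry is an assumption; confirm it against the
current service limit before relying on it.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

RFC3339_FMT = "%Y-%m-%dT%H:%M:%SZ"  # the exact form used for var.rfc3339
MIN_AHEAD = timedelta(hours=1)      # assumed lower bound on expiry
MAX_AHEAD = timedelta(days=27)      # assumed upper bound on expiry

# RDP properties that redirect local devices into the session. Each one is a
# path for data to move between the user's device and the session host, so
# enabling it should be a deliberate choice rather than a leftover.
REDIRECTION_KEYS: Dict[str, str] = {
    "drivestoredirect": "local drives",
    "redirectclipboard": "clipboard",
    "redirectprinters": "printers",
    "usbdevicestoredirect": "USB devices",
    "camerastoredirect": "cameras",
    "redirectcomports": "COM ports",
    "redirectsmartcards": "smart cards",
}


def _parse_rfc3339(value: str) -> datetime:
    """Parse 'YYYY-MM-DDTHH:MM:SSZ' into an aware UTC datetime."""
    return datetime.strptime(value, RFC3339_FMT).replace(tzinfo=timezone.utc)


def _now(now: Optional[str]) -> datetime:
    """Use the supplied reference time (reproducible checks) or the clock."""
    return _parse_rfc3339(now) if now else datetime.now(timezone.utc)


def registration_expiry(hours_ahead: int, now: Optional[str] = None) -> str:
    """Return a var.rfc3339 value hours_ahead from now, e.g. for
    terraform plan -var rfc3339=<value>."""
    when = _now(now) + timedelta(hours=hours_ahead)
    return when.astimezone(timezone.utc).strftime(RFC3339_FMT)


def check_expiry(value: str, now: Optional[str] = None) -> Tuple[bool, str]:
    """Reject an expiry that is malformed, past, too soon, or too far out."""
    try:
        when = _parse_rfc3339(value)
    except ValueError:
        return False, f"not an RFC 3339 UTC timestamp: {value!r}"
    ahead = when - _now(now)
    if ahead < MIN_AHEAD:
        return False, f"expires in the past or in under {MIN_AHEAD} ({value})"
    if ahead > MAX_AHEAD:
        return False, f"expires more than {MAX_AHEAD.days} days ahead ({value})"
    return True, "ok"


def parse_rdp_properties(props: str) -> Dict[str, Tuple[str, str]]:
    """Parse 'key:type:value;' entries (type 'i' = integer, 's' = string)
    into {key: (type, value)}; malformed entries raise ValueError."""
    parsed: Dict[str, Tuple[str, str]] = {}
    for entry in filter(None, (e.strip() for e in props.split(";"))):
        parts = entry.split(":", 2)
        if len(parts) != 3 or parts[1] not in ("i", "s"):
            raise ValueError(f"malformed RDP property: {entry!r}")
        key, typ, val = parts
        if typ == "i" and not val.lstrip("-").isdigit():
            raise ValueError(f"non-integer value for {key}: {val!r}")
        parsed[key.lower()] = (typ, val)
    return parsed


def redirection_warnings(props: str) -> List[str]:
    """List device redirections that a custom_rdp_properties string enables."""
    warnings: List[str] = []
    for key, (typ, val) in parse_rdp_properties(props).items():
        if key not in REDIRECTION_KEYS:
            continue
        # integer flags are off at 0; string device lists are off when empty
        enabled = val != "0" if typ == "i" else val != ""
        if enabled:
            warnings.append(f"{REDIRECTION_KEYS[key]} redirection enabled ({key}:{typ}:{val})")
    return warnings


if __name__ == "__main__":
    # Constructed inputs: the article's own defaults plus a permissive variant.
    print(check_expiry("2022-03-30T12:43:13Z"))  # the article's default is long expired
    print(registration_expiry(24))
    print(redirection_warnings("audiocapturemode:i:1;audiomode:i:0;"))
    print(redirection_warnings("drivestoredirect:s:*;redirectclipboard:i:1;"))
```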

Troubleshoot Terraform on Azure


Troubleshoot common problems when using Terraform on Azure

Next steps
Learn more about using Terraform in Azure
Windows and Other Services
Article • 08/14/2024

Windows 11
FastTrack provides remote guidance for updating to Windows 11 from Windows 10.

This includes:

Planning for your Windows 11 deployment.
Assessing the source environment and the requirements.
Deploying Windows 11 Enterprise and Microsoft 365 Apps using Microsoft Intune.
Recommending options to assess Windows 11 app and driver readiness.
Providing update guidance for Windows 11 Enterprise devices that meet Windows
11 system requirements.
Providing update guidance for in-place updates from Windows 10 to Windows 11
using Windows Update for Business and guidance for Windows 11 servicing using
Windows Update for Business and Intune.
Providing guidance for new Windows 11 device deployment using Windows
Autopilot.
Providing guidance using Endpoint analytics and Windows Update for Business
reports to see eligible devices and monitor device deployments.
Providing guidance for enabling co-management and moving the update
workload to Intune.
Providing guidance to help your organization stay up to date with Windows 11
Enterprise and Microsoft 365 Apps.

Note

PCs must meet Windows 11 hardware requirements.

Out of scope for all Windows 11 products

Upgrading task sequences or software update feature updates from Configuration
Manager.
Upgrading Configuration Manager to Current Branch.
Creating custom images for Windows 11 deployment.
Creating and supporting deployment scripts for Windows 11 deployment.
Converting a Windows 11 system from BIOS to Unified Extensible Firmware
Interface (UEFI).
Enabling Windows 11 security features.
Configuring Windows Deployment Services (WDS) for Preboot Execution
Environment (PXE) booting.
Using the Microsoft Deployment Toolkit (MDT) to capture and deploy Windows 11
images.
Using the User State Migration Tool (USMT).

Contact a Microsoft Partner for assistance with these services.

BitLocker
FastTrack provides remote guidance for:

Assessing the Windows 11 environment and hardware for BitLocker configuration.
Enabling compliance reporting of BitLocker from Microsoft Intune.
Providing guidance on configuring BitLocker for Windows Autopilot scenarios.
Providing guidance on BitLocker key recovery best practices.

Windows Hello for Business

FastTrack provides remote guidance for:

Assessing the Windows 10/11 environment and hardware for Windows Hello for
Business configuration.
Enabling Windows passwordless authentication using Windows Hello for Business
cloud trust.
Planning guidance for Windows Hello for Business hybrid key or certificate trust.

Windows Autopatch
FastTrack provides remote guidance for:

Assistance in understanding the features of the Windows Autopatch service,
validating environment prerequisites, and how the service relates to other
Microsoft update tools.
Assessing company readiness for Windows Autopatch onboarding using the
Readiness Assessment tool and addressing issues identified by the tool.
Understanding the process to enroll into the Windows Autopatch service.
Registering physical and virtual devices into the Windows Autopatch service.
Validating device updates and understanding reports.

Microsoft Defender for Endpoint
For more information, see Microsoft Defender for Endpoint.

Source environment expectations

The following requirements must be met.

For PC update:

Source OS: Windows 10 Enterprise or Professional.
Devices: Desktop, notebook, or tablet form factor.
Target OS: Windows 11 Enterprise.

For infrastructure upgrade:

Microsoft Endpoint Configuration Manager.
The Configuration Manager version must be supported by the Windows 11 target
version and Configuration Manager must be cloud-attached. For more information,
see the Configuration Manager support table at Support for Windows 11 in
Configuration Manager.

Microsoft advanced deployment guides

Microsoft provides customers with technology and guidance to assist with deploying
your Microsoft 365, Microsoft Viva, and security services. We encourage our customers
to start their deployment journey with these offerings.

For non-IT admins, see Microsoft 365 Setup.

Windows 365
FastTrack provides remote guidance for onboarding to Windows 365 Enterprise,
Windows 365 Frontline, and Windows 365 Government. Windows 365 takes the
operating system to the Microsoft Cloud, securely streaming the full Windows
experience—including all your apps, data, and settings—to your personal or corporate
devices. Organizations can provision Cloud PCs (devices that are deployed on the
Windows 365 service) instantly across the globe and manage them seamlessly alongside
your physical PC estate using Microsoft Endpoint Manager. This desktop-as-a-service
(DaaS) solution combines the benefits of desktop cloud hosting with the simplicity,
security, and insights of Microsoft 365.
Remote guidance includes:

Assigning licenses to users.
Creating and modifying Azure network connections (ANCs).
Adding and deleting device images, including standard Azure Marketplace gallery
images and custom images. Some guidance might be provided around deploying
language packs with custom images using the Windows 365 language installer
script.
Creating, editing, and deleting provisioning policies.
Assisting with dynamic query expressions for dynamic groups and filtering.
Deploying Windows Update policies for Cloud PCs using Intune.
Deploying apps (including Microsoft 365 Apps for enterprise and Microsoft Teams
with media optimizations) to Cloud PCs using Intune.
Securing Cloud PCs, including Conditional Access, multifactor authentication
(MFA), and managing Remote Desktop Protocol (RDP) device redirections.
Managing Cloud PCs on Microsoft Endpoint Manager, including remote actions,
resizing, and other administrative tasks.
Optimizing end user experience.
Deploying and managing Windows 365 Frontline Cloud PCs.
Deploying and managing Windows 365 Government Cloud PCs.
Finding other support for Windows 365.

Note

See Microsoft Defender XDR and Microsoft Defender for Endpoint for details
about Microsoft Defender for Endpoint and the security baseline scope as it applies
to Windows 365.

Out of scope
Creation of Azure subscription features including Azure Virtual Networks (VNets),
ExpressRoute, and Site-to-Site (S2S) VPN.
Support for advanced networking topics.
Customizing images for a Cloud PC on behalf of customers.
Standalone use of Configuration Manager for managing Cloud PCs.
Deploying Windows updates for Cloud PCs using Configuration Manager.
Migrating virtual desktop infrastructure (VDI) or Azure Virtual Desktop virtual
machines to Windows 365.
Migrating Configuration Manager or Microsoft Deployment Toolkit (MDT) images
to Azure.
Migrating user profiles to or from Windows PCs.
Configuring network appliances on behalf of customers.
Programmatic actions against Microsoft Graph API.
Support for third-party integrations.
Support for Windows 365 Business.

Contact a Microsoft Partner or Microsoft FastTrack for Azure for assistance with
items out of scope and/or if source environment expectations aren't met. If facing
concerns about app compatibility, contact Microsoft App Assure.

Source environment expectations

Before onboarding, the following is required:

Windows 365 licensing requirements must be met.
If not using a Microsoft-hosted network:
An Azure subscription associated with the Microsoft Entra tenant where licenses
are deployed must be used.
A virtual network is deployed in a region that's supported for Windows 365. The
virtual network should:
Have sufficient private IP addresses for the number of Cloud PCs to deploy.
Have connectivity to Active Directory (only for Microsoft Entra hybrid joined
configuration).
Have DNS servers configured for internal name resolution.

Note

Onboarding assistance for Azure Virtual Desktop is provided by FastTrack for
Azure. Customers should contact FastTrack for Azure to check for eligibility
since FastTrack for Azure has separate eligibility requirements. If the customer
doesn't qualify, they should work with an Azure partner.

Microsoft advanced deployment guides

Microsoft provides customers with technology and guidance to assist with deploying
your Microsoft 365, Microsoft Viva, and security services. We encourage our customers
to start their deployment journey with these offerings.

For non-IT admins, see Overview for Windows 365 Enterprise.


Universal Print
FastTrack provides remote guidance for:

Onboarding and configuring Universal Print.
Universal Print connector.
Universal Print-ready printers.
Deploying printers with Microsoft Intune.
Printer and print job management.
Configuring the Universal Print PowerShell module.

Out of scope
Partner integrations.
Third-party app virtualization and deployment.
Creating custom scripts with the Universal Print PowerShell module.
Universal Print developer features (including API).
Configuring Windows servers for printing.

Source environment expectations

The customer has one of the following licenses:
Microsoft 365 Enterprise F3, E3, or E5.
Microsoft 365 Education A3 or A5.
Microsoft 365 Business Premium.
Microsoft 365 G3, G5 - GCC.
Microsoft 365 E3, E5 - GCC High.
Windows 10/11 Enterprise E3 or E5.
Windows 10/11 Education A3 or A5.
Windows 10/11 Enterprise E5 Commercial (GCC Compatible).
Microsoft Entra ID tenant setup (any edition).
Universal Print connector host and/or Universal Print-ready printers.
Client devices must be running Windows 11 or Windows 10 version 1903 or
greater.

App Assure
App Assure is a service designed to address issues with Windows and Microsoft 365
Apps app compatibility and is available to all Microsoft customers. When you request
the App Assure service, we work with you to address valid app issues. To request App
Assure assistance, complete the App Assure service request.

FastTrack also provides guidance to customers who face compatibility issues when
deploying Windows 365 Cloud PC, Azure Virtual Desktop, and Microsoft Edge and make
every reasonable effort to resolve compatibility issues. We provide remediation
assistance for apps deployed on the following Microsoft products:

Windows 10/11 (including Arm64 devices).
Microsoft 365 Apps, including Microsoft Copilot for Microsoft 365.
Microsoft Edge - For deployment guidance, see Overview of the Microsoft Edge
channels.
Azure Virtual Desktop - For more information, see What is Azure Virtual Desktop?
and Windows 10 Enterprise multi-session FAQ.
Windows 365 Cloud PC - For more information, see Introducing a new era of
hybrid personal computing: the Windows 365 Cloud PC.

FastTrack eligibility criteria doesn’t apply to App Assure services and is subject to
Microsoft’s discretion.

Note

App Assure supports Copilot for Microsoft 365 customers by addressing app
compatibility issues encountered when moving to a monthly update channel.

Out of scope
App inventory and testing to determine what does and doesn’t work on Windows
and Microsoft 365 Apps. For more information, see the Windows and Office 365
deployment lab kit. If you're interested in guidance for modernizing endpoints or
deploying Windows 11, request assistance from FastTrack.
Researching third-party ISV apps for Windows compatibility and support
statements.
App packaging-only services. However, the App Assure team packages Windows
apps that we remediated to ensure they can be deployed in the customer's
environment.
Although Android apps on Windows 11 are available to Windows Insiders, App
Assure doesn’t currently support Android apps or devices, including Surface Duo
devices.

Customer responsibilities
Creating an app inventory.
Validating those apps on Windows and Microsoft 365 Apps.

Note

Microsoft can’t make changes to your source code. However, the App Assure team
can provide guidance to app developers if the source code is available for your
apps.

Contact a Microsoft Partner for assistance with these services.

Source environment expectations

Windows and Microsoft 365 Apps

Apps that worked on Windows 7, Windows 8.1, Windows 10, and Windows 11 also
work on Windows 10/11.
Apps that worked on Office 2010, Office 2013, Office 2016, and Office 2019 also
work on Microsoft 365 Apps (32-bit and 64-bit versions).

Windows 365 Cloud PC

Apps that worked on Windows 7, Windows 8.1, Windows 10, and Windows 11 also work
on Windows 365 Cloud PC.

Windows on Arm
Apps that worked on Windows 7, Windows 8.1, Windows 10, and Windows 11 also work
on Windows 10/11 on Arm64 devices.

Note

x64 (64-bit) emulation is available on Windows 11 on Arm devices.

Microsoft Edge

If your web apps or sites work on supported versions of Google Chrome or any version
of Microsoft Edge, they'll also work on the latest version of Microsoft Edge. As the web
is constantly evolving, be sure to review this published list of known
site compatibility-impacting changes for Microsoft Edge.

Note

App Assure helps you configure IE mode to support legacy Internet Explorer web
apps or sites. Support for development to modernize Internet Explorer web apps or
sites to run natively on the Chromium engine isn’t covered under this benefit.

Azure Virtual Desktop

Apps running on Windows 7, Windows 8.1, Windows 10, Windows 11, or Windows
Server (as virtualized apps) also run on:

Windows 10/11 Enterprise.
Windows 10/11 Enterprise multi-session.

Note

Onboarding assistance for Azure Virtual Desktop is provided by FastTrack for
Azure. Customers should contact FastTrack for Azure to check for eligibility
since Azure has separate eligibility requirements. If the customer doesn't qualify,
they should work with an Azure partner.

Note

Windows Enterprise multi-session compatibility exclusions and limitations include:

Limited redirection of hardware.
A/V-intensive apps might perform in a diminished capacity.
16-bit apps aren't supported for 64-bit Azure Virtual Desktop.

Microsoft advanced deployment guides

Microsoft provides customers with technology and guidance to assist with deploying
your Microsoft 365, Microsoft Viva, and security services. We encourage our customers
to start their deployment journey with these offerings.

For non-IT admins, see Microsoft 365 Setup.


Arm Advisory Service
App Assure’s Arm Advisory Service is a no-cost service available to Windows on Arm
developers where App Assure engineers assist with porting applications to Arm and
building Arm-native applications.

FastTrack provides remote guidance for:

Delivering a technical workshop for developing best practices, including answering
specific implementation questions.
Suggesting which platform features can be used to enhance application
experience.
Providing code review and code samples to enable development.
Providing break-fix assistance if issues arise while building or porting apps.
Providing engineering escalation to enable software development efforts and
provide product feedback.

To contact App Assure for this service, complete the Windows Arm Advisory Service
enrollment form.

Note

Developers without access to Arm-based hardware can create a Windows on Arm
virtual machine to develop, build, and test applications in a native environment.

Important

Please be aware that Microsoft reserves the right to limit this offer to 15 hours per
Arm developer and to waitlist developers due to high volume.

Microsoft 365 Apps

FastTrack provides remote guidance for:

Addressing deployment issues.
Assigning end-user and device-based licenses using the Microsoft 365 admin
center and Windows PowerShell.
Installing Microsoft 365 Apps from the Office 365 portal using Click-to-Run.
Installing Office Mobile apps (like Outlook Mobile, Word Mobile, Excel Mobile, and
PowerPoint Mobile) on your iOS or Android devices.
Configuring update settings using the Office 365 Deployment Tool.
Selection and setup of a local or cloud installation.
Creation of the Office Deployment Tool configuration XML with the Office
Customization Tool or native XML to configure the deployment package.
Deployment using Microsoft Endpoint Configuration Manager, including assistance
with the creation of Microsoft Endpoint Configuration Manager packaging.
Additionally, if you have a macro or add-in that worked with prior versions of
Office and you experience compatibility issues, FastTrack provides guidance to
remediate the compatibility issue at no extra cost through the App Assure
program.

Important

Online client software must be at a minimum level as defined in the System
requirements for Microsoft 365 and Office.

Network health
Alignment with Microsoft's principles of network connectivity is vital to the successful
onboarding of FastTrack Services. As such, FastTrack provides remote guidance to obtain
and interpret data from a customer’s environment subject to the terms of the customer
agreement to verify this alignment. This highlights a company’s network score, which
directly impacts migration velocity, user experience, service performance, and reliability.
FastTrack also guides our customers through necessary remediation steps highlighted
by this data to help improve the network score.

Source environment expectations

Microsoft 365 admin center access.
Up-to-date versions of Microsoft 365 apps are required.
Location services enabled as per Network performance recommendations in the
Microsoft 365 Admin Center (preview).

Microsoft Edge
FastTrack provides remote guidance for:

Deploying Microsoft Edge on Windows 10/11 with Microsoft Endpoint Manager
(Microsoft Endpoint Configuration Manager or Microsoft Intune).
Configuring Microsoft Edge (using group policies or Intune app configuration and
app policies).
Migrating web apps or sites from Google Chrome to Microsoft Edge. Additionally,
if you have a web app or site that works with Google Chrome and you experience
compatibility issues, FastTrack provides guidance to resolve the issue at no extra
cost. To request compatibility support for App Assure, sign in to the FastTrack
portal to start an engagement.
Planning guidance for Microsoft Edge adoption and configuration guidance for
Microsoft Search bookmarks.

Microsoft advanced deployment guides

Microsoft provides customers with technology and guidance to assist with deploying
your Microsoft 365, Microsoft Viva, and security services. We encourage our customers
to start their deployment journey with these offerings.

For non-IT admins, see Deploy and configure Microsoft Edge.


Azure Virtual Desktop (classic) documentation
Securely deliver virtual desktops and apps with maximum control to any device from a
flexible cloud virtual desktop infrastructure (VDI) platform. Azure Virtual Desktop
(classic) has been superseded by Azure Virtual Desktop using Azure Resource Manager.

About Azure Virtual Desktop (classic)

OVERVIEW

What is Azure Virtual Desktop?

Terminology

Azure Virtual Desktop using Azure Resource Manager

Get started with Azure Virtual Desktop (classic)

TUTORIAL

Create a tenant

Create service principals and role assignments with PowerShell

Create a host pool

Manage app groups

Create a host pool to validate service updates

Set up service alerts

Azure Virtual Desktop for users

OVERVIEW

Azure Virtual Desktop for users

HOW-TO GUIDE

Connect with the Windows Desktop client

Connect with the web client

Connect with macOS

Connect with iOS/iPadOS

Connect with Android/Chrome OS

Connect with thin clients

More information

TRAINING

Introduction to Azure Virtual Desktop

More Azure Virtual Desktop learning paths

REFERENCE

Pricing calculator

Reference

REFERENCE

PowerShell

REST API
