I spoke at the global AVD event (Microsoft meets Community: Windows Virtual Desktop virtual event, 3rd XXL edition) on the 11th of December on the topic of AVD management with Intune. In this post I share the details of the presentation and the Windows Virtual Desktop experience with modern management tools like Intune.
My session was the fourth (4th) one of the event, and the topic was “Sharing Tips and Tricks on how to Manage Windows Virtual Desktop via Intune in Microsoft Endpoint Manager“. You can download the PDF version of the presentation below, and a recording of the event will be available soon.
Update -> AVD Windows 10/11 multi-session VMs are now supported by Microsoft Endpoint Manager Intune. More details -> How To Add Azure Virtual Desktop Session Host To Azure AD Join Guide and AVD and Azure Virtual Desktop Azure AD Join Support With Intune Management.
Related Post – 63 Episodes of Free Intune Training for Device Management Admins
Context
I tried to set the context of AVD management in the first slide.
- Why do you want to manage AVD with Intune?
- When should you start AVD Management with Intune?
Hybrid AAD Join & Group Policy
Let’s go through the technical configurations and prerequisites that must be in place before AVD Intune management can start.
- Make sure the VMs are Hybrid Azure AD joined
- Deploy the MDM auto-enrollment Group Policy (“Enable automatic MDM enrollment using default Azure AD credentials”) to all AVD VMs
Windows 10 Intune Enrollment using Group Policy | Automatic Enrollment | AVD https://www.anoopcnair.com/windows-10-intune-enrollment-using-group-policy-automatic-enrollment-wvd/
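As an added example (not code from the original post or the presentation), here is a PowerShell check you can run on a session host once the Group Policy has applied. It verifies the hybrid join state from dsregcmd, the registry values that the “Enable automatic MDM enrollment using default Azure AD credentials” GPO writes, and the auto-enrollment result from the DeviceManagement event log (event 75 is a successful auto-enrollment, 76 a failed one). The registry path and event IDs are the standard ones; the function names are this example’s own.

```powershell
# Added example: verify the two prerequisites above on an AVD session host.
# Run in an elevated PowerShell session.

function Get-DsregState {
    # dsregcmd /status prints "Key : Value" lines; parse them into a hashtable.
    $state = @{}
    dsregcmd /status | ForEach-Object {
        if ($_ -match '^\s*(\S+)\s*:\s*(.+?)\s*$') { $state[$Matches[1]] = $Matches[2] }
    }
    return $state
}

function Test-AvdIntunePrereqs {
    $result = [ordered]@{}
    $ds = Get-DsregState

    # Hybrid Azure AD join = on-prem domain joined AND Azure AD joined.
    $result.DomainJoined  = ($ds['DomainJoined']  -eq 'YES')
    $result.AzureAdJoined = ($ds['AzureAdJoined'] -eq 'YES')
    $result.HybridJoined  = ($result.DomainJoined -and $result.AzureAdJoined)

    # Values written by the MDM auto-enrollment GPO.
    $mdmKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'
    $mdm = Get-ItemProperty -Path $mdmKey -ErrorAction SilentlyContinue
    $result.AutoEnrollMdm = ($mdm.AutoEnrollMDM -eq 1)
    # UseAADCredentialType 1 = Device Credential; needed for VMs where no
    # Azure AD user signs in interactively at provisioning time.
    $result.UsesDeviceCredential = ($mdm.UseAADCredentialType -eq 1)

    # Enrollment outcome: event 75 = "Auto MDM Enroll ... Succeeded", 76 = failed.
    $log = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
    $ev = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 75, 76 } `
            -MaxEvents 1 -ErrorAction SilentlyContinue
    $result.LastEnrollmentEvent = if ($ev) { "$($ev.Id) at $($ev.TimeCreated)" } else { 'none logged yet' }
    $result.Enrolled = [bool]($ev -and $ev.Id -eq 75)

    return [pscustomobject]$result
}

Test-AvdIntunePrereqs | Format-List
```

If HybridJoined is true but no event 75/76 has been logged, the enrollment scheduled task under Task Scheduler Library\Microsoft\Windows\EnterpriseMgmt has usually not run yet; it is created when the policy applies and runs on its own schedule.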
Azure AD Conditional Access & Groups
Modern management of AVD with Intune and Azure AD comes with some quick wins. For example, it lets you enforce Multi-Factor Authentication (MFA) for AVD sign-ins through Azure AD Conditional Access without any additional on-premises infrastructure.
- Modern security controls with Azure AD Conditional Access (CA)
- Dynamic Azure AD user/device groups for targeting policies and apps
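As an added example (not from the original post), the following PowerShell uses the Microsoft Graph PowerShell SDK (Microsoft.Graph.Authentication and Microsoft.Graph.Groups modules) to create both quick wins: a dynamic device group that collects the session hosts by a name prefix, and a Conditional Access policy that requires MFA for the Azure Virtual Desktop application. The “AVD-” naming prefix, the group name and the report-only policy state are assumptions for this example; the application ID 9cdead84-a844-4324-93f2-b2e6bb768d07 is the first-party Azure Virtual Desktop (formerly Windows Virtual Desktop) app.

```powershell
# Added example: dynamic device group + MFA Conditional Access policy for AVD.
# Requires: Install-Module Microsoft.Graph.Authentication, Microsoft.Graph.Groups
Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'Policy.ReadWrite.ConditionalAccess'

# 1. Dynamic device group. The rule uses the standard Azure AD dynamic-membership
#    syntax; "AVD-" is an assumed host-naming prefix.
$hostGroup = New-MgGroup -DisplayName 'AVD Session Hosts' `
    -MailEnabled:$false -MailNickname 'avdsessionhosts' -SecurityEnabled `
    -GroupTypes 'DynamicMembership' `
    -MembershipRule '(device.displayName -startsWith "AVD-") and (device.deviceOSType -eq "Windows")' `
    -MembershipRuleProcessingState 'On'

# 2. Conditional Access: require MFA for every user signing in to the AVD service.
#    Created in report-only mode so the sign-in logs can be reviewed before enforcing.
$policy = @{
    displayName   = 'AVD - Require MFA'
    state         = 'enabledForReportingButNotEnforced'   # change to 'enabled' after review
    conditions    = @{
        users          = @{ includeUsers = @('All'); excludeUsers = @() }  # put break-glass account IDs in excludeUsers
        applications   = @{ includeApplications = @('9cdead84-a844-4324-93f2-b2e6bb768d07') }
        clientAppTypes = @('all')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}
$created = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies' `
    -Body ($policy | ConvertTo-Json -Depth 6) -ContentType 'application/json'

"Group {0} created; CA policy {1} is in state {2}" -f $hostGroup.Id, $created.id, $created.state
```

The policy targets the user sign-in to the AVD service, not the session host itself, so it applies whichever client (Windows, web, macOS, mobile) the user connects from. Leave it in report-only mode until the sign-in logs show the expected result, and exclude your break-glass accounts before switching it to enabled.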
End-User Experience
Let’s look at the end-user experience for single-session users. Microsoft is improving the enrollment experience in the coming months, so let’s wait and see.
- The AVD VM is ready to use immediately after the Intune enrollment
- Azure AD registration of the VMs happens immediately after the VM provisioning process
Security Policies for AVD
Let’s check how to deploy security policies in the AVD modern management world with Intune. I have seen organizations follow the CIS benchmarks to secure Windows desktop and laptop devices. However, Windows 10 configuration service providers (CSPs) changed the way security policies are applied: the settings are delivered over MDM instead of Group Policy.
This is the modern way of securing devices with MDM policies. As you can see in the slide, the National Cyber Security Centre (NCSC) of the UK Government did an excellent job of releasing a benchmark to secure Windows 10 devices using CSPs.
- National Cyber Security Centre (NCSC.gov.uk) guideline for an MDM security baseline using CSPs
- https://www.ncsc.gov.uk/collection/end-user-device-security/platform-specific-guidance/windows-10-1803-with-mobile-device-management
- Security policies should be deployed using either:
  - Intune Administrative Templates (preferred for AVD)
  - Security Baselines
Application Deployment
Let’s understand the Intune application deployment options for AVD in this slide. You can deploy almost all types of applications using the Intune app deployment frameworks. Some app types, such as MSIX and simple MSI packages, are supported natively by Windows 10 MDM; everything else goes through the Win32 app model.
- Deploy apps using Intune
- Complex apps (EXE installers, MSIs with dependencies, scripted installs) need to be packaged into the Intune Win32 (.intunewin) format with Microsoft’s Win32 Content Prep Tool (IntuneWinAppUtil.exe)
- Conversion Tool created by Damien Van Robaeys [MVP]
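As an added example (not the post’s own code and not Damien’s tool), this PowerShell packages an installer with Microsoft’s Win32 Content Prep Tool and writes a custom detection script for the resulting Win32 app. The tool location, the “ContosoAgent” installer and the registry key its installer writes are hypothetical; the command-line switches (-c, -s, -o, -q) are the tool’s documented ones.

```powershell
# Added example: package a classic installer as .intunewin and create its detection script.
$tool   = 'C:\Tools\IntuneWinAppUtil.exe'   # assumed location of the Content Prep Tool
$source = 'C:\Pkg\ContosoAgent'              # folder with the setup file and its dependencies
$setup  = 'ContosoAgentSetup.msi'            # hypothetical setup file inside $source
$output = 'C:\Pkg\Out'

New-Item -ItemType Directory -Path $output -Force | Out-Null

# -c source folder, -s setup file, -o output folder, -q quiet (no interactive prompts).
& $tool -c $source -s $setup -o $output -q
if ($LASTEXITCODE -ne 0) { throw "IntuneWinAppUtil.exe failed with exit code $LASTEXITCODE" }

# The tool names the package after the setup file with the .intunewin extension.
$package = Join-Path $output ([IO.Path]::ChangeExtension($setup, '.intunewin'))
Get-Item $package | Select-Object Name, Length

# Custom detection script for the Intune Win32 app. Intune treats the app as
# installed only when the script writes something to STDOUT AND exits with 0;
# any other exit code, or no output, means "not detected".
$detect = @'
$key  = 'HKLM:\SOFTWARE\Contoso\Agent'   # hypothetical key written by the installer
$want = [version]'2.3.0'
$p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
if ($p -and $p.Version -and ([version]$p.Version -ge $want)) {
    Write-Output "Contoso Agent $($p.Version) detected"
    exit 0
}
exit 1
'@
Set-Content -Path (Join-Path $output 'Detect-ContosoAgent.ps1') -Value $detect -Encoding UTF8
```

Upload the .intunewin file as a Win32 app in Endpoint Manager and attach the detection script as a custom detection rule. Version-aware detection matters on session hosts: a rule that only checks for the registry key would report an old build as installed and skip the upgrade.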
Patching & Windows 10 Upgrade
Let’s have a look at the patching scenarios in the AVD modern management world with Intune, and at how the monthly patching and Windows 10 upgrade scenarios are handled. The big difference with Intune management is that updates come from Windows Update for Business (WUfB) instead of WSUS. For Windows 10/11 Enterprise multi-session hosts, check Microsoft’s list of configuration issues first (https://learn.microsoft.com/en-us/mem/intune/fundamentals/azure-virtual-desktop-multi-session#configuration-issues): it states that Windows Update for Business policies aren’t currently supported for multi-session.
- Monthly patching is managed via Windows Update for Business (WUfB) policies
- Windows 10 upgrades are configured through WUfB feature update policies
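Both the security policies from the earlier section and the WUfB policies in this one arrive on the session host as CSP values under HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\<Area>\<Setting>. As an added example (not from the original post), this PowerShell reads those values back and compares them with an expected set, which is a quick way after enrollment to confirm what Intune actually applied. The expected values are an illustrative subset chosen for this example, not the NCSC baseline or the presentation’s policy set; the setting names are real Policy CSP names.

```powershell
# Added example: compare applied MDM (CSP) settings on a session host with an expected set.
# Format of the keys below: "<Area>\<Setting>" as they appear under
# HKLM\SOFTWARE\Microsoft\PolicyManager\current\device.
$expected = @{
    'Update\DeferQualityUpdatesPeriodInDays'                                 = 7   # WUfB: delay quality updates 7 days
    'Update\DeferFeatureUpdatesPeriodInDays'                                 = 30  # WUfB: delay feature updates 30 days
    'Update\AllowAutoUpdate'                                                 = 2   # auto install and restart
    'Defender\AllowRealtimeMonitoring'                                       = 1
    'DeviceGuard\EnableVirtualizationBasedSecurity'                          = 1
    'LocalPoliciesSecurityOptions\InteractiveLogon_DoNotDisplayLastSignedIn' = 1
}

function Get-AppliedMdmPolicy {
    param([string]$Area, [string]$Setting)
    $key  = "HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\$Area"
    $item = Get-ItemProperty -Path $key -Name $Setting -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # area key or setting not present = policy not applied
    return $item.$Setting
}

function Compare-MdmBaseline {
    param([hashtable]$Expected)
    foreach ($entry in ($Expected.GetEnumerator() | Sort-Object Name)) {
        $area, $setting = $entry.Name -split '\\', 2
        $actual = Get-AppliedMdmPolicy -Area $area -Setting $setting
        # Values are mostly REG_DWORD but some CSPs store REG_SZ, so compare as strings.
        $status = if ($null -eq $actual) { 'MISSING' }
                  elseif ("$actual" -eq "$($entry.Value)") { 'OK' }
                  else { 'DRIFT' }
        [pscustomobject]@{
            Policy   = $entry.Name
            Expected = $entry.Value
            Actual   = if ($null -eq $actual) { '(not applied)' } else { $actual }
            Status   = $status
        }
    }
}

Compare-MdmBaseline -Expected $expected | Format-Table -AutoSize
```

MISSING usually means the profile is not assigned to a group the host is in, or the enrollment sync has not run yet; DRIFT on a setting you did not configure in Intune points to a conflicting Group Policy or a second profile winning the conflict, which the Endpoint Manager device status page will show.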
Download
Let’s download the PDF from the GitHub repository – https://github.com/AnoopCNair/WVD-Intune-Management-PDF
Recording
Indian Windows Virtual Desktop User Group #INWVDUG
Today we announced the Indian Windows Virtual Desktop User Group (#INWVDUG). Welcome, Windows Virtual Desktop (AVD) enthusiasts around the world.
There are several options to connect with us online. The following are some of the options:
- Twitter ➡ https://twitter.com/inwvdug
- Meetup Group ➡ https://www.meetup.com/inwvdug-indian-wvd-user-group/
- Telegram Group ➡ https://t.me/wvdcommunity
- Linkedin Group ➡ https://www.linkedin.com/groups/10491724/
- Facebook Group ➡ https://www.facebook.com/groups/244834119748980
Resources
- Microsoft WVD Documentation on HTMD
- WVD Disable Shutdown Button for Windows 10 Devices Using Intune
- Intune WVD management related posts.
- Convert Windows 10 CSP to OMA-URI for Intune Custom Policies
Author
Anoop is a Microsoft MVP! He is a Solution Architect in enterprise client management with more than 20 years of experience (calculated in 2021) in IT. He is a blogger, speaker, and Local User Group HTMD Community leader. His main focus is on device management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.
Hi,
thanks for the great post. Unfortunately I have an issue that all my Win32 apps will not get deployed as required to WVD Personal Host, and I don’t even see the apps in my Company Portal. Is there some issue you know of?
Thanks in advance and best regards
Hi, it works fine for me for single-session VMs.
You have to assign applications to a device group if it’s a mandatory application. And it won’t show up in Company Portal because it’s a mandatory app.
The available app should be deployed to a user group, and it will show up in Company Portal.
Does that make sense?
Hi Anoop,
First of all, thanks for your time in putting together this content. My question is: does the config you describe here work with multi-session WVD VM setups, or does it currently only work with single-session setups?
Thanks again.
Well, I tried that a very long time back, and I don’t think it’s supported at all.
https://www.anoopcnair.com/wvd-multi-session-intune-hybrid-azure-ad/
Great content. Thanks!
Thank you JB!
Multi-session is now supported
https://docs.microsoft.com/en-us/mem/intune/fundamentals/azure-virtual-desktop-multi-session
Yes of course. We have different posts on this topic. I have updated this post with additional resources. https://www.anoopcnair.com/azure-virtual-desktop-azure-ad-join-support-wvd/ and https://www.anoopcnair.com/azure-virtual-desktop-session-host-to-azure-ad/
What is your recommendation for handling Windows OS updates for AVD multi-session? Per MS article, “Windows Update for Business policies aren’t currently supported.” See last issue noted in below URL.
https://learn.microsoft.com/en-us/mem/intune/fundamentals/azure-virtual-desktop-multi-session#configuration-issues
Is there an alternative option for session hosts joined to Azure AD DS?
With Azure AD DS, this config doesn’t support hybrid join, so are there alternative options to enrol multi-session devices onto Defender for Endpoint?
Mike