Microsoft AVD device management and life cycle support with Intune and SCCM. Let’s discuss some AVD VM management stuff in this post.
The following details about AVD Windows 10 Multi-Session Intune Hybrid Azure AD support include many moving parts. I will try to keep this post up to date.
Read the latest updated post – Intune Support For Multi-Session Windows Server OS Version | AVD Workloads.
NOTE! This post is large to help you start testing AVD VM management. Ll (well, almost all) the points mentioned in the post “SCCM Intune Support for VDI Devices Persistent Non-Persistent” are still true.
NOTE! – Microsoft announced AVD is GA’d Generally Available. I’m expecting many exciting announcements in Microsoft Ignite 2019.
Access Work or School Option Missing?
I can’t find the Access Work or School option in Multi-session Windows 10 1903 version (Windows 10 Enterprise for Virtual Desktops Operating System). K, This is by design!
I think that makes more sense in a multi-session user scenario.
NOTE! – Why do I care about this option? o ahead and check the following post, “Manual way of Azure AD/Intune Enrollment.”
How to Perform Azure AD Registration for AVD Windows 10 Multi-Session VMs?
Let’s do the Azure AD device registration (Hybrid Azure AD Join) using group policies as these VMs are Domain Joined devices. ore details on the AVD/VDI supported scenario – Microsoft Documentation
With the AAD Token group policy setting, this AAD registration will help you register AVD multi-session VMs to Azure AD. This is also called “Hybrid Azure AD Join.”
This policy lets you configure how domain-joined computers become registered as devices.
When you enable this setting, domain-joined computers automatically and silently get registered as devices with Azure Active Directory.
Windows 10 or Windows 11 Multi-Session Intune Enrollment Options
I think the only Intune automatic enrollment option at the moment is to use the AD group policy mentioned below.
You might need to ensure that your AVD Multi-Session VM is already registered to Azure AD via the Hybrid Azure AD mechanism.
NOTE! – Maybe you can use some other automation mechanism via Azure ARM templates or Terraform in the future via Intune Graph API.
This Intune Enrollment Group policy setting works well with Windows 10 or Windows 11 Multi-session version available in Azure.
This policy specifies whether to attempt Intune Mobile Device Management (MDM) Enrollment. f Successful, the computer will be remotely managed by the Intune Server configured in AAD.
MDM will be left alone if you do not configure this policy setting. f you enable this policy setting, MDM Device will attempt to get an AAD token and, if so, will enroll with it using the URL configured in AAD
NOTE! – If you disable this policy setting, the Intune will be unenrolled.
\ Auto MDM Intune Enrollment – Multi-Session Intune Hybrid Azure AD support 3
List Group Policies Deployed for AVD Multi-Session
The following are how we can deploy Windows 10 or Windows 11 multi-session VMs to get Intune enrollment.
| Task | Setting | State | GPO Name |
| AADJ Registration | Register domain-joined computers as devices | Enabled | ACN-Device-MGMT-Windows 10 PC (WVD) Settings |
| Intune Enrollment | Auto MDM Enrollment with AAD Token | Enabled | ACN-Device-MGMT-Windows 10 PC (WVD) Settings |
Intune Company Portal for AVD Windows Multi-User
Yes, you can install the company portal. Ut I don’t recommend installing Intune company portal at this point with AVD Windows multi-user SKU.
I have seen issues with the Intune company portal when multiple users use the same Windows 10 VM.
NOTE! – I don’t think there will be many use cases to have an available application on nonpersistent multi-session VMs in the AVD world. Instead, we should look for MSIX AppAttach and App Masking for the above scenario.
The point is that Intune support statement is not out for multi-user SKU yet. I don’t know whether there will be any support statement about Intune and multi-session with AVD GA. I know AVD is GA’d now, and Microsoft hasn’t announced the support yet.
NOTE! – This device is already assigned to someone in your organization—contact company support about becoming the primary user. Ou can continue to use Company Portal, but functionality will be limited.
So, the problem with Intune company portal is user affinity. The AVD Windows 10 multi-session SKU should not work on primary user affinity.
I hope more details about Intune and AVD Windows 10 multi-session support will come out soon. You can still use Intune to manage AVD Windows 10 multi-session.
Intune Possibilities with Multi-Session
Core applications should be part of the core image or gold(en) image strategy. T’s not ideal (I think) to deploy core applications using Intune for non-persistence VMs in AVD world.
Scenario #1 – Required Assignment to Devices
I tested Intune policies and applications as required deployments to AVD Windows 10 multi-session. T works fine when you deploy applications and approaches to Azure AD devices.
I think this scenario will work and be supported officially at a later stage.
Scenario #2 – Required Assignment to Users
I tested Intune policies and applications as required deployments to users, and those users are logged into multi-user VMs.
Those apps and policies got successfully deployed to those VMs. I have not done any extended testing on this scenario. o, there could be complications, and this might not be a supported scenario.
Scenario #3 – Available Assignment
Do we need this scenario? s this useful in the real world?
The application & policies to AVD Windows 10 multi-session as available assignments are not feasible as per my experience.
This scenario might not be the supported one for AVD Windows 10 multi-session VMs.
Scenario #4 – Security Baseline Assignment to Multi-session
I also tested MDM Security Baseline for May 2019 deployment to AVD Windows 10 multi-session VMs. S per my test, it worked OK. However, the reporting has some glitches which I need to spend more time on.
I hope this will be sorted out soon. I would strongly recommend testing the MDM Security Baseline for May 2019 policies.
Pro Tip – Multi-Session Intune Hybrid Azure AD support
- Start testing AVD management with Microsoft Intune.
- Find out the best ways to manage your Azure AVD VMs.
- Raise feature requests with Intune and AVD team to improve the features of VM management.
- Wait for Azure AD and Intune official support announcement from Microsoft before starting big bang AVD management with Intune and Azure AD.
Resources
- AVD Video PlayList ➡➡https://aka.ms/WVDPlaylist
- AVD AMA 28th Aug 2019 Windows Virtual Desktop Microsoft AVD FAQs from AMA
- Microsoft VDI Story AVD Concept Setup Guide Myths Known Issues
- SCCM Intune Support for Persistent Nonpersistent VDI VMs
- How to Connect AVD Remote Desktop Resources Client or Browser?
Anoop, do you know if this is supported when using Azure Active Directory Domain Services and Azure AD instead of on-prem AD and Azure AD?
Multi session is not supported in both the scenarios. Azure AD joined device scenario is not supported for WVD VMs (for single session and Multi session). Only supported scenario is Hybrid Azure AD join. Even in Hybrid Azure AD join scenario Multi session is not supported. Same applies for Intune
Anoop, your blog post describes using Hybrid Azure AD join and Intune to manage Multi-User Win10, but you also mention in the comments that Hybrid join is not supported (also stated in MS documentation). Does this mean that Mutli-User Win10 is limited to the Domain Join & ConfigMgr management scenario at this time? Any idea when support for Azure AD Join will be added?
At the moment multi user support is not in place for Intune. The only way for large scale deployment of Multi user is MECM or ConfigMgr. Not sure about the timeline of Azure AD join which are publicly announced.
Hi,
After changing policy for Enrollment from compony portal its not letting to add device on AAD.
“add account operation is blocked by policy on the device” Cloud you bypass it?
I think we need to discuss this in details … can you try to ask question at the forum https://forum.howtomanagedevices.com
Hi Anoop C Nair
Need some guidance on Azure WVD solution integration with Citirx Control pane ( on-premise).
Can I setup a quick call pls or yo have any documents that i can refer
Note – i am looking to implement WVD using automation ( all script based )
Appreciate your help
Thanks
Suryakant
Anoop,
Is it possible to do Azure AD Join, in WVD with AAD-DS joined machines?
Our problem is that we are trying to get seamless authentication in WVD and cannot achieve that without Azure AD Join. I tried the steps in this article but it basically says AAD-DS is not setup for AD Join.
I wonder if you could setup Azure AD Connect on an Azure AD DS DC to achieve this?
Hi Anoop.
I have a persistent multi-session WinServer 2019 RDS on a local domain, approximately 15 users are connected to their virtual sessions.
Is it possible to do the Azure AD Hybrid join and manage the device in Intune?
I am still not clear if it is allowed for local environments.