Microsoft AVD device management and life cycle support with Intune and SCCM. Let’s discuss some AVD VM management stuff in this post. The following details about AVD Windows 10 Multi-Session Intune Hybrid Azure AD support include many moving parts. I will try to keep this post up to date.
Read the latest updated post – Intune Support For Multi-Session Windows Server OS Version | AVD Workloads.
NOTE! – This post is large to help you to start the testing of AVD VM management. All (well almost all) the points mentioned in the post “SCCM Intune Support for VDI Devices Persistent Non-Persistent” are still true.
NOTE! – Microsoft announced AVD is GA’d Generally Available. I’m expecting many exciting announcements in Microsoft Ignite 2019.
Access Work or School Option Missing?
I can’t find the Access Work or School option in Multi-session Windows 10 1903 version (Windows 10 Enterprise for Virtual Desktops Operating System). OK, This is by design! I think that makes more sense in a multi-session user scenario.
NOTE! – Why do I care about this option? Go ahead and check the following post “Manual way of Azure AD/Intune Enrollment.”
How to Perform Azure AD Registration for AVD Windows 10 Multi Session VMs?
Lets do the Azure AD device registration (Hybrid Azure AD Join) using group policies as these VMs are Domain Joined devices. More details on the AVD/VDI supported scenario – Microsoft Documentation here.
This AAD registration with AAD Token group policy setting will help you to register AVD multi session VMs to Azure AD this is also called “Hybrid Azure AD Join.” Essentially, this policy lets you configure how domain joined computers become registered as devices.
When you enable this setting, domain joined computers automatically and silently get registered as devices with Azure Active Directory.
Windows 10 or Windows 11 Multi-Session Intune Enrollment Options
I think the only Intune automatic enrollment option at the moment is to use AD group policy mentioned below. You might need to make sure that your AVD Multi-Session VM is already registered to Azure AD via Hybrid Azure AD mechanism.
NOTE! – May be you can use some other automation mechanism via Azure ARM templates or Terraform in the future via Intune Graph API.
This Intune Enrollment Group policy setting works well with Windows 10 or Windows 11 Multi-session version which is available in Azure. This policy specifies whether to attempt Intune Mobile Device Management (MDM) Enrollment. If Successful, the computer will remotely managed by the Intune Server configured in AAD.
If you do not configure this policy setting, MDM will be left alone. If you enable this policy setting, MDM Device will attempt to get an AAD token, and if so, will enroll with it using the URL configured in AAD
NOTE! – If you disable this policy setting the Intune will be unenrolled.
List Group Policies Deployed for AVD Multi Session
The following are the setting which we can deploy Windows 10 or Windows 11 multi-session VMs to get Intune enrollment.
Task | Setting | State | GPO Name |
AADJ Registration | Register domain joined computers as devices | Enabled | ACN-Device-MGMT-Windows 10 PC (WVD) Settings |
Intune Enrollment | Auto MDM Enrollment with AAD Tocken | Enabled | ACN-Device-MGMT-Windows 10 PC (WVD) Settings |
Intune Company Portal for AVD Windows Multi-User
Yes you can install company portal. But I don’t recommend installing Intune company portal at this point of time with AVD Windows multi-user SKU. I have seen issues with Intune company portal when multiple users are using the same Windows 10 VM.
NOTE! – I don’t think there will be many use cases to have available application on non persistent multi-session VMs in AVD world. Instead we should look for MSIX AppAttach and App Masking for the above mentioned scenario.
The point is that Intune support statement is not out for multi-user SKU yet. I don’t know whether there will be any support statement about Intune and multi-session with AVD GA. I know AVD is GA’d now and Microsoft didn’t announce the support yet.
NOTE! – This device is already assigned to someone in your organization. Contact company support about becoming the primary user. You can continue to use Company Portal but functionality will be limited.
So, the problem with Intune company portal is user affinity. The AVD Windows 10 multi-session SKU should not work on primary user affinity. I hope more details about Intune and AVD Windows 10 multi-session support will come out soon. Until then, you can still use Intune to manage AVD Windows 10 multi-session.
Intune Possibilities with Multi-Session
Core applications should be part of core image or gold(en) image strategy. It’s not ideal (I think) to deploy core applications using Intune for non-persistence VMs in AVD world.
Scenario #1 – Required Assignment to Devices
I tested Intune policies and applications as required deployments to AVD Windows 10 multi-session. It works fine when you deploy application and policies to Azure AD devices. I think this scenario will work and will be supported officially at the later stage.
Scenario #2 – Required Assignment to Users
I tested Intune policies and application as required deployments to users and those users are logged into multi-user VMs. Those apps and policies got successfully deployed to those VMs. But, I have not done any extended testing on this scenario. So, there could be complications and this might not be a supported scenario.
Scenario #3 – Available Assignment
Do we really need this scenario? Is this useful in real world? The application & policies to AVD Windows 10 multi-session as available assignments are not really feasible as per my experience. This scenario might not be the supported one for AVD Windows 10 multi-sessions VMs.
Scenario #4 – Security Baseline Assignment to Multi-session
I also tested MDM Security Baseline for May 2019 deployment to AVD Windows 10 multi-session VMs. As per my tested it worked OK. However the reporting has some glitches which I need to spend more time.
I hope this will be sorted out soon. But, I would strongly recommend testing the MDM Security Baseline for May 2019 policies.
Pro Tip – Multi-Session Intune Hybrid Azure AD support
- Start testing AVD management with Microsoft Intune.
- Find out the best ways to manage your Azure AVD VMs.
- Raise feature requests with Intune and AVD team to improve the features of VM management.
- Wait for Azure AD and Intune official support announcement from Microsoft before starting big bang AVD management with Intune and Azure AD.
Resources
- AVD Video Play List ➡➡https://aka.ms/WVDPlaylist
- AVD AMA 28th Aug 2019 Windows Virtual Desktop Microsoft AVD FAQs from AMA
- Microsoft VDI Story AVD Concept Setup Guide Myths Known Issues
- SCCM Intune Support for Persistent Non-Persistent VDI VMs
- How to Connect AVD Remote Desktop Resources Client or Browser?
Anoop, do you know if this is supported when using Azure Active Directory Domain Services and Azure AD instead of on-prem AD and Azure AD?
Multi session is not supported in both the scenarios. Azure AD joined device scenario is not supported for WVD VMs (for single session and Multi session). Only supported scenario is Hybrid Azure AD join. Even in Hybrid Azure AD join scenario Multi session is not supported. Same applies for Intune
Anoop, your blog post describes using Hybrid Azure AD join and Intune to manage Multi-User Win10, but you also mention in the comments that Hybrid join is not supported (also stated in MS documentation). Does this mean that Mutli-User Win10 is limited to the Domain Join & ConfigMgr management scenario at this time? Any idea when support for Azure AD Join will be added?
At the moment multi user support is not in place for Intune. The only way for large scale deployment of Multi user is MECM or ConfigMgr. Not sure about the timeline of Azure AD join which are publicly announced.
Hi,
After changing policy for Enrollment from compony portal its not letting to add device on AAD.
“add account operation is blocked by policy on the device” Cloud you bypass it?
I think we need to discuss this in details … can you try to ask question at the forum https://forum.howtomanagedevices.com
Hi Anoop C Nair
Need some guidance on Azure WVD solution integration with Citirx Control pane ( on-premise).
Can I setup a quick call pls or yo have any documents that i can refer
Note – i am looking to implement WVD using automation ( all script based )
Appreciate your help
Thanks
Suryakant
Anoop,
Is it possible to do Azure AD Join, in WVD with AAD-DS joined machines?
Our problem is that we are trying to get seamless authentication in WVD and cannot achieve that without Azure AD Join. I tried the steps in this article but it basically says AAD-DS is not setup for AD Join.
I wonder if you could setup Azure AD Connect on an Azure AD DS DC to achieve this?