WVD Windows 10 Multi-Session Intune Hybrid Azure AD Support

Multi-Session Intune Hybrid Azure AD support

Microsoft WVD device management and life cycle support with Intune and SCCM. Let's discuss some WVD VM management topics in this post. The following details about WVD Windows 10 Multi-Session Intune Hybrid Azure AD support include many moving parts. I will try to keep this post up to date.

NOTE! – This post is largely meant to help you start testing WVD VM management. All (well, almost all) the points mentioned in the post “SCCM Intune Support for VDI Devices Persistent Non Persistent” are still true.

NOTE! – Microsoft announced that WVD is GA’d (Generally Available). I’m expecting many exciting announcements at Microsoft Ignite 2019.

TL;DR

Access Work or School Option Missing?

I can’t find the Access Work or School option in the multi-session Windows 10 1903 version (Windows 10 Enterprise for Virtual Desktops operating system). OK, this is by design! I think that makes more sense in a multi-session user scenario.

NOTE! – Why do I care about this option? Go ahead and check the following post: “Manual way of Azure AD/Intune Enrollment.”

Access Work or School – Multi-Session Intune Hybrid Azure AD support

How to Perform Azure AD Registration for WVD Windows 10 Multi Session VMs?

Let's do the Azure AD device registration (Hybrid Azure AD Join) using group policies, as these VMs are domain-joined devices. More details on the WVD/VDI supported scenario are in the Microsoft documentation here.

Multi-Session Intune Hybrid Azure AD support

This “Register domain joined computers as devices” group policy setting (AAD registration with an AAD token) will help you register WVD multi-session VMs with Azure AD; this is also called “Hybrid Azure AD Join.” Essentially, this policy lets you configure how domain-joined computers become registered as devices.

When you enable this setting, domain-joined computers automatically and silently get registered as devices with Azure Active Directory.

Auto AAD Registration Environment - Multi-Session Intune Hybrid Azure AD support

Windows 10 Multi-Session Intune Enrollment Options

I think the only Intune automatic enrollment option at the moment is to use the AD group policy mentioned below. You need to make sure that your WVD multi-session VM is already registered with Azure AD via the Hybrid Azure AD Join mechanism.

NOTE! – Maybe you can use some other automation mechanism via Azure ARM templates or Terraform in the future, via the Intune Graph API.

This Intune enrollment group policy setting works well with the Windows 10 multi-session version available in Azure. The policy specifies whether to attempt Intune Mobile Device Management (MDM) enrollment. If successful, the computer will be remotely managed by the Intune service configured in AAD.

If you do not configure this policy setting, MDM is left alone. If you enable it, the device will attempt to get an AAD token and, if it obtains one, will enroll with that token using the MDM enrollment URL configured in AAD.

NOTE! – If you disable this policy setting, the device will be unenrolled from Intune.

Auto MDM Intune Enrollment Multi-Session Intune Hybrid Azure AD support

List Group Policies Deployed for WVD Multi Session

The following are the group policy settings we deploy to Windows 10 multi-session VMs to get them enrolled in Intune.

Task               Setting                                       State     GPO Name
AADJ Registration  Register domain joined computers as devices   Enabled   ACN-Device-MGMT-Windows 10 PC (WVD) Settings
Intune Enrollment  Auto MDM Enrollment with AAD Token            Enabled   ACN-Device-MGMT-Windows 10 PC (WVD) Settings
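The two policies above only work if the VM ends up both Hybrid Azure AD joined and MDM enrolled, and on a multi-session host there is no Access Work or School page to confirm that. The following PowerShell script is an added example (not from the original post or from Microsoft) that reads the registry values those two policies write, parses dsregcmd /status for the join state, and lists MDM enrollments. The registry paths, the "MS DM Server" provider ID and the EnrollmentState value of 1 for a completed enrollment are assumptions based on common Windows behaviour, so verify them against your own tenant; run it in an elevated session on the VM.

```powershell
# Added example: verify Hybrid Azure AD Join and Intune auto-enrollment state
# on a WVD Windows 10 multi-session VM. Read-only; nothing is changed.

function Get-WvdPolicyState {
    # Backing registry values for the two GPO settings (assumed paths):
    #   "Register domain joined computers as devices" -> WorkplaceJoin\autoWorkplaceJoin = 1
    #   "Auto MDM Enrollment with AAD Token"          -> MDM\AutoEnrollMDM = 1
    #   1803+ variant also writes MDM\UseAADCredentialType (1 = device, 2 = user credential)
    $wpj = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin'
    $mdm = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'
    [pscustomobject]@{
        AutoWorkplaceJoin    = (Get-ItemProperty -Path $wpj -Name autoWorkplaceJoin    -ErrorAction SilentlyContinue).autoWorkplaceJoin
        AutoEnrollMDM        = (Get-ItemProperty -Path $mdm -Name AutoEnrollMDM        -ErrorAction SilentlyContinue).AutoEnrollMDM
        UseAADCredentialType = (Get-ItemProperty -Path $mdm -Name UseAADCredentialType -ErrorAction SilentlyContinue).UseAADCredentialType
    }
}

function Get-DsregStatus {
    # Turn the "Key : Value" lines of dsregcmd /status into a hashtable.
    $status = @{}
    foreach ($line in (dsregcmd.exe /status)) {
        if ($line -match '^\s*(\S[^:]*?)\s*:\s*(.*?)\s*$') {
            $status[$matches[1]] = $matches[2]
        }
    }
    return $status
}

function Get-MdmEnrollmentState {
    # Each enrollment is a GUID key under HKLM\SOFTWARE\Microsoft\Enrollments.
    # Intune enrollments carry ProviderID "MS DM Server" (assumed value).
    Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty -Path $_.PSPath } |
        Where-Object { $_.ProviderID } |
        Select-Object PSChildName, ProviderID, EnrollmentState, EnrollmentType, UPN
}

function Test-WvdIntuneReadiness {
    $policy = Get-WvdPolicyState
    $dsreg  = Get-DsregStatus
    $enroll = Get-MdmEnrollmentState
    $intune = $enroll | Where-Object { $_.ProviderID -eq 'MS DM Server' -and $_.EnrollmentState -eq 1 }
    [pscustomobject]@{
        # DomainJoined = YES together with AzureAdJoined = YES means Hybrid Azure AD joined
        DomainJoined         = $dsreg['DomainJoined']
        AzureAdJoined        = $dsreg['AzureAdJoined']
        TenantName           = $dsreg['TenantName']
        MdmUrl               = $dsreg['MdmUrl']
        AutoWorkplaceJoinGpo = $policy.AutoWorkplaceJoin      # expect 1
        AutoEnrollMDMGpo     = $policy.AutoEnrollMDM          # expect 1
        UseAADCredentialType = $policy.UseAADCredentialType   # 1 = device credential (multi-session friendly)
        IntuneEnrolled       = [bool]$intune
        EnrollmentUpn        = ($intune | Select-Object -First 1).UPN
    }
}

Test-WvdIntuneReadiness | Format-List
```

If AzureAdJoined shows YES but IntuneEnrolled stays False, the enrollment scheduled task is the usual suspect; the events in the Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin log (readable with Get-WinEvent) show why the token request or the enrollment URL lookup failed. A device-credential enrollment (UseAADCredentialType = 1) is what you want here, since a user-credential enrollment ties the device to whichever user signed in first, which is exactly the user-affinity problem described later for Company Portal.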

Intune Company Portal for WVD Windows Multi-User

Yes, you can install the Company Portal app. But I don’t recommend installing Intune Company Portal at this point in time with the WVD Windows multi-user SKU. I have seen issues with Intune Company Portal when multiple users are using the same Windows 10 VM.

NOTE! – I don’t think there will be many use cases for available applications on non-persistent multi-session VMs in the WVD world. Instead, we should look at MSIX app attach and App Masking for the above-mentioned scenario.

The point is that the Intune support statement for the multi-user SKU is not out yet. I don’t know whether there will be any support statement about Intune and multi-session with WVD GA. I know WVD is GA’d now, and Microsoft hasn’t announced that support yet.

NOTE! – Company Portal shows the following message: “This device is already assigned to someone in your organization. Contact company support about becoming the primary user. You can continue to use Company Portal but functionality will be limited.”

Multi-Session Intune Hybrid Azure AD support – Your IT admin didn’t make any apps available to you

So, the problem with Intune Company Portal is user affinity. The WVD Windows 10 multi-session SKU should not work on primary user affinity. I hope more details about Intune and WVD Windows 10 multi-session support will come out soon. Until then, you can still use Intune to manage WVD Windows 10 multi-session.

Intune Possibilities with Multi-Session

Core applications should be part of the core image or gold(en) image strategy. It’s not ideal (I think) to deploy core applications using Intune to non-persistent VMs in the WVD world.

Scenario #1 – Required Assignment to Devices

I tested Intune policies and applications as required deployments to WVD Windows 10 multi-session. It works fine when you deploy applications and policies to Azure AD device groups. I think this scenario will work and will be supported officially at a later stage.

Multi-Session Intune Hybrid Azure AD support – Required Apps Targeted to Device Groups

Scenario #2 – Required Assignment to Users

I tested Intune policies and applications as required deployments to users, with those users logged into multi-user VMs. Those apps and policies got successfully deployed to those VMs. But I have not done any extended testing of this scenario, so there could be complications, and this might not be a supported scenario.

Scenario #3 – Available Assignment

Do we really need this scenario? Is it useful in the real world? Applications and policies deployed to WVD Windows 10 multi-session as available assignments are not really feasible, as per my experience. This scenario might not be the supported one for WVD Windows 10 multi-session VMs.

Scenario #4 – Security Baseline Assignment to Multi-session

I also tested the MDM Security Baseline for May 2019 deployment to WVD Windows 10 multi-session VMs. As per my testing, it worked OK. However, the reporting has some glitches that I need to spend more time on.

I hope this will be sorted out soon. But I would strongly recommend testing the MDM Security Baseline for May 2019 policies.

Multi-Session Intune Hybrid Azure AD support

Pro Tip – Multi-Session Intune Hybrid Azure AD support

  • Start testing WVD management with Microsoft Intune.
  • Find out the best ways to manage your Azure WVD VMs.
  • Raise feature requests with Intune and WVD team to improve the features of VM management.
  • Wait for Azure AD and Intune official support announcement from Microsoft before starting big bang WVD management with Intune and Azure AD.

Resources
