Azure Virtual Desktop Blog

Intune device configuration for Azure Virtual Desktop multi-session VMs is now generally available

DavidBelanger
Microsoft
Apr 26, 2022

We're happy to announce that deploying Microsoft Intune device configuration from Microsoft Endpoint Manager admin center to Azure Virtual Desktop multi-session virtual machines (VMs) is now generally available. Intune already supports managing single-session Azure AD-joined and Hybrid Azure AD-joined Azure Virtual Desktop VMs. You can now add multi-session VMs to the same management experience and deploy device-wide configurations to them. Intune is also the best solution for managing policy configuration on Azure AD-joined Azure Virtual Desktop multi-session VMs.

The following capabilities are now generally available on Azure Virtual Desktop with Intune:

  • Automatically enroll VMs in Intune when provisioning Azure AD-joined host pools so that they're provisioned, compliant, and ready to use when end-users access them.
  • Manage both single and multi-session VMs using the settings catalog in Microsoft Endpoint Manager admin center.
  • Increase your multi-session VMs’ security posture by applying configurations available under the Endpoint security blade, including Firewall and granular Antivirus policies.
  • Leverage Microsoft 365 security features like Conditional Access on the session hosts.
  • Assign applications configured to install in system context to multi-session VMs.
  • Manage device configuration for multi-session VMs created in the Azure Public and Azure Government (US GCC High and DoD environments) clouds.

Easily create new endpoint security policies, like you do for physical devices, by choosing the Windows 10, Windows 11, and Windows Server platform when creating the profile.

Getting started

This new functionality is available in the Intune 2204 release.

Learn more about the recommended ways to manage your Azure Virtual Desktop session hosts on our management page.

To get started, follow the instructions to use Azure Virtual Desktop multi-session with Intune, which will guide you in creating new device configurations.

Stay tuned for news about the upcoming support for user scope policies.

Updated Aug 03, 2022
Version 2.0
  • Vinch_BE
    Copper Contributor

    Thanks for this!

    How can we enroll an existing Azure AD-joined VM into Intune? (We did not check the box when deploying it.)

  • mikepiet
    Brass Contributor

    Great, now just get MSIX AppAttach working with AAD joined AVDs.

  • Ashkb, we're actively working on enabling support for policies requiring vTPM and Secure Boot. At this time, you'd need to exclude multi-session VMs from existing compliance policies and create a new policy without those settings so your devices don't become non-compliant. To exclude, you could either put multi-session VMs in an AAD group or create a Filter for the multi-session SKU and exclude from the assignment. We also recommend using Azure Disk Encryption until we've optimized BitLocker for AVD VMs.

  • MaximSokoloff, configuring FSLogix using Intune isn't available just yet but is something we are working on as we've received many requests for it. Similarly, we are working on enabling security baselines and plan to have them available later this year.

  • MaximSokoloff
    Brass Contributor

    Hi DavidBelanger, can you guys provide some info or an update on whether configuring FSLogix settings is supported via Intune or not? It's not clear.

    Also, same question regarding applying security baselines to AVD multi-session via Intune.

    TIA

  • Ashkb
    Brass Contributor

    Having an issue with the AVD. They become non-compliant after some time. However, the other machine is working fine. When we check the non-compliant machine, it throws an error for BitLocker. Is there anything to do with TPM here? We have it enabled already.