Latest Discussions
Improper AVD Host Decommissioning – A Practical Governance Framework
Hi everyone,

After working with multiple production Azure Virtual Desktop environments, I noticed a recurring issue that rarely gets documented properly: Improper host decommissioning.

Scaling out AVD is easy. Scaling down safely is where environments silently drift.

Common issues I’ve seen in the field:
- Session hosts deleted before drain completion
- Orphaned Entra ID device objects
- Intune-managed device records left behind
- Stale registration tokens
- FSLogix containers remaining locked
- Defender onboarding objects not cleaned
- Host pool inconsistencies over time

The problem is not technical complexity. It’s lifecycle governance.

So I built a structured approach to host decommissioning focused on:
- Drain validation
- Active session verification
- Controlled removal from host pool
- VM deletion sequencing
- Identity cleanup validation
- Registration token rotation
- Logging and execution safety

I’ve published a practical framework here:
The framework is fully documented and includes validation logic and logging.
https://github.com/modernendpoint/AVD-Host-Decommission-Framework

The goal is simple: Not just removing a VM — but preserving platform integrity.

I’m curious: How are you handling host lifecycle management in your AVD environments?
- Fully automated?
- Manual?
- Integrated with scaling plans?
- Identity cleanup included?

Would love to hear how others approach this.

Menahem Suissa
AVD | Intune | Identity-Driven Architecture

Menahem | Feb 17, 2026 | Brass Contributor | 116 Views | 0 likes | 0 Comments

Azure’s Default Outbound Access Changes: Guidance for Azure Virtual Desktop Customers
After March 31, 2026, newly created Azure Virtual Networks (VNets) will no longer have default outbound internet access (DOA) enabled by default. Azure Virtual Desktop customers must configure outbound connectivity explicitly when setting up new VNets. This post explains what’s changing, who’s impacted, and the recommended actions, including Private Subnets.

What is Default Outbound Access (DOA)?

Default Outbound Access is Azure’s legacy behavior that allowed all resources in a virtual network to reach the public internet without configuring a specific internet egress path. This allowed telemetry, Windows activation, updates, and other service dependencies to reach external endpoints even when no explicit outbound connectivity method was configured.

What’s changing?

After March 31, 2026, as detailed in Azure’s communications, Azure will no longer enable DOA by default for new virtual networks. Instead, the VNet will be configured for the Private Subnet option, allowing you to designate subnets without internet access for improved isolation and compliance. These changes encourage more intentional, secure network configurations while offering flexibility for different workload needs. Disabling the Private Subnet option will allow administrators to restore DOA capabilities to the VNet, although Microsoft strongly recommends using NAT Gateway to provide outbound Internet access for session hosts.

Impact on Azure Virtual Desktop Customers

For Azure Virtual Desktop deployments created after March 31, 2026, outbound internet access must be explicitly configured, otherwise deployment and connectivity of the Session Hosts will fail. Existing VNets remain unaffected and will continue to use the configured internet access method.

What You Should Do

To prepare for Azure’s Default Outbound Access changes and ensure your Azure Virtual Desktop deployments remain secure and functional:

Recommendations
- Update deployment plans to ensure either an explicit NAT, such as a NAT Gateway, or Default Outbound access (not recommended) is enabled by disabling the Private Subnet option.
- Test connectivity to ensure all services dependent on outbound access continue to function as expected.

Supported Outbound Access Methods

To maintain connectivity, choose one of these supported methods:
- NAT Gateway (recommended). Note: Direct RDP Shortpath (UDP over STUN) cannot be established through a NAT Gateway because its symmetric NAT policy prevents direct UDP connectivity over public networks.
- Azure Standard Load Balancer
- Public IP address on a VM
- Azure Firewall or third-party Network Virtual Appliance (NVA). Note: it is not recommended to route RDP or other long-lived connections through Azure Firewall or any other network virtual appliance which allows for automatic scale-in. A direct method such as NAT Gateway should be used.

More information about the pros and cons of each method can be found at Default Outbound Access.

Resources:
- Azure updates | Microsoft Azure
- Default Outbound Access in Azure
- Transition to an explicit method of public connectivity | Microsoft Learn
- Quickstart: Create a NAT Gateway

Quick FAQ

Does this affect existing VNets?
No. Only VNets created after March 31, 2026, are affected. Existing VNets will continue to operate as normal.

What if I do nothing on a new VNet?
Host pool deployment will fail, and connectivity will fail because the VNet does not have internet access. Configure NAT Gateway or another supported method before starting a host pool deployment.

Why do Azure Virtual Desktop session hosts need outbound internet access?
Many Azure Virtual Desktop functions depend on the session host having outbound access to Microsoft services. Without configuring NAT Gateway or another supported method of explicit outbound for the VNet, Azure Virtual Desktop will not deploy or function correctly.

What are the required endpoints?
Please see https://learn.microsoft.com/azure/virtual-desktop/required-fqdn-endpoint?tabs=azure for a list of the endpoints required.

Why might peer-to-peer connectivity using STUN-based UDP hole punching not work when using NAT Gateway?
NAT Gateway uses a type of network address translation that does not support cone symmetric NAT behavior. This can prevent STUN (Simple Traversal Underneath NAT) based UDP hole punching, commonly used for establishing peer-to-peer connections, from working as expected. If your application relies on reliable UDP connectivity between peers, STUN may revert to TURN (Traversal Using Relays around NAT) in some instances. TURN relays traffic between endpoints, ensuring consistent connectivity even when direct peer-to-peer paths are blocked. This helps maintain smooth real-time experiences for your users.

What explicit outbound options support STUN?
Azure Standard Load Balancer supports UDP over STUN.

How do I configure Azure Firewall?
For additional security you can configure Azure Firewall using these instructions: https://learn.microsoft.com/en-us/azure/firewall/protect-azure-virtual-desktop?context=/azure/virtual-desktop/context/context . It is strongly recommended that a direct method of access is used for RDP and other long-lived connections such as VPN or Secure Web Gateway tunnels. This is due to devices such as Azure Firewall scaling in when load is low, which can disrupt connectivity.

Wrap-up

Azure’s change reinforces intentional networking for better security. By planning explicit egress, Azure Virtual Desktop customers can stay compliant and keep session hosts reliably connected.

Kathryn_Jakubek | Feb 11, 2026 | Microsoft | 1.1K Views | 1 like | 0 Comments

TURN relay regional expansion for Azure Virtual Desktop
TURN (Traversal Using Relays around NAT) enables devices behind firewalls to establish reliable UDP connections. With RDP Shortpath for public networks, TURN acts as a fallback when a direct UDP-based connection isn’t possible—ensuring low-latency, high-reliability remote desktop sessions.

Starting June 15, 2025, we are launching a dedicated TURN relay IP range across the Microsoft Azure public cloud. This new range—51.5.0.0/16—enhances RDP Shortpath connectivity and delivers faster, more reliable performance for Azure Virtual Desktop and Windows 365 users in 40 regions worldwide.

For the full list of supported regions and guidance on how to plan for this change, read the full announcement: Expanded TURN relay regions for Windows 365 and Azure Virtual Desktop

1.5K Views | 1 like | 0 Comments

Teams Optimization Crashes Windows App on macOS (AVD)
Summary: When using the Windows App for macOS (from App Store) to connect to Azure Virtual Desktop, enabling Teams Media Optimization causes the app to crash when joining or receiving a Teams call. Started about 3 weeks ago.

Environment:
- App: Windows App for macOS
- App Version: 11.1.4 (Build 2557) - (I have also experienced this on 11.0.4 on another MBP M1 Max laptop I have.)
- macOS: 15.3.2 (Sequoia)
- Mac: MacBookPro18,1 (Apple Silicon)
- AVD Host: Windows 11, Teams (new client), Media Optimization enabled

Crash Log:
- *** -[__NSArrayM objectAtIndexedSubscript:]: index 0 beyond bounds for empty array
- Type: NSRangeException
- Signal: SIGABRT
- Stack trace points to redirection plugin initialization
- Happens only when Teams optimization is enabled

Console Errors (macOS):
- BASIX_DCT(WARN): Not firing OnClosed on an object already closed.
- Stateful object was destructed while in state Opened(19)
- VirtualChannelEntryEx failed
- MSCOMVC plugin failed to load

Repro Steps:
1. Use a Mac with Continuity Camera or External webcam (in my case, Logitech Brio)
2. Launch Windows App for macOS
3. Connect to AVD session with Teams optimization enabled
4. Initiate or receive a Teams call
5. App crashes with SIGABRT

Workarounds:
- ❌ Disabling UDP and device redirection has no effect.
- ⚠️ Disabling Teams Optimization prevents the crash. Far from ideal because now my audio and video quality are degraded when using Teams on AVD (and my organization requires "camera on" for meetings).

🔍 Relevant Log Snippets from macOS Console & Windows App (Teams Optimization Crash)

✅ Camera Enumeration Warning

    system_profiler SPCameraDataType
    Model ID: UVC Camera VendorID_1086 ProductID_39501
    Model ID: FaceTime HD Camera
    Model ID: iPhone14,2

Continuity Camera detected alongside External Webcam and internal FaceTime camera.

⚠️ macOS Console Log

    BASIX_DCT(WARN): Not firing OnClosed on an object 0x11798e400 which is already closed.

Happens right before crash — indicates plugin channel was torn down unexpectedly.

💥 Objective-C Crash Report

    exceptionReason : { "name":"NSRangeException", "type":"objc-exception", "composed_message":"*** -[__NSArrayM objectAtIndexedSubscript:]: index 0 beyond bounds for empty array", "class":"NSException" }

Plugin crashes when accessing a camera/mic array that was unexpectedly empty.

🔗 Windows App RDC Log (DynVC Activity + Plugin Crash)

    DynVC.cpp(686): InvokeCallback() ...Sending up 6650 bytes
    VirtualChannelEntryEx failed
    Failed to load MSCOMVC plugin, maybe not enabled
    Stateful object 0x1218b4018 was destructed while in state Opened(19)

AV redirection plugin begins initializing, then fails midstream. Memory cleanup errors confirm improper plugin teardown.

📉 Diagnostic Upload Failures

    FlushTracesInternal() is called before BeginUpload().
    we don't have a claims token yet and thus can't generate sass token. cancelling flush

Shows why Microsoft likely isn’t receiving telemetry unless the user manually reports.

These logs help pinpoint the crash to Teams AV plugin failure in the Windows App on macOS, triggered by improper handling of macOS camera/mic devices (especially Continuity Camera or UVC) when Teams Optimization is enabled.

henropotter | Mar 29, 2025 | Copper Contributor | 399 Views | 1 like | 0 Comments

[On demand] Azure Virtual Desktop hostpool management at scale
Need to dynamically scale Azure Virtual Desktop session hosts to meet your usage needs? Watch Azure Virtual Desktop hostpool management at scale – now on demand – and join the conversation at https://aka.ms/AVDHostpoolManagement.

To help you learn more, here are the links referenced in the session:
- Watch Azure Virtual Desktop: Everything You Need to Know to explore the full capabilities of Azure Virtual Desktop!

For more free technical skilling on the latest in Windows, Windows in the cloud, and Microsoft Intune, view the full Microsoft Technical Takeoff session list.

Heather_Poulsen | Mar 06, 2025 | Community Manager | 77 Views | 1 like | 0 Comments

[On demand] Azure Virtual Desktop app management
Flexibility, scalability, and seamless integration within Windows environments in the cloud. See how App Attach with Azure Virtual Desktop supports MSIX, App-V, and other solutions. Watch Azure Virtual Desktop app management – now on demand – and join the conversation at https://aka.ms/AVDAppManagement.

To help you learn more, here are the links referenced in the session:
- Framework packages can be added to a custom image via scripts to prepare for any MSIX package. The script to install MSIX frameworks can be found here.

For more free technical skilling on the latest in Windows, Windows in the cloud, and Microsoft Intune, view the full Microsoft Technical Takeoff session list.

Heather_Poulsen | Mar 06, 2025 | Community Manager | 85 Views | 1 like | 0 Comments

Tips for your migration to Azure Virtual Desktop
Want to migrate and onboard Windows through Cloud Virtual Desktop Infrastructure (VDI) with Azure Virtual Desktop? Explore the key decisions and considerations you’ll need to make in this process. What are the deployment options? What are some migration principles to keep in mind? By the end of this on-demand session, you will have answers and a firm understanding of your next steps with your Azure Virtual Desktop journey. See it all at Accelerate your migration to Windows 365 and Azure Virtual Desktop.

Char_Cheesman | Aug 08, 2024 | Bronze Contributor | 1.5K Views | 0 likes | 0 Comments

News and best practices for securing Cloud Virtual Desktop Infrastructures (VDI)
Have Cloud VDIs? Looking to take secure productivity to the next level? Learn more about passwordless authentication and shorter multifactor authentication cycles! Get all the news on latest investments, best practices, and strategies for securing identity, access, and data in the cloud. More specifically, dive into secure access, Security Aggregation, Microsoft Purview with DLP Support, a demo on enabling single sign-on, and customer Lockbox approval workflow. See all the tips, tricks, and news at Securing Windows in the cloud: a practical approach for Cloud PCs & Cloud VDI.

Char_Cheesman | Aug 08, 2024 | Bronze Contributor | 1.6K Views | 0 likes | 0 Comments

Ipad RD Client, Keyboard in app Shortcuts problems
Was redirected here, original post: https://techcommunity.microsoft.com/t5/azure-virtual-desktop-feedback/ipad-rd-client-keyboard-in-app-shortcuts-problems/idi-p/4182429

Hello,

So here is the problem I face: My keyboard is working perfectly fine whenever I use it regularly, however, there seems to be a problem when using shortcuts in apps. Like, most of the time, I must do Ctrl + W instead of Ctrl + Z for having the Ctrl + Z working. I have a French keyboard, AZERTY, and it looks like the shortcuts are swapped? There are problems with those in different apps in any case; Seenda keyboard.

Also, problem when using Blender, I dug up an old post (https://techcommunity.microsoft.com/t5/azure-virtual-desktop-feedback/blender-does-not-recognize-keyboard-input-with-rdclient-for-ipad/idc-p/4182412#M3302) since I have the same problem, but will put it there too, but it seems that alphabetical and numerical inputs are not sent at all while using this program. (Also, when moving things around in the viewport with middle mouse button, the stream freezes while moving and I can't see how it updates live, which is bothering (EDIT: Other problem that will be addressed in another post).)

Seems to be 3D apps in general? 3D Coat doesn't register shortcuts either (tried Enter, and alphabetical).

Windows 11 on laptop
iPad is 3rd gen 12", iPadOS 17.5.1

thi-b96 | Jul 28, 2024 | Copper Contributor | 376 Views | 1 like | 0 Comments