Optimizing RDP Connectivity for Windows 365
Updated with RDP & Zscaler connectivity improvements, February 2025

The use of VPN or Secure Web Gateway (SWG) client software or agents to provide tunneled access to on-premises resources, in addition to providing protected internet access via a cloud-based SWG or a legacy VPN and on-premises proxy path, is very commonly seen in Windows 365 and AVD deployments. This is especially the case when deployed in the recommended Windows 365 with Microsoft Hosted Network (MHN) model, where the Cloud PC sits on a network with direct, open, high-speed internet access. The more modern, cloud-based SWG solutions fit well with a Zero Trust approach and generally perform at a higher level than traditional VPN software, where internet browsing is hairpinned through on-premises proxies and back out to the internet. As many Windows 365 customers use such solutions as part of their deployment, this post outlines the specific configuration guidelines Microsoft recommends applying to optimize key traffic and provide the highest levels of user experience.

What is the Problem?

Many of these VPN/SWG solutions build a tunnel in the user context: when a user logs in to their device, the service starts and creates the tunnels required to provide both internet and private access as defined for that user. With a physical device the tunnel is normally up and running before or shortly after the user sees their desktop on screen, so they can quickly get on with their work without noticing its presence. However, any virtualized device that needs a remote connection to be accessed poses several challenges for this model:

1. Additional Latency

Remote desktop traffic is latency sensitive: delay in the traffic reaching its destination easily translates into a poor user experience, with lag on actions and desktop display.
Routing this traffic through a tunnel to an intermediary device adds latency and can restrict throughput, regardless of how well that device is configured or performs. Modern SWG solutions tend to perform at a much higher level than a traditional VPN/proxy approach, but the best experience is always achieved through a direct connection that avoids inspection and intermediary devices. Much like Teams media traffic, RDP traffic in the Windows 365 case should be routed via the most optimal path between the two endpoints, which is almost always the direct path via the nearest network egress. On the Cloud PC side this also means the traffic never leaves Microsoft's managed network if it egresses directly.

2. RDP Connection Drops

A further challenge comes from the use of user-based tunnels. When the user initiates a connection to the Cloud PC, the connection reaches the session host without issue and the user sees the initial logon screen. Once the user login starts and the client software builds the tunnels to the SWG/VPN for that user, the login screen freezes. The connection then drops and the client has to go through the reconnection process to re-establish the session to the Cloud PC. Once this completes, the user can work on the Cloud PC without further issue. Users may also experience disconnects of the remote session whenever there is an issue with the tunnel, for example if it drops momentarily. Overall this does not provide a great Cloud PC experience, especially on initial login.

Why does this occur?

The tunnels built to route internet traffic to the SWG generally capture all internet-bound traffic unless configured not to do so; this is a forced tunnel, also called an 'inverse split tunnel'.
This means the initial login works without issue, but as soon as the tunnel is established at user logon, the RDP traffic is moved into it, and because that is a new path, the session has to reconnect. Equally, because the traffic is inside the tunnel, if the tunnel drops momentarily and reconnects, the RDP session also has to reconnect inside the re-established tunnel. The diagram below is a simplified representation of this indirect connectivity approach with a forced tunnel in place: RDP traffic has to traverse the VPN/SWG resources before reaching the gateway that handles it. While this is not a problem for less sensitive traffic and general web browsing, for latency-critical traffic such as Teams and RDP it is sub-optimal.

What's the Solution?

Microsoft strongly recommends implementing a forced tunnel exception for the critical RDP traffic, so that it does not enter the tunnel to the SWG or VPN gateway and is instead routed directly to its destination. This solves both problems above by providing a direct path for the RDP traffic and ensuring it is not affected by changes in tunnel state. This is the same model used for 'Optimize'-marked Office 365 traffic such as Teams media. On the Cloud PC side it also means this traffic never leaves Microsoft's managed network.

What exactly do I need to bypass from these tunnels?

Previously, solving this problem involved significant complexity due to the large number of IP addresses required to configure optimization for this RDP traffic; we provided a script as part of this blog to assist with collecting and formatting these IPs. Microsoft has since invested in an extensive piece of work to solve this challenge by building a new, upgraded global gateway infrastructure that can be addressed from a single subnet.
In addition to that simplification, the subnet is planned not to see regular change, abstracting customers from change as the infrastructure scales and new regions are added. As of February 2025 this work is complete and the old infrastructure decommissioned, all with zero downtime for customers. RDP-based traffic is now covered by two subnets rather than the many hundreds of addresses previously required. Further improvement work is due in the coming months for UDP-based RDP, delivering new dedicated, globally scaled TURN infrastructure. This post will be updated when that is complete and RDP connectivity is in its final, simplified and secured state. The temporary elements are:

1. The WindowsVirtualDesktop service tag is up to date as of 19th March 2025, with all decommissioned IPs removed.
2. UDP-based RDP via TURN currently uses the subnet 20.202.0.0/16 but will switch to 51.5.0.0/16 in H1 CY25. The new, dedicated subnet is already in the WindowsVirtualDesktop service tag, but the current one (20.202.0.0/16) is not, so it must be added manually to any existing bypass configuration if desired. More on this can be found in this post.

This work will also vastly expand global TURN relay availability, which today is only available when the physical device is in the vicinity of the Azure regions that currently host the relays.
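The point above, that 51.5.0.0/16 is in the WindowsVirtualDesktop service tag while 20.202.0.0/16 is not, is easy to verify and to keep verifying as the tag changes. The following is an added example, not Microsoft's code or anything shipped with Windows 365: it parses a document in the shape of the Azure "IP Ranges and Service Tags - Public Cloud" JSON download, reports which of the RDP subnets in this post a tag-driven bypass would still miss, and diffs two snapshots to flag change. The two snapshots embedded below are constructed stand-ins with a handful of prefixes (the 13.66.143.48/28 legacy prefix is invented); point it at the real download to get real answers.

```python
"""Added example (not Microsoft's code): check which RDP subnets the
WindowsVirtualDesktop service tag covers and diff two tag snapshots."""
import ipaddress
import json

TAG = "WindowsVirtualDesktop"


def _snapshot(change_number: int, prefixes: list) -> str:
    """Build a document in the shape of the Azure service-tag JSON (constructed)."""
    return json.dumps({
        "changeNumber": change_number, "cloud": "Public",
        "values": [{"name": TAG, "id": TAG, "properties": {
            "changeNumber": change_number, "region": "", "systemService": TAG,
            "addressPrefixes": prefixes}}],
    })


# Constructed "before consolidation" snapshot: an invented legacy-style prefix,
# no TURN subnet yet.
BEFORE = _snapshot(41, ["40.64.144.0/20", "13.66.143.48/28", "2603:1000::/40"])
# Constructed "after" snapshot: legacy prefix gone, future TURN subnet present,
# current TURN subnet (20.202.0.0/16) absent, matching what the post describes.
AFTER = _snapshot(42, ["40.64.144.0/20", "51.5.0.0/16", "2603:1000::/40"])

# Rows 2-4 of the RDP endpoint table in this post.
RDP_SUBNETS = ["40.64.144.0/20", "20.202.0.0/16", "51.5.0.0/16"]


def tag_networks(doc: str, tag: str = TAG) -> list:
    """Prefixes of one service tag, merged so adjacent ranges count as one."""
    for entry in json.loads(doc)["values"]:
        if entry["name"] == tag:
            nets = [ipaddress.ip_network(p, strict=False)
                    for p in entry["properties"]["addressPrefixes"]]
            v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
            v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
            return list(v4) + list(v6)
    raise KeyError(f"service tag {tag!r} not found in document")


def covered(doc: str, cidr: str, tag: str = TAG) -> bool:
    """True if the whole CIDR sits inside one (merged) prefix of the tag."""
    want = ipaddress.ip_network(cidr, strict=False)
    return any(n.version == want.version and want.subnet_of(n)
               for n in tag_networks(doc, tag))


def manual_bypasses_needed(doc: str, cidrs, tag: str = TAG) -> list:
    """Subnets a tag-driven bypass would miss and that must be added by hand."""
    return [c for c in cidrs if not covered(doc, c, tag)]


def diff_tag(before: str, after: str, tag: str = TAG):
    """(added, removed) prefixes between two downloads, for change monitoring."""
    old = {str(n) for n in tag_networks(before, tag)}
    new = {str(n) for n in tag_networks(after, tag)}
    return sorted(new - old), sorted(old - new)


if __name__ == "__main__":
    print("add to bypass manually:", manual_bypasses_needed(AFTER, RDP_SUBNETS))
    added, removed = diff_tag(BEFORE, AFTER)
    print("tag change  +", added, " -", removed)
```

Run against two consecutive weekly downloads of the real file, the diff is the "monitor the service tag for changes" step from the FAQ; a non-empty result is the cue to revisit IP-only bypass rules, while FQDN-based bypasses (row 1) are unaffected.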
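Once a bypass is configured, the question that matters is whether the critical traffic actually leaves the Cloud PC (or the physical client running the same agent) directly, or still lands in the tunnel. The following is an added example, not Microsoft's or Zscaler's code, that assumes Python is available on the machine being checked. It probes the seven endpoint rows from this post's tables, asks the OS which source address it would use for each destination (a UDP connect() does this without sending a packet, so it works for address ranges with nothing listening), and classifies the result against the tunnel adapter's address range, which is deployment-specific input. The host rdweb.wvd.microsoft.com stands in for the *.wvd.microsoft.com wildcard and the 100.64.0.0/10 tunnel range is an assumption; substitute your own.

```python
"""Added example (not Microsoft's or Zscaler's code): does each critical endpoint
egress directly or via the VPN/SWG tunnel adapter on this machine?"""
import ipaddress
import socket
import urllib.request

# Rows 1-7 of the tables in this post. The host under *.wvd.microsoft.com is an
# assumed representative name; a wildcard cannot itself be probed.
CHECKS = [
    # label,               target,                    port, proto
    ("Row 1 RDP TCP FQDN",  "rdweb.wvd.microsoft.com", 443,  "tcp"),
    ("Row 2 RDP TCP range", "40.64.144.0/20",          443,  "tcp"),
    ("Row 3 TURN current",  "20.202.0.0/16",           3478, "udp"),
    ("Row 4 TURN future",   "51.5.0.0/16",             3478, "udp"),
    ("Row 5 Azure KMS",     "azkms.core.windows.net",  1688, "tcp"),
    ("Row 6 IMDS",          "169.254.169.254",         80,   "tcp"),
    ("Row 7 wire server",   "168.63.129.16",           80,   "tcp"),
]


def representative_ip(target: str) -> str:
    """A CIDR row is probed via its first usable host; names and IPs pass through."""
    if "/" in target:
        return str(next(ipaddress.ip_network(target, strict=False).hosts()))
    return target


def classify_egress(local_ip: str, tunnel_prefixes) -> str:
    """'tunnel' if the source address the OS chose belongs to the tunnel adapter's
    address space (deployment-specific input), otherwise 'direct'."""
    addr = ipaddress.ip_address(local_ip)
    for prefix in tunnel_prefixes:
        net = ipaddress.ip_network(prefix, strict=False)
        if addr.version == net.version and addr in net:
            return "tunnel"
    return "direct"


def source_address(ip: str, port: int, route_only: bool) -> str:
    """Local IP the routing table selects for this destination. route_only uses a
    UDP connect(), which sends nothing; otherwise a real TCP connect also proves
    the endpoint is reachable on that port."""
    kind = socket.SOCK_DGRAM if route_only else socket.SOCK_STREAM
    with socket.socket(socket.AF_INET, kind) as s:
        s.settimeout(5)
        s.connect((ip, port))
        return s.getsockname()[0]


def imds_answers() -> bool:
    """Row 6 must also answer a metadata query. Proxy settings are deliberately
    ignored: IMDS is only reachable directly from the VM, never via a proxy."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    req = urllib.request.Request(
        "http://169.254.169.254/metadata/instance/compute/location"
        "?api-version=2021-02-01&format=text",
        headers={"Metadata": "true"},
    )
    try:
        with opener.open(req, timeout=3) as resp:
            return resp.status == 200
    except OSError:
        return False


def run_checks(tunnel_prefixes) -> dict:
    """Verdict per row: 'direct via <ip>', 'tunnel via <ip>' or 'unreachable'."""
    results = {}
    for label, target, port, proto in CHECKS:
        route_only = "/" in target or proto == "udp"
        try:
            src = source_address(representative_ip(target), port, route_only)
            results[label] = f"{classify_egress(src, tunnel_prefixes)} via {src}"
        except OSError as exc:
            results[label] = f"unreachable ({exc})"
    results["Row 6 IMDS query"] = "ok" if imds_answers() else "failed"
    return results


if __name__ == "__main__":
    # Assumption: the tunnel adapter lives in CGNAT space. Replace with the range
    # your VPN/SWG client actually assigns to its virtual adapter.
    for label, verdict in run_checks(["100.64.0.0/10"]).items():
        print(f"{label:20} {verdict}")
```

Two caveats. A "tunnel" verdict on rows 1-4 reproduces the freeze-and-reconnect described above; on rows 5-7 it means KMS activation or fabric communication will fail, because those destinations are only reachable from an Azure source address. And the source-address test only sees bypasses implemented as routes: a client that intercepts traffic with a filter driver instead (Zscaler Client Connector's packet-filter-based tunnel mode works this way) will show "direct" for everything, so in that mode confirm the bypass from the client's own logs or from the public egress IP that a test endpoint observes.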
RDP-based connectivity bypass

As of February 2025, the critical traffic which carries RDP is contained within the following simplified endpoints:

RDP Endpoints for Optimization

| Row | Endpoint | Protocol | Port | Purpose |
|-----|----------|----------|------|---------|
| 1 | *.wvd.microsoft.com | TCP | 443 | Core TCP-based RDP and other critical service traffic |
| 2 | 40.64.144.0/20 | TCP | 443 | Core TCP-based RDP |
| 3 | 20.202.0.0/16 | UDP | 3478 | Core UDP-based RDP via TURN (current) |
| 4 | 51.5.0.0/16 | UDP | 3478 | Core UDP-based RDP via TURN (future, currently not in use) |

Please see this article for more information on rows 3 & 4.

Some network equipment/software can configure bypass using FQDNs and wildcard FQDNs alone, and we recommend that this method (row 1) is used in addition to the IP-based rules where possible. However, some solutions do not allow wildcard FQDNs, so it is common to see only IP addresses used for this bypass configuration. In that case use the newly simplified rows 2 & 3 in the table above, making sure row 1 is still accessible via the SWG/proxy. We also recommend adding row 4 to manually configured optimizations so that it is optimized when it comes into use in the coming months. There are also a small number of other endpoints which should be bypassed on the Cloud PC side.

Other required VPN/SWG bypass requirements

Other endpoints for Optimization

| Row | Endpoint | Protocol | Port | Purpose |
|-----|----------|----------|------|---------|
| 5 | azkms.core.windows.net | TCP | 1688 | Azure KMS; traffic needs to arrive from Azure public IPs |
| 6 | 169.254.169.254 | TCP | 80 | Azure Fabric communication |
| 7 | 168.63.129.16 | TCP | 80 | Azure Fabric communication |

These additional bypass requirements (rows 5-7) are not RDP related but are required for the following reasons:

Row 5 – This is Azure KMS activation, a required endpoint for Cloud PCs and AVD session hosts. The traffic needs to arrive from an Azure public IP, otherwise the connection will not succeed, so it should not be sent via a third-party internet egress such as an SWG or proxy.
IP addresses corresponding to the FQDN can be found via the link above if required.

Rows 6 & 7 – These are the Azure Instance Metadata Service (169.254.169.254) and the Azure platform wire server (168.63.129.16), critical addresses used to communicate with the Azure Fabric to operate the VM. We need to ensure these are not inadvertently sent into any VPN/SWG tunnel, where they would not be able to reach their destination in Azure.

How do I implement the RDP bypass in common VPN/SWG solutions?

Microsoft is working with several partners in this space to provide bespoke guidance, and detailed guidance for other solutions will be added here as it is confirmed. Already available is Zscaler ZIA.

Zscaler Client Connector

The changes outlined above should make configuration in all scenarios vastly simpler moving forward. Thanks to work by Zscaler to assist our mutual customers, as of February 2025 and version 4.3.2 of the Zscaler Client Connector, the majority of the Windows 365 and AVD traffic which requires optimization, including RDP, can be bypassed with a single-click configuration using a predefined IP-based bypass.

Zscaler ZIA Configuration

Version 4.3.2 (released Feb 2025) of the Zscaler Client Connector enables this feature.

1. Ensure a recent version of the Client Connector is installed on the Cloud PC (and on the physical device, if Zscaler is used there) to take advantage of it.
2. In the Zscaler Client Connector Portal, select the new IP-based, predefined application bypass for Windows 365 & Azure Virtual Desktop. This contains a preconfigured bypass for RDP and KMS traffic.
3. Add the following endpoints to the bypass configuration manually, as they are not included in the automatic bypass. As noted above, 20.202.0.0/16 will become unnecessary in a few months and will be removed from this document when decommissioned. Its replacement (51.5.0.0/16) is already included in the preconfigured bypass.
| Endpoint | Protocol | Port | Purpose |
|----------|----------|------|---------|
| 20.202.0.0/16 | UDP | 3478 | Core UDP-based RDP via TURN (current) |
| 169.254.169.254 | TCP | 80 | Azure Fabric communication |
| 168.63.129.16 | TCP | 80 | Azure Fabric communication |

Other VPN/SWG solutions

Microsoft is currently working with other partners in this space to provide detailed guidance for other VPN/SWG solutions and will list them here as they are complete. Please let us know in the comments if you'd like us to list a particular solution and we'll aim to prioritize based on feedback. In the interim, use rows 1-7 in the tables above to create manual bypasses from VPN/SWG/proxy tunnels. This should be significantly simpler and see much lower change rates than previously, due to the IP consolidation.

FAQs

Q: In a Microsoft Hosted Network deployment, is there anything else I need to do?
A: Unless the local Windows firewall is configured to block access to the endpoints noted, nothing else should be required: the network the virtual NIC sits in has direct, high-speed connectivity to Microsoft's backbone and the internet.

Q: In an Azure Network Connection scenario, is there anything further I need to do?
A: In this scenario, the recommended path for the traffic is directly out of the VNet into Microsoft's backbone. Depending on the configuration it may require allowing the endpoints noted in this article through a firewall or NSG. The WindowsVirtualDesktop service tag or FQDN tag may help with automating rules in firewalls or configuring User Defined Routing. RDP traffic specifically should be sent directly into Microsoft's backbone via a NAT Gateway or similar, with no TLS inspection, avoiding load on NVAs such as firewalls.

Q: Do I need to configure the bypass on just the Cloud PC?
A: RDP connectivity (rows 1-4) is used identically on both the physical and cloud sides. It is strongly advised that the bypass is applied to both the Cloud PC and the connecting client, if that also uses the SWG/VPN to connect.
If both use the same configuration profile, this should happen automatically. Rows 5-7 are only required on the cloud side.

Q: How often do the IP addresses change?
A: Now that the improvement work is complete we don't anticipate regular change. You can monitor the WindowsVirtualDesktop service tag for changes if desired, and we're working on getting these requirements into the M365 Web Service longer term for monitoring and automation.

Q: Can I add more than the RDP traffic to the bypass?
A: Microsoft only provides IP addresses for the RDP connectivity at present. However, if your solution is capable of configuration by FQDN alone, you can add other service endpoints to your optimized path; these can be found on this Microsoft docs page.

Q: I'm using a true split tunnel, does this impact me?
A: The above advice is for a forced tunnel scenario (inverse split tunnel), where the default path is via the tunnel and only defined exceptions are sent direct. This is often referred to as a split tunnel in common parlance and is the most commonly seen deployment model for such solutions. A split tunnel in the technically accurate sense, where the default path is the internet and only defined endpoints (such as corporate server ranges/names) are sent down the tunnel, should not need such configuration, as the RDP traffic follows the default path to the internet.

Q: Does this also optimize RDP Shortpath?
A: RDP Shortpath for Public Networks provides a UDP-based RDP connection between the client and Cloud PC if enabled and achievable. This connection is in addition to the TCP-based connection described above, and the dynamic virtual channels such as graphics and input are switched into the UDP connection if deemed optimal. Rows 3 & 4 above cover this traffic for connectivity via TURN relays. Please see this article for more information on this connectivity model.

Q: Is this advice also shared in Microsoft's official documentation?
A: We're currently working on uplifting the entire connectivity documentation for Windows 365, and the above will form part of this work in the coming months. We'll share the official link in this blog when available.

Q: Does this advice apply equally to AVD?
A: Yes, both Windows 365 and AVD have exactly the same requirements in terms of the connectivity discussed in this blog.

Windows 365 now supported in Mexico and Spain
Today I am pleased to announce that we have enabled Windows 365 in Spain and Mexico. You can now deploy your Cloud PCs into Spain, in the Spain Central region, and into Mexico, in the Mexico Central region. Within a provisioning policy, if you select the European Union geography you can then select Spain Central; this increases the number of regions available in the European Union region grouping to six. The Mexico Central region is available from within the new Mexico geography. Whilst you can select each region specifically, we always recommend you select the "Automatic" option to take advantage of more of the benefits the SaaS nature of Windows 365 provides now and in the future.

[Images: Spain Central; Mexico Central]

In the future we will be making some exciting improvements to the provisioning of Cloud PCs by simplifying the region and network selection within your provisioning policies. This expansion increases the number of Azure geographies that Windows 365 supports, giving you more choices for locating your Cloud PCs. This means you can place them closer to your user estate, reducing latency for users in these locations. We are committed to providing more choice and flexibility for your Cloud PCs by enabling new Azure regions over the coming years. This ongoing expansion demonstrates our dedication to evolving the service into a truly global service by growing into existing and new Azure geographies, ensuring you can provide the best service to your organization. Stay tuned for more updates as we continue to enhance Windows 365 and bring it to more locations worldwide.

[On demand] Delivering like-local Windows experiences from the cloud
Learn how Windows cloud features like RDP Multipath and TURN improve connectivity and reduce connection times, while HEVC hardware acceleration and enhanced device redirection boost performance. Watch Delivering like-local Windows experiences from the cloud – now on demand – and join the conversation at https://aka.ms/LikeLocalInTheCloud.

To help you learn more, here are the links referenced in the session:

- Hardware-accelerated HEVC (H.265) graphics encoding is currently in public preview. See Enable GPU acceleration for Azure Virtual Desktop | Microsoft Learn for more details.

For more free technical skilling on the latest in Windows, Windows in the cloud, and Microsoft Intune, view the full Microsoft Technical Takeoff session list.

Heather_Poulsen, Mar 05, 2025, Community Manager

[On demand] Enhancing resiliency with Windows 365
Dive deep into key Windows 365 features like point-in-time restore and the newly launched Cross-region Disaster Recovery. Watch Enhancing resiliency with Windows 365 – now on demand – and join the conversation at https://aka.ms/Windows365Resiliency.

For more free technical skilling on the latest in Windows, Windows in the cloud, and Microsoft Intune, view the full Microsoft Technical Takeoff session list.

Heather_Poulsen, Mar 05, 2025, Community Manager

[On demand] Skill up! Cloud PC management and reporting
Get to know the tools you can use today to track Windows 365 utilization, identify underutilized Cloud PCs, and monitor connected Cloud PCs. Watch Skill up! Cloud PC management and reporting – now on demand – and join the conversation at https://aka.ms/CloudPCReporting.

For more free technical skilling on the latest in Windows, Windows in the cloud, and Microsoft Intune, view the full Microsoft Technical Takeoff session list.

Heather_Poulsen, Mar 04, 2025, Community Manager

[On demand] Unlocking productivity on the frontline with Windows 365
Dive deep and uncover practical guidance on how to deploy and manage Windows 365 Frontline effectively. Watch Unlocking productivity on the frontline with Windows 365 – now on demand – and join the conversation at https://aka.ms/FrontlineProductivity.

To help you learn more, watch our bonus video with frequently asked questions on Windows 365 Frontline. And here are the links referenced in the session:

- Read our latest blog: aka.ms/W365FrontlineSharedBlog
- Watch the Windows 365 Frontline video: aka.ms/W365FrontlineVideo
- Watch the new Microsoft Mechanics video: aka.ms/W365FrontlineMechanics
- Learn more on the Windows 365 Frontline website

For more free technical skilling on the latest in Windows, Windows in the cloud, and Microsoft Intune, view the full Microsoft Technical Takeoff session list.

Heather_Poulsen, Mar 03, 2025, Community Manager

[On demand] Understanding security and management on Windows 365 Link
Learn how secure-by-design features in Windows 365 Link help reduce the attack surface, and explore management of Windows 365 Link devices with Microsoft Intune. Watch Understanding security and management on Windows 365 Link – now on demand – and join the conversation at https://aka.ms/ManageLink.

For more free technical skilling on the latest in Windows, Windows in the cloud, and Microsoft Intune, view the full Microsoft Technical Takeoff session list.

Heather_Poulsen, Mar 03, 2025, Community Manager

[Tech Takeoff resource guide] The path ahead: The roadmap for Windows in the cloud
If you haven't watched it already, catch The path ahead: The roadmap for Windows in the cloud – part of 2025's Microsoft Technical Takeoff – now available to view on demand! This session explores the latest updates to Windows 365 and Azure Virtual Desktop, looks at recently released features, and offers a peek at what's next.

To help you learn more, here are the links referenced in the session:

Windows 365 Enterprise

Navigate to What's new in Windows 365 Enterprise or What's new in Windows 365 Business to learn about everything that's new in greater detail, with links to documentation.

Seamless user experience
- Windows 365 higher configuration (16 vCPU) SKUs
- Windows 365 Cloud PC gallery images use new Teams VDI
- Support for UDP TURN connectivity
- Windows App for Windows, macOS, and iOS
- Windows 365 Link (public preview)

Security and reliability
- Support for Microsoft Intune Endpoint Privilege Management (EPM)
- Ability to assign Microsoft Intune tamper protection policy
- Microsoft Purview Endpoint Data Loss Prevention (DLP) support
- Region expansion: Sweden Central, South Africa North and Israel Central
- Disk encryption with Microsoft Purview Customer Key (BYOK)
- Windows 365 Customer Lockbox RBAC
- Microsoft Intune scope tag support for Windows 365 workloads
- One-way clipboard redirection control
- Microsoft Intune mobile application management (MAM) support for iOS and Android
- Security baseline updates
- Configurable session lock experience for SSO
- Microsoft Entra passkey/FIDO support in macOS and iOS
- Elevate security in Windows 365 and Azure Virtual Desktop
- Windows 365 now supports Israel Central

Easy manageability
- Resize and downsize, including group-based licensing
- Worldwide support for resizing via step-up licenses
- Concurrency report for Windows 365 Frontline (public preview)
- Utilization insight reports (public preview)
- Connection quality reports (public preview)
- Connectivity report (public preview)
- IT admin alerts on Cloud PCs that aren't available (public preview)
- Cloud PC recommendations report
- Cloud PC maintenance windows (public preview)
- Concurrency buffer to enable temporary shift overlap
- Windows 365 GPU-enabled Cloud PCs for Windows 365 Enterprise and Windows 365 Frontline
- Windows 365 Cross-region Disaster Recovery
- Windows 365 Frontline shared mode (public preview)
- Selective move of Cloud PCs

Partner integration
- Motorola ThinkPhone integration
- Support for Omnissa Horizon and Windows 365 Enterprise integration (Omnissa Horizon was previously VMware Horizon)

Azure Virtual Desktop

Navigate to What's new in Azure Virtual Desktop to learn about everything that's new in greater detail, with links to documentation.

Seamless user experience
- Access OneDrive for Business files with RemoteApp deployments (public preview)
- Directly link to Azure Virtual Desktop resources with new URI schemes
- Windows App for Windows, macOS, and iOS
- New Microsoft Teams with WebRTC VDI optimizations on Azure Virtual Desktop
- Migrate from Azure Virtual Desktop Preview app to Windows App

Security and reliability
- Azure Confidential Compute VMs
- Azure Private Link
- Apply a watermark to the session
- Single sign-on (SSO)
- In-session passwordless authentication
- Microsoft Purview Endpoint Data Loss Prevention (DLP) support
- Administrator can control one-way clipboard redirection
- Microsoft Intune mobile application management (MAM) support for iOS and Android (public preview)
- Configurable session lock experience for SSO
- Microsoft Entra passkey/FIDO support in macOS and iOS
- Session recording for forensic evidence gathering purposes

Easy manageability
- Azure Virtual Desktop Insights admins can migrate to Azure Monitor Agent
- Azure Virtual Desktop ADMX available in Microsoft Intune administrative templates and Settings Catalog
- Autoscale for personal desktops
- Hibernate support for autoscale
- Custom image templates
- Configure Shortpath settings in the Azure Virtual Desktop portal
- Connection Reliability tab in Azure Virtual Desktop Insights
- Session Host Update (public preview)

Deployment flexibility
- Autoscale and Start VM on Connect support for Azure Stack HCI (now Azure Local)
- Guided experience to create a custom image in the Azure portal
- MSIX app attach packages can now be applied to multiple host pools simultaneously, entitled per user, with Microsoft Entra joined supported
- Azure Extended Zones support
- Azure Virtual Desktop metadata database available in South Africa
- Enhanced host pool management for Azure Virtual Desktop
- App-V and partner support for app attach (public preview)
- Dynamic autoscaling (public preview)

Call to action
- Navigate to the What's new in Azure Virtual Desktop doc to learn about everything that's new in greater detail, with links to documentation
- Navigate to the What's new in Windows 365 Enterprise doc to learn about everything that's new in greater detail, with links to documentation
- Learn more about Azure Virtual Desktop: aka.ms/AVD
- Learn more about Windows 365: aka.ms/W365

Heather_Poulsen, Mar 03, 2025, Community Manager

Windows 365 and Azure Virtual Desktop sessions at the Microsoft Technical Takeoff
The next iteration of the Microsoft Technical Takeoff is coming up quickly: four days of in-depth sessions, demos, roadmap and Q&A, from Monday March 3rd to Thursday March 6th. This is a great learning event where we in the Microsoft engineering and product groups go deep on a whole host of topics, from Windows and Azure Virtual Desktop to Intune and Windows 365. For those specifically interested in Windows 365 and Azure Virtual Desktop, this is the ultimate short list of sessions. Please click on the link for the session below and then click the Attend button (times below are in PST). To access the full site with the entire agenda and session list, visit aka.ms/TechnicalTakeoff.

Windows 365 and Azure Virtual Desktop

Monday, March 3, 2025
- 8:30 AM - The path ahead: The roadmap for Windows in the cloud
- 10:30 AM - Understanding security and management on Windows 365 Link
- 11:00 AM - Unlocking productivity on the frontline with Windows 365

Tuesday, March 4, 2025
- 10:30 AM - Skill up! Cloud PC management and reporting
- 11:00 AM - Get to know Windows security and resiliency in the cloud

Wednesday, March 5, 2025
- 9:30 AM - Enhancing resiliency with Windows 365
- 10:30 AM - Delivering like-local Windows experiences from the cloud

Thursday, March 6, 2025
- 7:00 AM - Azure Virtual Desktop app management
- 7:30 AM - Azure Virtual Desktop host pool management at scale
- 11:00 AM - Windows cloud migration and deployment best practices

Ability to change password used to restrict access to Outlook pst files appears to have disappeared.
Change password to gain access to Outlook.

I wish to change the password I currently have to get into Outlook used in Office 365 when it loads on the PC, which in the past has been set/reset by opening the application on the PC and doing the following:

- Select File - Account Settings - Account Settings
- Select the profile
- Select the Data Files tab, select the appropriate .pst data file, choose Settings and select Change Password.

This is still shown as the method to change the password for access to a pst file on the Microsoft support pages. When these options are selected now, the only option that presents is the ability to compact the file. The password reset option has disappeared. Hence I cannot change the password I use to gain access to Outlook. I run Microsoft 365 Apps for business and Windows 10 Pro. I should be grateful if someone could please advise how to now achieve having a changeable password for access to the Outlook app alone, now that this facility appears to have disappeared. Thanks

Verneo17256, Feb 25, 2025, Copper Contributor