AVD Adding users to Remote Desktop User Group

Hi! :)

You need to keep users in the Remote Desktop Users group for AVD to hand off the session and there’s no built-in switch to stop it. To prevent direct RDP logons while keeping AVD over 443 intact you can deploy a VM extension or DSC script that runs after the AVD agent and removes the unwanted group membership use an Azure Automation runbook to periodically strip those users from the group on all session hosts apply a GPO “Deny log on locally” for those accounts so they stay in the group for AVD but can’t RDP in on port 3389 The simplest path is a VM extension ( a small PowerShell script at boot removes the extra memberships automatically.) hope this will help :)