Does this apply to _all_ of the entries under "Endpoint security" for Win10 Enterprise Multi-Session AVD devices? Managing AVD Multi-Session Win10 Enterprise 21H2 devices is a huge pain with Intune. The Settings Catalog doesn't have all of the settings, and Intune already has multiple spots to do the same thing, so guess-and-check is time-consuming. Just because Intune says "Success" for a policy does not always translate into it applying on the device.
Feedback below based on testing so far for each of the categories.
Antivirus:
- Only the "Windows Security Experience" policies seem to work correctly (haven't tested the Exclusions).
- "Microsoft Defender Antivirus" policies created for "Windows 10, Windows 11, and Windows Server" (that show up as a "Target" of "mdm,microsoftSense") will say they apply successfully in Intune, but on the device the settings never change (per Get-MpPreference and in the Defender GUI).
- A Tamper Protection policy just ends up saying "Not applicable" (and we have M365 E5 licensing, and this feature works on non-AVD devices just fine - globally we have Tamper OFF but should be able to set it per device with this policy).
Disk encryption:
- Have not tried; we don't handle disk encryption via Intune for AVD, but it would be nice if it were supported. If there is a guarantee this works for AVD Multi-Session and properly sets the keys in Intune, then I'll give it a try.
Firewall:
- Looks to work correctly, although we only set basic policy of each profile (private, domain, public) needing to be On.
Endpoint detection and response:
- Works correctly to onboard to Defender for Endpoint.
Attack surface reduction:
- These don't have the option of "Windows 10, Windows 11, and Windows Server" but do show up as a Target of "mdm,microsoftSense".
- Attack Surface Reduction and Controlled Folder Access (both in Audit mode) will say "Success" in Intune, but never actually apply these settings on the device (as confirmed by the command Get-MpPreference).
- Seems like ASR rules are always a pain, even the ones set via the Settings Catalog don't apply correctly.
Account protection:
- These don't have the option of "Windows 10, Windows 11, and Windows Server" so I suspect they don't work.
- Account protection (Preview) seems to always just say "Pending" and never applies.
All testing done on fresh Azure AD + Intune joined Windows 10 Enterprise 21H2 Multi-Session fully patched devices with org-wide M365 E5 licensing, no other management tools interfering, images direct from Microsoft for AVD.
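The post's recurring point is that Intune's "Success" state has to be checked against what the session host actually reports (Get-MpPreference, the Defender GUI, the firewall profiles). The script below is an added example, not code from the original post, Microsoft or Intune: run on a session host, it compares the Defender and firewall state against the values an admin expects from the assigned Endpoint security policies. The `$Expected` table is a constructed sample; the ASR rule GUID is the documented "Block all Office applications from creating child processes" rule and the action codes follow the documented Defender mapping, but every value in the table must be replaced with the ones from your own policies. It assumes the Defender (`Get-MpPreference`, `Get-MpComputerStatus`) and NetSecurity (`Get-NetFirewallProfile`) modules are available, which they are on a standard Windows 10 Enterprise image.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post). Verifies on an AVD session host whether the
# Endpoint security settings Intune reports as "Success" actually reached the device.
# $Expected is a constructed sample: replace every value with the ones from your policies.

$Expected = @{
    # ASR rule GUID -> intended action (0 = Off, 1 = Block, 2 = Audit, 6 = Warn)
    AsrRules = @{
        'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 2   # Office apps creating child processes, Audit
    }
    # Controlled Folder Access: 0 = Disabled, 1 = Enabled, 2 = Audit
    ControlledFolderAccess = 2
    # Tamper Protection as reported by Defender
    TamperProtected        = $true
    # Firewall profiles that the policy turns On
    FirewallProfilesOn     = @('Domain', 'Private', 'Public')
}

function Test-EndpointSecurityState {
    param([Parameter(Mandatory)][hashtable]$Expected)

    $pref    = Get-MpPreference
    $status  = Get-MpComputerStatus
    $results = [System.Collections.Generic.List[object]]::new()

    # Helper: record one setting; string comparison avoids enum/uint8 type mismatches.
    $add = {
        param($Setting, $ExpectedValue, $ActualValue)
        $results.Add([pscustomobject]@{
            Setting  = $Setting
            Expected = "$ExpectedValue"
            Actual   = if ($null -eq $ActualValue) { '<not set>' } else { "$ActualValue" }
            Applied  = ("$ExpectedValue" -eq "$ActualValue")
        })
    }

    # ASR rules: Defender exposes parallel arrays of IDs and actions. Wrap in @() so a
    # single configured rule (returned as a scalar) is handled like a list.
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    $asrMap  = @{}
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i]) { $asrMap[$ids[$i].ToString().ToUpper()] = $actions[$i] }
    }
    foreach ($rule in $Expected.AsrRules.Keys) {
        & $add "ASR rule $rule" $Expected.AsrRules[$rule] $asrMap[$rule.ToUpper()]
    }

    # Controlled Folder Access and Tamper Protection come straight from the cmdlets.
    & $add 'Controlled Folder Access' $Expected.ControlledFolderAccess $pref.EnableControlledFolderAccess
    & $add 'Tamper Protection'        $Expected.TamperProtected        $status.IsTamperProtected

    # Firewall profiles: the post only requires each profile to be On.
    foreach ($profileName in $Expected.FirewallProfilesOn) {
        $fw = Get-NetFirewallProfile -Name $profileName -ErrorAction SilentlyContinue
        & $add "Firewall profile $profileName enabled" $true $fw.Enabled
    }

    return $results
}

$report = Test-EndpointSecurityState -Expected $Expected
$report | Format-Table -AutoSize

# Anything Intune marked "Success" but the device never applied shows up here.
$drift = $report | Where-Object { -not $_.Applied }
if ($drift) {
    Write-Warning ("{0} setting(s) differ from the assigned policy on {1}" -f $drift.Count, $env:COMPUTERNAME)
    exit 1
}
```

Running it as a scheduled task or through Intune's remediation scripts gives a per-host record of drift between what the portal reports and what the device enforces, which is the evidence needed when opening a support case for the cases the post describes (ASR and Controlled Folder Access in audit mode, Tamper Protection showing "Not applicable").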