With Windows Virtual Desktop your managed VMs do not need to have port 3389 opened. If you must open port 3389 for troubleshooting purposes, we recommend you use just-in-time VM access.

We have updated following articles in our documentation to highlight that:

• https://docs.microsoft.com/en-us/azure/virtual-desktop/create-host-pools-azure-marketplace
• https://docs.microsoft.com/en-us/azure/virtual-desktop/create-host-pools-arm-template
• https://docs.microsoft.com/en-us/azure/virtual-desktop/create-host-pools-powershell
• https://docs.microsoft.com/en-us/azure/virtual-desktop/create-host-pools-user-profile