Improper AVD Host Decommissioning – A Practical Governance Framework
Hi everyone, After working with multiple production Azure Virtual Desktop environments, I noticed a recurring issue that rarely gets documented properly: Improper host decommissioning. Scaling out AVD is easy. Scaling down safely is where environments silently drift. Common issues I’ve seen in the field: Session hosts deleted before drain completion Orphaned Entra ID device objects Intune-managed device records left behind Stale registration tokens FSLogix containers remaining locked Defender onboarding objects not cleaned Host pool inconsistencies over time The problem is not technical complexity. It’s lifecycle governance. So I built a structured approach to host decommissioning focused on: Drain validation Active session verification Controlled removal from host pool VM deletion sequencing Identity cleanup validation Registration token rotation Logging and execution safety I’ve published a practical framework here: The framework is fully documented and includes validation logic and logging. https://github.com/modernendpoint/AVD-Host-Decommission-Framework The goal is simple: Not just removing a VM — but preserving platform integrity. I’m curious: How are you handling host lifecycle management in your AVD environments? Fully automated? Manual? Integrated with scaling plans? Identity cleanup included? Would love to hear how others approach this. Menahem Suissa AVD | Intune | Identity-Driven Architecture
RemoteApp for Word/Excel with Google Drive
I want to set up RemoteApp so users can use Word and Excel remotely. At the same time, I want them to be able to access and save files directly from Google Drive within those apps. We currently only have 3 users who need this, but we plan to expand in the future. What’s the best way to do this? Do I need a specific setup, plugin, or service to make Google Drive work seamlessly with Word/Excel in a RemoteApp environment?Need Help: Shortpath Drops & RDstack error in AVD
I’m seeing persistent AVD connection issues and would appreciate guidance. Frequent ShortpathTransportNetworkDrop (68) and ShortpathNetworkDrop (16644) errors GetInputDeviceHandlesError (4463) US based users and hostpool/sessionhost Users experience instability and degraded performance
Mouse Click Offset Issue in Azure Virtual Desktop App on Windows 11 with Dual Monitors
We are experiencing a recurring mouse misalignment issue when using the Azure Virtual Desktop (AVD) Windows App on several Windows 11 clients. The problem occurs on devices with two external monitors and affects multiple users. Environment Windows version: 10.0.26200.6899 (Windows 11, 25H2) AVD Windows App: mainly version 2.0.757.0, some clients are on slightly different versions Hardware: Windows 11 PCs with two external monitors Display settings: both monitors at 1920x1080, 100% scaling Mac users (using the AVD app) report no issues Issue description The visual mouse pointer and the actual click position become misaligned inside the AVD RemoteApp session. For example, clicking on one item may select the item below it. This appears to be a rendering or coordinate-mapping issue within AVD when running inside the Windows App. Temporary workaround Minimizing the AVD window and then maximizing it immediately resolves the issue. This refresh/redraw action realigns the pointer and click coordinates. Questions Has anyone else seen mouse click offset issues in the AVD Windows App on Windows 11 25H2 with dual-monitor configurations? Are there known fixes, configuration adjustments, or recommended workarounds beyond the minimize/maximize redraw?
AVD RemoteApp disconnects after sleep — any way to mimic Citrix Session Reliability?
In Azure Virtual Desktop (AVD), whenever my laptop goes into sleep/hibernate and I wake it up, my RemoteApp disconnects and throws an error. With Citrix, the session stays “alive” because of Session Reliability, but AVD doesn’t seem to handle this the same way. I’ve already set session timeouts and keep-alive settings via RDP properties/GPO, but the problem isn’t policy-related — it’s triggered by the local device going to sleep and dropping the network. I have full permissions to configure and manage host pools, session hosts, and RDP properties. Is there any way to mimic Citrix’s behavior (Session Reliability / seamless resume) so users don’t get disconnected after sleep? Or is this simply a limitation of the AVD client?TURN relay regional expansion for Azure Virtual Desktop
TURN (Traversal Using Relays around NAT) enables devices behind firewalls to establish reliable UDP connections. With RDP Shortpath for public networks, TURN acts as a fallback when a direct UDP-based connection isn’t possible—ensuring low-latency, high-reliability remote desktop sessions. Starting June 15, 2025, we are launching a dedicated TURN relay IP range across the Microsoft Azure public cloud. This new range—51.5.0.0/16—enhances RDP Shortpath connectivity and delivers faster, more reliable performance for Azure Virtual Desktop and Windows 365 users in 40 regions worldwide. For the full list of supported regions and guidance on how to plan for this change, read the full announcement: Expanded TURN relay regions for Windows 365 and Azure Virtual DesktopUpdate to Microsoft Desktop Virtualization API v. 2023-09-05 by August 2, 2024 to avoid any impact
[Recommended actions updated on July 29, 2024] WARNING! Be mindful when using secrets in deployment templates and follow Azure best practices when managing secrets. Our examples in this discussion post are to be used for educational purposes only. Older Microsoft Desktop Virtualization API version(s) utilized for your Azure Virtual Desktop host pool resource will no longer support ‘get’ actions for registration token retrieval as of August 2nd, 2024. The affected API versions are as follows: 2019-01-23-preview 2019-09-24-preview 2019-12-10-preview 2020-09-21-preview 2020-11-02-preview 2020-11-10-preview 2021-01-14-preview On August 2nd, 2024, these affected API versions will no longer support the retrieval of the registration token. Users on older versions will not be able to use the 'get' action to retrieve the token. However, with the newer versions, there are two ways for customers to retrieve registration tokens moving forward: [Recommended] Using list* resource functions: Microsoft.DesktopVirtualization/hostpools resources now expose a listRegistrationTokens() function. This works if you already have valid registration tokens on your host pool and you want to retrieve them from an existing host pool. Using a 'post' action to securely retrieve the token AZ CLI: az desktopvirtualization hostpool retrieve-registration-token - az desktopvirtualization hostpool | Microsoft Learn REST: Host Pools - Retrieve Registration Token - REST API (Azure Desktop Virtualization) | Microsoft Learn AZ PowerShell: Get-AzWvdHostPoolRegistrationToken (Az.DesktopVirtualization) | Microsoft Learn Action Required Review any workflows you may have that rely on readers retrieving access tokens and update them to extract the registration tokens for a host pool in a new way. Ensure you are using up to date versions of the Microsoft Desktop Virtualization API. To take action, here are examples of how to extract the registration tokens for a host pool and update to the 2023-09-05 API version using Bicep and ARM templates. WARNING! Be mindful when using secrets in deployment templates and follow Azure best practices when managing secrets. Our examples in this discussion post are to be used for educational purposes only. [Recommended] Take action using list* resource functions This solution works if you already have valid registration tokens on your host pool and you want to retrieve them from an existing host pool. If you are using Bicep templates in your deployment: @sys.description('AVD Host Pool resource ID. (Default: )') param hostPoolResourceId string var varHostpoolSubId = split(hostPoolResourceId, '/')[2] var varHostpoolRgName = split(hostPoolResourceId, '/')[4] var varHostPoolName = split(hostPoolResourceId, '/')[8] // GET hostpool resource hostPoolGet 'Microsoft.DesktopVirtualization/hostPools@2023-09-05' existing = { name: varHostPoolName scope: resourceGroup('${varHostpoolSubId}', '${varHostpoolRgName}') } @sys.description('The registration token of the host pool. This is not secure! Only for educational/testing purposes. Please follow security practices @ https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/scenarios-secrets ') output registrationToken array = hostPoolGet.listRegistrationTokens() If you are using ARM templates in your deployment: { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.28.1.47646", "templateHash": "2750874554099795062" } }, "parameters": { "hostPoolResourceId": { "type": "string", "metadata": { "description": "AVD Host Pool resource ID. (Default: )" } } }, "variables": { "varHostpoolSubId": "[split(parameters('hostPoolResourceId'), '/')[2]]", "varHostpoolRgName": "[split(parameters('hostPoolResourceId'), '/')[4]]", "varHostPoolName": "[split(parameters('hostPoolResourceId'), '/')[8]]" }, "resources": [], "outputs": { "registrationToken": { "type": "array", "metadata": { "description": "The registration token of the host pool. This is not secure! Only for educational/ testing purposes. Please follow security practices @ https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/scenarios-secrets " }, "value": "[listRegistrationTokens(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', format('{0}', variables('varHostpoolSubId')), format('{0}', variables('varHostpoolRgName'))), 'Microsoft.DesktopVirtualization/hostPools', variables('varHostPoolName')), '2023-09-05')]" } } } Other ways to take action One alternative is to always (re)create your host pool, which in turn will re-generate registration tokens that can then be retrieved using the PUT operation. If you are using Bicep templates in your deployment... Use the retrieveToken.bicep module to retrieve the registration token from a host pool by using a PUT operation: @sys.description('Optional. Host Pool token validity length. Usage: \'PT8H\' - valid for 8 hours; \'P5D\' - valid for 5 days; \'P1Y\' - valid for 1 year. When not provided, the token will be valid for 8 hours.') param tokenValidityLength string = 'PT8H' @sys.description('Generated. Do not provide a value! This date value is used to generate a registration token.') param baseTime string = utcNow('u') param vLocation string param vHostPoolName string param vHostPoolType string param vPreferredAppGroupType string param vMaxSessionLimit int param vLoadBalancerType string resource hostPool 'Microsoft.DesktopVirtualization/hostPools@2023-09-05' = { name: vHostPoolName location: vLocation properties: { hostPoolType: vHostPoolType preferredAppGroupType: vPreferredAppGroupType maxSessionLimit: vMaxSessionLimit loadBalancerType: vLoadBalancerType registrationInfo: { expirationTime: dateTimeAdd(baseTime, tokenValidityLength) registrationTokenOperation: 'Update' } } } @sys.description('The registration token of the host pool.') output registrationToken string = reference(hostPool.id).registrationInfo.token Here's an example of using the retrieveToken.bicep module to extract the registration token: @sys.description('AVD Host Pool resource ID. (Default: )') param hostPoolResourceId string var varHostpoolSubId = split(hostPoolResourceId, '/')[2] var varHostpoolRgName = split(hostPoolResourceId, '/')[4] var varHostPoolName = split(hostPoolResourceId, '/')[8] // Call on the hostpool resource hostPoolGet 'Microsoft.DesktopVirtualization/hostPools@2023-09-05' existing = { name: varHostPoolName scope: resourceGroup('${varHostpoolSubId}', '${varHostpoolRgName}') } module hostPool 'retrieveToken.bicep' = { name: varHostPoolName scope: resourceGroup('${varHostpoolSubId}', '${varHostpoolRgName}') params: { vHostPoolName: varHostPoolName vMaxSessionLimit: hostPoolGet.properties.maxSessionLimit vPreferredAppGroupType: hostPoolGet.properties.preferredAppGroupType vHostPoolType: hostPoolGet.properties.hostPoolType vLoadBalancerType: hostPoolGet.properties.loadBalancerType vLocation: hostPoolGet.location } } @sys.description('The registration token of the host pool.') output registrationToken string = hostPool.outputs.registrationToken If you are using ARM templates in your deployment: { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.28.1.47646", "templateHash": "15215789985349638425" } }, "parameters": { "hostPoolName": { "type": "string" }, "location": { "type": "string" }, "baseTime": { "type": "string", "defaultValue": "[utcNow('u')]" } }, "variables": { "expirationTime": "[dateTimeAdd(parameters('baseTime'), 'PT1H1M')]" }, "resources": [ { "type": "Microsoft.DesktopVirtualization/hostPools", "apiVersion": "2023-09-05", "name": "[parameters('hostPoolName')]", "location": "[parameters('location')]", "properties": { "maxSessionLimit": 2, "hostPoolType": "Personal", "loadBalancerType": "Persistent", "preferredAppGroupType": "Desktop", "registrationInfo": { "expirationTime": "[variables('expirationTime')]", "registrationTokenOperation": "Update" } } } ], "outputs": { "token": { "type": "string", "value": "[reference(resourceId('Microsoft.DesktopVirtualization/hostPools', parameters('hostPoolName'))).registrationInfo.token]" } } } WARNING! Be mindful when using secrets in deployment templates and follow Azure best practices when managing secrets. Our examples in this discussion post are to be used for educational purposes only. Additional Support If you have any questions, comments, or concerns about this, please feel free to post a comment.Conditional Access per HostPool or RDP properties conditional on clients
Good day all, I am struggling with the RDP properties of our different host pools. Corporate policy states that nothing should be able to be redirected from the local device. Which is fine and for the Full Desktop publishing we have configured this so on the host pool in RDP properties. However, now we have a separate host pool for a remote app. This remote I would only like to be able to connect to from the desktop host pool (nested) and not from the local device. As this is a Remote App the users need to interact with this application with the clipboard. So I want to know if there is a method, and if not, request a feature to make this possible. With kind regards,
