Improper AVD Host Decommissioning – A Practical Governance Framework
Hi everyone, After working with multiple production Azure Virtual Desktop environments, I noticed a recurring issue that rarely gets documented properly: Improper host decommissioning. Scaling out AVD is easy. Scaling down safely is where environments silently drift. Common issues I’ve seen in the field: Session hosts deleted before drain completion Orphaned Entra ID device objects Intune-managed device records left behind Stale registration tokens FSLogix containers remaining locked Defender onboarding objects not cleaned Host pool inconsistencies over time The problem is not technical complexity. It’s lifecycle governance. So I built a structured approach to host decommissioning focused on: Drain validation Active session verification Controlled removal from host pool VM deletion sequencing Identity cleanup validation Registration token rotation Logging and execution safety I’ve published a practical framework here: The framework is fully documented and includes validation logic and logging. https://github.com/modernendpoint/AVD-Host-Decommission-Framework The goal is simple: Not just removing a VM — but preserving platform integrity. I’m curious: How are you handling host lifecycle management in your AVD environments? Fully automated? Manual? Integrated with scaling plans? Identity cleanup included? Would love to hear how others approach this. Menahem Suissa AVD | Intune | Identity-Driven Architecture
Azure Virtual Desktop and Azure AD Join with Enroll VM in Intune - possible pitfall!
Dear Azure Virtual Desktop friends, If you want to set up Azure Virtual Desktop infrastructure in Azure and you have chosen Azure AD Join and with Enroll VM with Intune, you may get the following error message: -------------------- [{"code":"VMExtensionProvisioningError","message":"VM has reported a failure when processing extension 'AADLoginForWindows'. Error message: \"AAD Join failed with status code: -2145648509. AzureSecureVMJoinOperation: DeviceEnroller::AzureSecureVMEnroll failed 0x801c0083.\"\r\n\r\nMore information on troubleshooting is available at https://aka.ms/vmextensionwindowstroubleshoot "}]} -------------------- This could possibly be because you have reached the limit for adding devices to Intune. You can find this information in the Intune Admincenter and increase the value. Either edit the default settings or set up a new Restriction policy. I realize it's not super, great, extra news, but I ran into these limitations during a deployment and the hints weren't necessarily obvious. Thank you for taking the time to read the article. Best regards, Tom Wechsler P.S. All scripts (#PowerShell, Azure CLI, #Terraform, #ARM) that I use can be found on github! https://github.com/tomwechsler
