How to manage your Windows Virtual Desktop session hosts (single user) with Microsoft Endpoint Manager – Microsoft Intune.

By default, all Windows Virtual Desktop session hosts are joined to your domain, and in most cases you apply policy configurations to them via Group Policy Objects (GPO). If you are also using Microsoft Endpoint Manager – Microsoft Intune to manage Windows 10 devices, it is worth considering managing your WVD session host VMs with it as well.

The big advantage is that you can apply your existing Windows 10 configurations (including application deployments) directly to the WVD session hosts, provided they are provisioned with a Windows 10 Enterprise single-user image (multi-session is not supported at this moment).

In this blog I will show you step by step how to start managing Windows Virtual Desktop session hosts with Microsoft Intune.

Requirements

  • Azure tenant up-and-running, including Azure AD Connect. Make sure the WVD session host VMs are located in an AD OU that is synced with Azure AD.
  • Windows Virtual Desktop environment up-and-running, including a Personal host pool type
  • Microsoft Intune environment up-and-running, including enablement for Windows 10 device enrollment (Device Restrictions)

Limitations

  • Only Windows 10 Enterprise, single-user version, is supported at this moment (no Windows 10 multi-session)
  • Only for use in Personal WVD host pools
  • “Domain Join” and “Wi-Fi” Intune Configuration profiles are not supported (but also not needed)
  • The following Intune device actions are not supported/recommended: Autopilot reset, BitLocker key rotation, Fresh Start, Remote lock, Reset password and Wipe.

My Environment

I have an on-premises domain with the primary UPN suffix “futureworkplace.it”. Azure AD Connect is configured and is syncing with Azure AD.

Microsoft Intune is fully configured, including Device Compliance, Device Configuration profiles and Application deployments for Windows 10.

Windows Virtual Desktop is deployed with a Personal host pool type. The session host VMs are joined with the on-premises domain and are located in an Active Directory OU with “Block Inheritance” enabled on it.

In this blog

This blog will cover the following steps.

  • Configure Hybrid Azure AD Join
  • Check if WVD hosts are Azure AD joined
  • Create an Automatic MDM enrollment policy
  • Test the results

Step 1 : Configure Hybrid Azure AD Join

For the first step we need to make some changes in the Azure AD Connect configuration. Log in to the server where Azure AD Connect is installed and configured.

Start Azure AD Connect and click Configure

Click Configure device options.

Click Next

Log in with your Global Administrator account and click Next

Select Configure Hybrid Azure AD join and click Next

Enable Windows 10 or later domain-joined devices and click Next.

Select your Forest, select Azure Active Directory as Authentication Service and log in with a local Enterprise Administrator account. Click Next.

Click Configure

Click Exit

Optionally, you can force an Azure AD sync so you don’t have to wait for the next scheduled one.

Step 2 : Check if WVD hosts are Azure AD joined

Wait for the next Azure AD Connect sync or force a sync right away. After the sync has completed, log in to a WVD session host VM, open a command prompt or PowerShell and type the following command:

dsregcmd /status

Make sure that AzureAdJoined is set to Yes

Also make sure that AzureAdPrt is set to Yes

If this is not the case, make sure the devices have been synced to Azure AD. Sometimes a reboot of the VM will also help.

As an alternative you can also check the status in Azure AD – Devices. Check the Join Type and the Registered status.
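The two dsregcmd values above are easy to miss in the long status dump. The following PowerShell script, added here as an example and not part of the original post, parses the `dsregcmd /status` output into a hashtable and reports whether AzureAdJoined and AzureAdPrt are both YES. It assumes `dsregcmd.exe` is on the path (it ships with Windows 10) and is run on the session host itself; the sample output embedded at the bottom is constructed to mirror the dsregcmd layout so the parser can be tried without a session host.

```powershell
# Added example (not from the original post): check the Hybrid Azure AD join
# state of a WVD session host by parsing `dsregcmd /status`.
# To force the sync mentioned in Step 1, run on the Azure AD Connect server:
#   Import-Module ADSync; Start-ADSyncSyncCycle -PolicyType Delta

function Get-DsregStatus {
    param(
        # Optional: captured dsregcmd output (array of lines) instead of running it.
        [string[]]$Lines
    )
    if (-not $Lines) { $Lines = & dsregcmd.exe /status }

    $result = @{}
    foreach ($line in $Lines) {
        # dsregcmd prints "    Key : Value" lines; section borders have no colon.
        if ($line -match '^\s*([A-Za-z0-9 ]+?)\s*:\s*(.*?)\s*$') {
            $result[$Matches[1]] = $Matches[2]
        }
    }
    return $result
}

function Test-WvdHybridJoin {
    param([string[]]$Lines)
    $status = Get-DsregStatus -Lines $Lines
    # The two values the post requires before MDM auto-enrollment can work.
    $checks = [ordered]@{
        AzureAdJoined = 'YES'
        AzureAdPrt    = 'YES'
    }
    $ok = $true
    foreach ($key in $checks.Keys) {
        $actual = $status[$key]
        $pass = ($actual -eq $checks[$key])   # -eq is case-insensitive in PowerShell
        if (-not $pass) { $ok = $false }
        '{0,-15} expected {1,-4} got {2,-4} {3}' -f $key, $checks[$key], $actual,
            $(if ($pass) { 'OK' } else { 'FAIL' })
    }
    return $ok
}

# Constructed sample output, modelled on the dsregcmd /status layout.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : FUTUREWORKPLACE

+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+

                AzureAdPrt : YES
'@ -split "`r?`n"

# Evaluate the constructed sample. On a real host run Test-WvdHybridJoin
# without -Lines so dsregcmd is executed.
Test-WvdHybridJoin -Lines $sample
```

`Test-WvdHybridJoin` prints one line per check and returns `$true` only when both values are YES, so it can be used as the gate before moving on to Step 3. A missing AzureAdPrt with AzureAdJoined set to YES usually means the device object exists but no user has logged on since the join completed; the post's advice to sync again or reboot applies.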

Step 3 : Create an Automatic MDM enrollment policy

To enable automatic MDM enrollment, a policy setting needs to be set. Therefore, open the Group Policy Management console.

On the OU that contains the WVD session host VMs, create a new GPO (or edit an existing one). Give the GPO a name and click OK.

Navigate to Administrative Templates > Windows Components > MDM and open the setting Enable automatic MDM enrollment using default Azure credentials.

Select Enabled and select Device Credential as Credential Type to use. Click OK.
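The same GPO can be created and linked from PowerShell with the GroupPolicy module (part of RSAT), which is handy when several host pools need the identical setting. The script below is an added example, not the author's, and makes two assumptions: the GPO name and OU distinguished name are placeholders to replace with your own, and the registry values written are the ones the "Enable automatic MDM enrollment using default Azure credentials" ADMX setting maps to (AutoEnrollMDM = 1 for Enabled, UseAADCredentialType = 2 for Device Credential). Verify the second assumption against the GUI-created GPO in your own environment before relying on it.

```powershell
# Added example (not from the original post): create and link the Step 3 GPO
# with the GroupPolicy module instead of the Group Policy Management console.
Import-Module GroupPolicy

$GpoName   = 'WVD - Automatic MDM Enrollment'                        # placeholder
$TargetOU  = 'OU=WVD Session Hosts,DC=futureworkplace,DC=it'          # placeholder
# Assumption: registry location the MDM ADMX setting writes to.
$PolicyKey = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'

# Reuse the GPO if it already exists, otherwise create it.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }

# Enabled (AutoEnrollMDM = 1) with "Device Credential" as Credential Type (2).
Set-GPRegistryValue -Name $GpoName -Key $PolicyKey -ValueName 'AutoEnrollMDM' `
    -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $PolicyKey -ValueName 'UseAADCredentialType' `
    -Type DWord -Value 2 | Out-Null

# Link the GPO to the session host OU unless a link already exists. Because the
# post's OU has "Block Inheritance" enabled, the link must be on that OU itself.
$linked = (Get-GPInheritance -Target $TargetOU).GpoLinks |
    Where-Object { $_.DisplayName -eq $GpoName }
if (-not $linked) { New-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes | Out-Null }

# Show what was written so it can be compared with the setting in the GUI.
Get-GPRegistryValue -Name $GpoName -Key $PolicyKey | Select-Object ValueName, Type, Value
```

Linking directly to the session host OU keeps the scope tight: only the VMs that should auto-enroll receive the setting, and the Block Inheritance on the OU is respected rather than bypassed.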

Step 4 : Test the results

After the policy has been applied to the session host, the VM will be enrolled in Microsoft Intune.

As you can see, the WVD session host is visible within the Microsoft Intune console.

All Device configurations have also been applied to the VM.

Mandatory / required applications have also been installed on the VM, including the custom Microsoft 365 Apps and some Windows 10 Store apps.

The Company Portal app has been installed, and the Windows Update policy also seems to be active, as you can see in the Windows Update notification.
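Besides looking at the Intune console, the enrollment can be verified from the session host itself, which is useful when a VM does not show up. The script below is an added example, not part of the original post, and assumes the following about Windows 10 (not stated on the page): the Step 3 setting lands under `HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM`, completed MDM enrollments are recorded under `HKLM\SOFTWARE\Microsoft\Enrollments` with an Intune provider ID of "MS DM Server", the enrollment client registers its sync tasks under `\Microsoft\Windows\EnterpriseMgmt\`, and enrollment failures are logged to the DeviceManagement-Enterprise-Diagnostics-Provider Admin log.

```powershell
# Added example (not from the original post): verify on a session host that the
# auto-enrollment policy arrived and that the device enrolled in Intune.
function Test-WvdIntuneEnrollment {
    $report = [ordered]@{}

    # 1. Did the GPO land? (Assumed registry location of the Step 3 setting.)
    $mdmPolicy = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM' `
        -ErrorAction SilentlyContinue
    $report['PolicyApplied'] = [bool]($mdmPolicy -and
        $mdmPolicy.AutoEnrollMDM -eq 1 -and $mdmPolicy.UseAADCredentialType -eq 2)

    # 2. Is there an Intune enrollment record? (Assumed ProviderID "MS DM Server".)
    $enrollment = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty $_.PSPath } |
        Where-Object { $_.ProviderID -eq 'MS DM Server' } |
        Select-Object -First 1
    $report['IntuneEnrolled'] = [bool]$enrollment

    # 3. Has the enrollment client created its scheduled sync tasks? (Assumed path.)
    $tasks = @(Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmt\*' `
        -ErrorAction SilentlyContinue)
    $report['SyncTasksPresent'] = ($tasks.Count -gt 0)

    # 4. Most recent errors from the MDM diagnostics log, if any (assumed log name).
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
        Level   = 2   # Error
    } -MaxEvents 5 -ErrorAction SilentlyContinue
    $report['RecentErrors'] = @($events | ForEach-Object { $_.Message.Split("`n")[0] })

    [pscustomobject]$report
}

# Refresh computer policy first so a freshly linked GPO is picked up, then report.
gpupdate /target:computer /force | Out-Null
Test-WvdIntuneEnrollment | Format-List
```

Read the four fields top to bottom: `PolicyApplied` false means the GPO has not reached the VM (wrong OU, blocked inheritance, or no gpupdate yet); `PolicyApplied` true with `IntuneEnrolled` false points back to Step 2, since the device credential enrollment needs the AzureAdJoined and AzureAdPrt state from dsregcmd; `RecentErrors` then gives the enrollment client's own reason.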


About Robin Hobo


I work as a Senior Solution Architect with focus on the Modern Workspace. I am specialized in Azure Virtual Desktop (AVD), Windows 365 and Microsoft EM+S (including Microsoft Endpoint Manager - Microsoft Intune).
