Azure Virtual Desktop GPO sign in speed

E J 86 Reputation points
2023-08-08T14:10:19.36+00:00

Hi,
I have a major issue with my new AVD environment where the session hosts are hybrid AD joined and can be Intune managed. The hosts get automatically enrolled to Intune. With every first sign-in of a user, it takes us 10 to 15 minutes stuck at the "Applying Group Policy Drive Maps policy" step. The policy which causes that is identified. It is our general policy for all users in the company which maps their local file share drives. This policy's security filtering is scoped to "Authenticated Users" and has its "Computer configuration settings disabled." Unfortunately, I do not see an option to exclude the hosts from the policy, and excluding users from the policy would mean it wouldn't apply anywhere they sign in. I found some suggestions to deny access to the policy folder on the SYSVOL fileshare, but this is apparently not advised, since the permissions in AD and on the fileshare should be in sync.

Also, the session hosts get recreated once every month, and users wouldn't sign in to the same host every time. After the first sign-in, it works quite well.
This means they could potentially wait 3 x 15 minutes when signing into every different AVD session host once every month.

This situation would make the environment quite unusable.

Does anyone have any suggestions or possible solutions for me?

Azure Virtual Desktop
A Microsoft desktop and app virtualization service that runs on Azure. Previously known as Windows Virtual Desktop.

1 answer

  1. vipullag-MSFT 26,492 Reputation points Moderator
    2023-08-09T06:27:08.7633333+00:00

    Hello E J

    Welcome to Microsoft Q&A Platform, thanks for posting your query here.

    Can you please share more details on this to assist you better?

    Do you want to map the drives for the users on the session host?

    Do you know why the drive mapping doesn’t work?

    Where are these file shares coming into AVD session hosts (on-prem or cloud)?

    Also, you mentioned, "Unfortunately, I do not see an option to exclude the hosts from the policy". If you really want to exclude AVD session hosts from this GPO, you can create another OU for AVD Comp objects and exclude this OU from the policy.

    You can use Active Directory GPO Filtering by Denying Apply Group Policy Advanced Permissions to AVD Users detailed in the following link:

    https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/assign-security-group-filters-to-the-gpo#to-prevent-members-of-a-group-from-applying-a-gpo

    Also, if the GPOs should continue applying, you can install an additional Active Directory DC, including DNS and Global Catalog, in the region where AVD exists, which increases the logon process, applying GPOs, etc.

    You can also configure "Group Policy Loopback Processing" mode to replace or merge GPO applying settings based on AVD Login or Standard computer login. You can get much more details in the following link: https://4sysops.com/archives/group-policy-loopback-processing-part-2-replace-mode-and-merge-mode/

    Hope this helps.

    If the suggested response helped you resolve your issue, please 'Accept as answer', so that it can help others in the community looking for help on similar topics.
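
The loopback option mentioned in the answer above, sketched as an added example that is not part of the original thread: it creates a GPO that turns on loopback processing in Replace mode and links it to the OU holding the session hosts. The GPO name and the OU distinguished name are placeholders chosen for illustration, and the script assumes the RSAT GroupPolicy module and rights to create and link GPOs.

```powershell
#Requires -Modules GroupPolicy
# Added example; the GPO name and OU path are hypothetical placeholders.
$GpoName   = 'AVD - User Loopback (Replace)'
$AvdOuDn   = 'OU=AVD Session Hosts,DC=contoso,DC=example'
$PolicyKey = 'HKLM\Software\Policies\Microsoft\Windows\System'

# Create the GPO only if it does not exist yet, so the script can be re-run.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Loopback Replace mode for AVD session hosts'
}

# Loopback is a computer-side setting. UserPolicyMode: 1 = Merge, 2 = Replace.
# In Replace mode the user's GPO list is built from the session host's
# location in AD instead of the user's.
Set-GPRegistryValue -Guid $gpo.Id -Key $PolicyKey `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null

# Link the GPO to the session host OU unless it is already linked there.
$linked = (Get-GPInheritance -Target $AvdOuDn).GpoLinks |
    Where-Object { $_.GpoId -eq $gpo.Id }
if (-not $linked) {
    New-GPLink -Guid $gpo.Id -Target $AvdOuDn -LinkEnabled Yes | Out-Null
}

# Review what the session hosts will process: every GPO listed here that
# carries user settings still applies to users on these hosts.
(Get-GPInheritance -Target $AvdOuDn).InheritedGpoLinks |
    Select-Object Order, DisplayName, Enabled, Enforced
```

Replace mode only drops the drive map GPO if that GPO is linked at the user OUs; if it is linked at the domain root or anywhere above the session host OU, it appears in the final listing and is still processed. User settings that should remain on the hosts have to be linked to the session host OU as well.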
