Deploy Azure Virtual Desktop

Important

Using Azure Stack HCI with Azure Virtual Desktop is currently in PREVIEW. See the Supplemental Terms of Use for Microsoft Azure Previews for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

This article shows you how to deploy Azure Virtual Desktop on Azure or Azure Stack HCI by using the Azure portal, Azure CLI, or Azure PowerShell. You create a host pool, workspace, application group, and session hosts and can optionally enable diagnostics settings. You also assign users or groups to the application group for users to get access to their desktops and applications. You can do all these tasks in the same process when using the Azure portal, but you can also do them separately.

The process covered in this article is an in-depth and adaptable approach to deploying Azure Virtual Desktop. If you want a simpler approach to deploy a sample Windows 11 desktop in Azure Virtual Desktop, see Tutorial: Deploy a sample Azure Virtual Desktop infrastructure with a Windows 11 desktop or use the getting started feature.

For more information on the terminology used in this article, see Azure Virtual Desktop terminology, and to learn about the service architecture and resilience of the Azure Virtual Desktop service, see Azure Virtual Desktop service architecture and resilience.

Prerequisites

Review the Prerequisites for Azure Virtual Desktop for a general idea of what's required and supported, such as operating systems (OS), virtual networks, and identity providers. It also includes a list of the supported Azure regions in which you can deploy host pools, workspaces, and application groups. This list of regions is where the metadata for the host pool can be stored. However, session hosts can be located in any Azure region, and on-premises with Azure Stack HCI (preview). For more information about the types of data and locations, see Data locations for Azure Virtual Desktop.

Select the relevant tab for your scenario for more prerequisites.

In addition, you need:

Create a host pool

To create a host pool, select the relevant tab for your scenario and follow the steps.

Here's how to create a host pool using the Azure portal.

  1. Sign in to the Azure portal.

  2. In the search bar, enter Azure Virtual Desktop and select the matching service entry.

  3. Select Host pools, then select Create.

  4. On the Basics tab, complete the following information:

    Parameter | Value/Description
    Subscription | Select the subscription you want to create the host pool in from the drop-down list.
    Resource group | Select an existing resource group or select Create new and enter a name.
    Host pool name | Enter a name for the host pool, for example hp01.
    Location | Select the Azure region where you want to create your host pool.
    Validation environment | Select Yes to create a host pool that is used as a validation environment. Select No (default) to create a host pool that isn't used as a validation environment.
    Preferred app group type | Select the preferred application group type for this host pool from Desktop or RemoteApp.
    Host pool type | Select whether you want your host pool to be Personal or Pooled.

    If you select Personal, a new option appears for Assignment type. Select either Automatic or Direct.

    If you select Pooled, two new options appear for Load balancing algorithm and Max session limit.

    - For Load balancing algorithm, choose either breadth-first or depth-first, based on your usage pattern.

    - For Max session limit, enter the maximum number of users you want load-balanced to a single session host.

    Tip

    Once you've completed this tab, you can continue to optionally create session hosts, a workspace, register the default desktop application group from this host pool, and enable diagnostics settings by selecting Next: Virtual Machines. Alternatively, if you want to create and configure these separately, select Next: Review + create and go to step 9.

  5. Optional: On the Virtual machines tab, if you want to add session hosts, complete the following information, depending on if you want to create session hosts on Azure or Azure Stack HCI:

    1. To add session hosts on Azure:

      Parameter | Value/Description
      Add virtual machines | Select Yes. This shows several new options.
      Resource group | This automatically defaults to the same resource group you chose your host pool to be in on the Basics tab, but you can also select an alternative.
      Name prefix | Enter a name for your session hosts, for example hp01-sh. This value is used as the prefix for your session hosts. Each session host has a suffix of a hyphen and then a sequential number added to the end, for example hp01-sh-0. This name prefix can be a maximum of 11 characters and is used in the computer name in the operating system. The prefix and the suffix combined can be a maximum of 15 characters. Session host names must be unique.
      Virtual machine type | Select Azure virtual machine.
      Virtual machine location | Select the Azure region where you want to deploy your session hosts. This must be the same region that your virtual network is in.
      Availability options | Select from availability zones, availability set, or No infrastructure dependency required. If you select availability zones or availability set, complete the extra parameters that appear.
      Security type | Select from Standard, Trusted launch virtual machines, or Confidential virtual machines.

      - If you select Trusted launch virtual machines, options for secure boot and vTPM are automatically selected.

      - If you select Confidential virtual machines, options for secure boot, vTPM, and integrity monitoring are automatically selected. You can't opt out of vTPM when using a confidential VM.
      Image | Select the OS image you want to use from the list, or select See all images to see more, including any images you've created and stored as an Azure Compute Gallery shared image or a managed image.
      Virtual machine size | Select a SKU. If you want to use a different SKU, select Change size, then select from the list.
      Hibernate (preview) | Check the box to enable hibernate. Hibernate is only available for personal host pools. You will need to self-register your subscription to use the hibernation feature. For more information, see Hibernation in virtual machines. Note: We recommend that users of Teams media optimizations upgrade their host pools to WebRTC redirector service 1.45.2310.13001.
      Number of VMs | Enter the number of virtual machines you want to deploy. You can deploy up to 400 session hosts at this point if you wish (depending on your subscription quota), or you can add more later. For more information, see Azure Virtual Desktop service limits and Virtual Machines limits.
      OS disk type | Select the disk type to use for your session hosts. We recommend that only Premium SSD is used for production workloads.
      OS disk size | If you have hibernate enabled, the OS disk size needs to be larger than the amount of memory for the VM. Check the box if you need this for your session hosts.
      Confidential computing encryption | If you're using a confidential VM, you must select the Confidential compute encryption check box to enable OS disk encryption. This check box only appears if you selected Confidential virtual machines as your security type.
      Boot Diagnostics | Select whether you want to enable boot diagnostics.
      Network and security
      Virtual network | Select your virtual network. An option to select a subnet appears.
      Subnet | Select a subnet from your virtual network.
      Network security group | Select whether you want to use a network security group (NSG).

      - None doesn't create a new NSG.

      - Basic creates a new NSG for the VM NIC.

      - Advanced enables you to select an existing NSG.

      We recommend that you don't create an NSG here, but create an NSG on the subnet instead.
      Public inbound ports | You can select a port to allow from the list. Azure Virtual Desktop doesn't require public inbound ports, so we recommend you select No.
      Domain to join
      Select which directory you would like to join | Select from Microsoft Entra ID or Active Directory and complete the relevant parameters for the option you select.
      Virtual Machine Administrator account
      Username | Enter a name to use as the local administrator account for the new session hosts.
      Password | Enter a password for the local administrator account.
      Confirm password | Reenter the password.
      Custom configuration
      Custom configuration script URL | If you want to run a PowerShell script during deployment, you can enter the URL here.
    2. To add session hosts on Azure Stack HCI:

      Parameter | Value/Description
      Add virtual machines | Select Yes. This shows several new options.
      Resource group | This automatically defaults to the resource group you chose your host pool to be in on the Basics tab, but you can also select an alternative.
      Name prefix | Enter a name for your session hosts, for example hp01-sh. This value is used as the prefix for your session hosts. Each session host has a suffix of a hyphen and then a sequential number added to the end, for example hp01-sh-0. This name prefix can be a maximum of 11 characters and is used in the computer name in the operating system. The prefix and the suffix combined can be a maximum of 15 characters. Session host names must be unique.
      Virtual machine type | Select Azure Stack HCI virtual machine (Preview).
      Custom location | Select the Azure Stack HCI cluster where you want to deploy your session hosts from the drop-down list.
      Images | Select the OS image you want to use from the list, or select Manage VM images to manage the images available on the cluster you selected.
      Number of VMs | Enter the number of virtual machines you want to deploy. You can add more later.
      Virtual processor count | Enter the number of virtual processors you want to assign to each session host. This value isn't validated against the resources available in the cluster.
      Memory type | Select Static for a fixed memory allocation, or Dynamic for a dynamic memory allocation.
      Memory (GB) | Enter a number for the amount of memory in GB you want to assign to each session host. This value isn't validated against the resources available in the cluster.
      Maximum memory | If you selected dynamic memory allocation, enter a number for the maximum amount of memory in GB you want your session host to be able to use.
      Minimum memory | If you selected dynamic memory allocation, enter a number for the minimum amount of memory in GB you want your session host to be able to use.
      Network and security
      Network dropdown | Select an existing network to connect each session to.
      Domain to join
      Select which directory you would like to join | Active Directory is the only available option.
      AD domain join UPN | Enter the User Principal Name (UPN) of an Active Directory user that has permission to join the session hosts to your domain.
      Password | Enter the password for the Active Directory user.
      Specify domain or unit | Select yes if you want to join session hosts to a specific domain or place them in a specific organizational unit (OU). If you select no, the suffix of the UPN will be used as the domain.
      Virtual Machine Administrator account
      Username | Enter a name to use as the local administrator account for the new session hosts.
      Password | Enter a password for the local administrator account.
      Confirm password | Reenter the password.

    Once you've completed this tab, select Next: Workspace.

  6. Optional: On the Workspace tab, if you want to create a workspace and register the default desktop application group from this host pool, complete the following information:

    Parameter | Value/Description
    Register desktop app group | Select Yes. This registers the default desktop application group to the selected workspace.
    To this workspace | Select an existing workspace from the list, or select Create new and enter a name, for example ws01.

    Once you've completed this tab, select Next: Advanced.

  7. Optional: On the Advanced tab, if you want to enable diagnostics settings, complete the following information:

    Parameter | Value/Description
    Enable diagnostics settings | Check the box.
    Choosing destination details to send logs to | Select one of the following destinations:

    - Send to Log Analytics workspace

    - Archive to storage account

    - Stream to an event hub

    Once you've completed this tab, select Next: Tags.

  8. Optional: On the Tags tab, you can enter any name/value pairs you need, then select Next: Review + create.

  9. On the Review + create tab, ensure validation passes and review the information that is used during deployment.

  10. Select Create to create the host pool.

  11. Once the host pool has been created, select Go to resource to go to the overview of your new host pool, then select Properties to view its properties.
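
The Virtual machines tab in step 5 carries several constraints and recommendations: name length, security type, hibernate, inbound ports, NSG placement and disk type. The following added example, which is not part of the original article or any Microsoft tooling, checks a planned set of values against them before deployment. The plan dictionary, its key names and both sample plans are constructed for illustration.

```python
# Added example: validate planned "Virtual machines" tab values before deployment.
# The plan dictionary and its keys are hypothetical, not an Azure schema.

MAX_PREFIX_LEN = 11        # name prefix limit stated in the article
MAX_NAME_LEN = 15          # prefix plus suffix limit stated in the article
MAX_VMS_AT_CREATE = 400    # session hosts deployable when creating the host pool


def session_host_names(prefix, count):
    """Build names as described: prefix, hyphen, sequential number starting at 0."""
    return [f"{prefix}-{i}" for i in range(count)]


def audit_plan(plan):
    """Return (severity, message) findings; an empty list means nothing to fix."""
    findings = []
    prefix, count = plan["name_prefix"], plan["vm_count"]

    if len(prefix) > MAX_PREFIX_LEN:
        findings.append(("error", f"prefix '{prefix}' is longer than {MAX_PREFIX_LEN} characters"))
    too_long = [n for n in session_host_names(prefix, count) if len(n) > MAX_NAME_LEN]
    if too_long:
        findings.append(("error", f"{len(too_long)} names exceed {MAX_NAME_LEN} characters, "
                                  f"starting at {too_long[0]}"))
    if count > MAX_VMS_AT_CREATE:
        findings.append(("error", f"{count} VMs requested, limit at creation is {MAX_VMS_AT_CREATE}"))

    security = plan["security_type"]
    if security == "Standard":
        findings.append(("warn", "Standard security type: secure boot and vTPM are not selected"))
    if security == "Confidential virtual machines" and not plan.get("confidential_compute_encryption"):
        findings.append(("error", "confidential VMs need Confidential compute encryption enabled"))

    if plan.get("hibernate"):
        if plan["host_pool_type"] != "Personal":
            findings.append(("error", "hibernate is only available for personal host pools"))
        if plan["os_disk_gb"] <= plan["memory_gb"]:
            findings.append(("error", "hibernate needs an OS disk larger than VM memory"))

    if plan.get("public_inbound_ports"):
        findings.append(("warn", "public inbound ports are open but not required by the service"))
    if plan.get("nic_nsg") == "Basic":
        findings.append(("warn", "Basic creates an NSG on the VM NIC; use an NSG on the subnet"))
    if plan.get("production") and plan["os_disk_type"] != "Premium SSD":
        findings.append(("warn", "Premium SSD is recommended for production workloads"))
    return findings


# Constructed sample plans (not real deployments).
GOOD_PLAN = {
    "name_prefix": "hp01-sh", "vm_count": 400, "host_pool_type": "Pooled",
    "security_type": "Trusted launch virtual machines", "hibernate": False,
    "public_inbound_ports": [], "nic_nsg": "None",
    "os_disk_type": "Premium SSD", "production": True,
}
BAD_PLAN = {
    "name_prefix": "avd-prod-sh1", "vm_count": 120, "host_pool_type": "Pooled",
    "security_type": "Confidential virtual machines", "confidential_compute_encryption": False,
    "hibernate": True, "memory_gb": 128, "os_disk_gb": 128,
    "public_inbound_ports": ["3389"], "nic_nsg": "Basic",
    "os_disk_type": "Standard SSD", "production": True,
}

if __name__ == "__main__":
    for name, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        print(name)
        for severity, message in audit_plan(plan):
            print(f"  [{severity}] {message}")
```

An 11-character prefix still fits all 400 hosts within the 15-character limit, because the longest suffix, -399, is four characters.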

Optional: Post deployment

If you also added session hosts to your host pool, there's some extra configuration you might need to do, which is covered in the following sections.

Licensing

To ensure your session hosts have licenses applied correctly, you'll need to do the following tasks:

  • If you have the correct licenses to run Azure Virtual Desktop workloads, you can apply a Windows or Windows Server license to your session hosts as part of Azure Virtual Desktop and run them without paying for a separate license. This is automatically applied when creating session hosts with the Azure Virtual Desktop service, but you may have to apply the license separately if you create session hosts outside of Azure Virtual Desktop. For more information, see Apply a Windows license to session host virtual machines.

  • If your session hosts are running a Windows Server OS, you'll also need to issue them a Remote Desktop Services (RDS) Client Access License (CAL) from a Remote Desktop Licensing Server. For more information, see License your RDS deployment with client access licenses (CALs).

  • For session hosts on Azure Stack HCI, you must license and activate the virtual machines you use before you use them with Azure Virtual Desktop. For activating Windows 10 and Windows 11 Enterprise multi-session, and Windows Server 2022 Datacenter: Azure Edition, use Azure verification for VMs. For all other OS images (such as Windows 10 and Windows 11 Enterprise, and other editions of Windows Server), you should continue to use existing activation methods. For more information, see Activate Windows Server VMs on Azure Stack HCI.

Microsoft Entra joined session hosts

If your users are going to connect to session hosts joined to Microsoft Entra ID, you'll also need to enable single sign-on or legacy authentication protocols, assign an RBAC role to users, and review your multifactor authentication policies so they can sign in to the VMs.

For more information about using Microsoft Entra joined session hosts, see Microsoft Entra joined session hosts.

Note

  • If you created a host pool, workspace, and registered the default desktop application group from this host pool in the same process, go to the section Assign users to an application group and complete the rest of the article.

  • If you created a host pool and workspace in the same process, but didn't register the default desktop application group from this host pool, go to the section Create an application group and complete the rest of the article.

  • If you didn't create a workspace, continue to the next section and complete the rest of the article.

Create a workspace

Next, to create a workspace, select the relevant tab for your scenario and follow the steps.

Here's how to create a workspace using the Azure portal.

  1. From the Azure Virtual Desktop overview, select Workspaces, then select Create.

  2. On the Basics tab, complete the following information:

    Parameter | Value/Description
    Subscription | Select the subscription you want to create the workspace in from the drop-down list.
    Resource group | Select an existing resource group or select Create new and enter a name.
    Workspace name | Enter a name for the workspace, for example workspace01.
    Friendly name | Optional: Enter a friendly name for the workspace.
    Description | Optional: Enter a description for the workspace.
    Location | Select the Azure region where you want to deploy your workspace.

    Tip

    Once you've completed this tab, you can continue to optionally register an existing application group to this workspace, if you have one, and enable diagnostics settings by selecting Next: Application groups. Alternatively, if you want to create and configure these separately, select Review + create and go to step 9.

  3. Optional: On the Application groups tab, if you want to register an existing application group to this workspace, complete the following information:

    Parameter | Value/Description
    Register application groups | Select Yes, then select + Register application groups. In the new pane that opens, select the Add icon for the application group(s) you want to add, then select Select.

    Once you've completed this tab, select Next: Advanced.

  4. Optional: On the Advanced tab, if you want to enable diagnostics settings, complete the following information:

    Parameter | Value/Description
    Enable diagnostics settings | Check the box.
    Choosing destination details to send logs to | Select one of the following destinations:

    - Send to Log Analytics workspace

    - Archive to storage account

    - Stream to an event hub

    Once you've completed this tab, select Next: Tags.

  5. Optional: On the Tags tab, you can enter any name/value pairs you need, then select Next: Review + create.

  6. On the Review + create tab, ensure validation passes and review the information that is used during deployment.

  7. Select Create to create the workspace.

  8. Once the workspace has been created, select Go to resource to go to the overview of your new workspace, then select Properties to view its properties.

Note

  • If you added an application group to this workspace, go to the section Assign users to an application group and complete the rest of the article.

  • If you didn't add an application group to this workspace, continue to the next section and complete the rest of the article.

Create an application group

To create an application group, select the relevant tab for your scenario and follow the steps.

Here's how to create an application group using the Azure portal.

  1. From the Azure Virtual Desktop overview, select Application groups, then select Create.

  2. On the Basics tab, complete the following information:

    Parameter | Value/Description
    Subscription | Select the subscription you want to create the application group in from the drop-down list.
    Resource group | Select an existing resource group or select Create new and enter a name.
    Host pool | Select the host pool for the application group.
    Location | Metadata is stored in the same location as the host pool.
    Application group type | Select the application group type for the host pool you selected from Desktop or RemoteApp.
    Application group name | Enter a name for the application group, for example Session Desktop.

    Tip

    Once you've completed this tab, select Next: Review + create. You don't need to complete the other tabs to create an application group, but you'll need to create a workspace, add an application group to a workspace and assign users to the application group before users can access the resources.

    If you created an application group for RemoteApp, you will also need to add applications. For more information, see Add applications to an application group.

  3. Optional: If you selected to create a RemoteApp application group, you can add applications to this application group. On the Application groups tab, select + Add applications, then select an application. For more information on the application parameters, see Publish applications with RemoteApp. At least one session host in the host pool must be powered on and available in Azure Virtual Desktop.

    Once you've completed this tab, or if you're creating a desktop application group, select Next: Assignments.

  4. Optional: On the Assignments tab, if you want to assign users or groups to this application group, select + Add Microsoft Entra users or user groups. In the new pane that opens, check the box next to the users or groups you want to add, then select Select.

    Once you've completed this tab, select Next: Workspace.

  5. Optional: On the Workspace tab, if you're creating a desktop application group, you can register the default desktop application group from the host pool you selected by completing the following information:

    Parameter | Value/Description
    Register application group | Select Yes. This registers the default desktop application group to the selected workspace.
    Register application group | Select an existing workspace from the list.

    Once you've completed this tab, select Next: Advanced.

  6. Optional: If you want to enable diagnostics settings, on the Advanced tab, complete the following information:

    Parameter | Value/Description
    Enable diagnostics settings | Check the box.
    Choosing destination details to send logs to | Select one of the following destinations:

    - Send to Log Analytics workspace

    - Archive to storage account

    - Stream to an event hub

    Once you've completed this tab, select Next: Tags.

  7. Optional: On the Tags tab, you can enter any name/value pairs you need, then select Next: Review + create.

  8. On the Review + create tab, ensure validation passes and review the information that is used during deployment.

  9. Select Create to create the application group.

  10. Once the application group has been created, select Go to resource to go to the overview of your new application group, then select Properties to view its properties.

Note

  • If you created a desktop application group, assigned users or groups, and registered the default desktop application group to a workspace, your assigned users can connect to the desktop and you don't need to complete the rest of the article.

  • If you created a RemoteApp application group, added applications, and assigned users or groups, go to the section Add an application group to a workspace and complete the rest of the article.

  • If you didn't add applications, assign users or groups, or register the application group to a workspace, continue to the next section and complete the rest of the article.

Add an application group to a workspace

Next, to add an application group to a workspace, select the relevant tab for your scenario and follow the steps.

Here's how to add an application group to a workspace using the Azure portal.

  1. From the Azure Virtual Desktop overview, select Workspaces, then select the name of the workspace you want to assign an application group to.

  2. From the workspace overview, select Application groups, then select + Add.

  3. Select the plus icon (+) next to an application group from the list. Only application groups that aren't already assigned to a workspace are listed.

  4. Select Select. The application group is added to the workspace.

Assign users to an application group

Finally, to assign users or user groups to an application group, select the relevant tab for your scenario and follow the steps. We recommend you assign user groups to application groups to make ongoing management simpler.

Here's how to assign users or user groups to an application group using the Azure portal.

  1. From the Azure Virtual Desktop overview, select Application groups.

  2. Select the application group from the list.

  3. From the application group overview, select Assignments.

  4. Select + Add, then search for and select the user account or user group you want to assign to this application group.

  5. Finish by selecting Select.

Next steps

Once you've deployed Azure Virtual Desktop, your users can connect. There are several platforms you can connect from, including from a web browser. For more information, see Remote Desktop clients for Azure Virtual Desktop and Connect to Azure Virtual Desktop with the Remote Desktop Web client.

Here are some extra tasks you might want to do: