Tutorial 2-3: Deploy Azure Virtual Desktop workload in Azure Enclave

This tutorial guides you through deploying Azure Virtual Desktop in Azure Enclave. You create Azure Virtual Desktop infrastructure including host pools, session hosts, application groups, and FSLogix storage, all secured within your enclave boundary.

In this tutorial, you learn how to:

  • Deploy Azure Virtual Desktop community endpoint for external connectivity
  • Deploy Azure Virtual Desktop enclave infrastructure
  • Deploy Azure Virtual Desktop workload with session hosts and control plane
  • Configure identity and encryption
  • Access Azure Virtual Desktop via encrypted connections
  • Validate the deployment

Prerequisites

  • Completion of Tutorial 2-2: Create Azure Enclave Environment
  • Azure Virtual Desktop enclave with management and session hosts subnets
  • Common dependencies (Key Vault, managed identity, disk encryption set) from Tutorial 2-2
  • Private DNS zones for Azure Virtual Desktop deployed
  • Virtual Machine Contributor role on the Azure Virtual Desktop workload resource group
  • Active Directory or Microsoft Entra ID configured for user authentication

Before you begin

Identity solution requirements

Azure Virtual Desktop requires an identity solution for user authentication. You have two options:

Microsoft Entra ID

  • Requirements: Microsoft Entra tenant; users synced or cloud-only; Microsoft Entra joined VMs
  • Best for: Cloud-native organizations

Active Directory Domain Services (AD DS)

  • Requirements: Domain controller accessible from the enclave; domain join for VMs; can be hybrid with Microsoft Entra Connect
  • Best for: Existing AD infrastructure

This tutorial supports both options. Choose the appropriate parameters during deployment.

Resource naming conventions

This tutorial uses example names. Use your organization's naming convention:

  • Enclave: avd-enclave
  • Workload: avd-workload
  • Resource group prefix: rg-avd-
  • Host pool: hp-prod-01

Deploy Azure Virtual Desktop community endpoint

The Azure Virtual Desktop community endpoint enables session hosts to communicate with Azure Virtual Desktop control plane services.

Note

If you created the Azure Virtual Desktop community endpoint in Tutorial 2-2, you can skip this section.

Use service catalog template

  1. In the Azure portal, navigate to your Azure Virtual Desktop workload in the Azure Virtual Desktop enclave.
  2. Select + Add an Azure Service.
  3. Search for and select Azure Virtual Desktop Community Endpoint.
  4. Configure the deployment:
    • Resource group: Select your workload resource group (for example, rg-avd-workload)
    • Community Resource Name: Select your community (for example, fabrikam)
    • Community Endpoint Name: ce-avd-services
    • Include Azure Virtual Desktop URLs: Check all required URLs:
      • *.wvd.microsoft.com
      • login.microsoftonline.com
      • management.azure.com
      • *.prod.warm.ingest.monitor.core.windows.net
  5. Select Review + Add and then Create.
  6. Wait for deployment to complete (~5-10 minutes).

Deploy Azure Virtual Desktop enclave infrastructure

The Azure Virtual Desktop enclave template prepares your enclave with required subnets and network security groups.

Use service catalog template

  1. In your Azure Virtual Desktop workload, select + Add an Azure Service.

  2. Search for and select Azure Virtual Desktop Enclave.

  3. Configure the deployment:

    Basic settings:

    • Resource group: rg-avd-infrastructure
    • Enclave Resource Name: Select avd-enclave
    • Location: Same as enclave region

    Network configuration:

    • Virtual Network Name: Leave default (uses enclave virtual network)
    • Management Subnet Name: AzureVirtualDesktopManagementSubnet
    • Session Hosts Subnet Name: AzureVirtualDesktopSessionHostsSubnet
    • Create NSGs: Yes (if not already created)

    Private DNS:

    • Create Private DNS Zones: No (already created in Tutorial 2-2)
    • Link to VNet: Yes
  4. Select Review + Add and then Create.

  5. Wait for deployment to complete (~10-15 minutes).

Deploy Azure Virtual Desktop workload

Now deploy the Azure Virtual Desktop workload with host pool, session hosts, and supporting infrastructure.

Select the Azure Virtual Desktop workload template

  1. In your Azure Virtual Desktop workload, select + Add an Azure Service.
  2. Search for and select Azure Virtual Desktop Workload.
  3. Configure the deployment using the following parameters:
    Basics tab:

    • Resource group: rg-avd-workload
    • Location: Same as enclave region
    • Workload Name: avd-prod

    Host Pool Configuration:

    • Host Pool Name: hp-prod-01
    • Host Pool Type: Pooled
    • Load Balancer Type: BreadthFirst
    • Max Session Limit: 10 (for pooled, sessions per host)
    • Validation Environment: No (unless testing)

    Session Host Configuration:

    • Session Host Name Prefix: avd-sh-
    • Virtual Machine Size: Standard_D4s_v5 (4 vCPU, 16 GB of RAM minimum)
    • Number of Session Hosts: 2 (start small, scale later)
    • OS Disk Type: Premium_LRS
    • Image Reference:
      • Publisher: MicrosoftWindowsDesktop
      • Offer: Windows-11
      • SKU: win11-23h2-avd
      • Version: latest

    Network Configuration:

    • Virtual Network Resource Group: avd-enclave-HostedResources-<guid> (enclave MRG)
    • Virtual Network Name: Enclave virtual network name
    • Subnet Name: AzureVirtualDesktopSessionHostsSubnet

    Identity and Domain (for Microsoft Entra ID):

    • Identity Type: AzureADJoin
    • Entra Tenant ID: Your Microsoft Entra tenant ID
    • Intune Enrollment: Yes (recommended)

    Identity and Domain (for Active Directory Domain Services):

    • Identity Type: DomainJoin
    • Domain FQDN: contoso.com
    • OU Path: OU=AVD,DC=contoso,DC=com (optional)
    • Domain Join Account UPN: avd-join@contoso.com
    • Domain Join Password: (secure password)

    Workspace Configuration:

    • Workspace Name: ws-avd-prod
    • Workspace Friendly Name: Production Azure Virtual Desktop Workspace
    • Application Group Name: ag-desktop-prod
    • Application Group Type: Desktop (or RemoteApp)

    Storage Configuration (FSLogix):

    • Storage Account Name: stavdfslogix<uniqueid>
    • Storage Account Type: Premium_LRS (for best performance)
    • File Share Name: profiles
    • File Share Quota (GB): 1024 (1 TB)
    • Enable Azure Files Private Endpoint: Yes
    • Private Endpoint Subnet: AzureVirtualDesktopManagementSubnet

    Encryption Configuration:

    • Enable CMK Encryption: Yes
    • Disk Encryption Set Resource ID: Resource ID from Tutorial 2-2 common dependencies
    • User Assigned Identity Resource ID: Resource ID from Tutorial 2-2 common dependencies

    Monitoring:

    • Enable Diagnostic Settings: Yes
    • Log Analytics Workspace: Select workspace from shared services or create new
    • Enable Azure Virtual Desktop Insights: Yes (recommended)
  4. Select Review + Create.
  5. Review all settings carefully.
  6. Select Create.

Note

Deployment takes 30-60 minutes depending on the number of session hosts.

Configure enclave endpoints for management

Create enclave endpoints to allow management traffic from admin resources.

  1. Navigate to your Azure Virtual Desktop enclave.

  2. Select Enclave endpoints then select + Create.

  3. Configure the endpoint:

    • Name: ee-avd-management
    • Description: Allow management access to Azure Virtual Desktop resources
  4. Add rules:

    Rule 1: RDP to Session Hosts

    • Name: rdp-to-hosts
    • Protocol: TCP
    • Port: 3389
    • Source: Admin subnet CIDR or bastion subnet

    Rule 2: PowerShell Remoting

    • Name: winrm
    • Protocol: TCP
    • Port: 5985,5986
    • Source: Admin subnet CIDR
  5. Select Review + create and then Create.

Configure enclave connection for FSLogix

If your FSLogix storage is in a different enclave, create an enclave connection.

  1. Navigate to your Azure Virtual Desktop enclave.
  2. Select Enclave connections then select + Create.
  3. Configure the connection:
    • Name: conn-avd-to-storage
    • Source enclave: avd-enclave
    • Destination enclave endpoint: Select endpoint in shared services enclave
  4. Select Review + create and then Create.

Assign users to application group

Users need to be assigned to the application group to access Azure Virtual Desktop.

Using Azure portal

  1. Navigate to your Application Group (for example, ag-desktop-prod).
  2. Select Assignments then select + Add.
  3. Search for and select users or groups.
  4. Select Select.

Using Azure PowerShell

# Requires the Az.DesktopVirtualization and Az.Resources modules
# Variables
$resourceGroup = "rg-avd-workload"
$appGroupName = "ag-desktop-prod"
$userPrincipalName = "user@contoso.com"

# Get the application group (fails early if the name or resource group is wrong)
$appGroup = Get-AzWvdApplicationGroup -ResourceGroupName $resourceGroup -Name $appGroupName

# Get the user object ID
$user = Get-AzADUser -UserPrincipalName $userPrincipalName

# Assign user to application group by granting the Desktop Virtualization User role
# scoped to the application group resource (use Get-AzADGroup and its Id for a group)
New-AzRoleAssignment -ObjectId $user.Id `
    -RoleDefinitionName "Desktop Virtualization User" `
    -ResourceName $appGroup.Name `
    -ResourceGroupName $resourceGroup `
    -ResourceType 'Microsoft.DesktopVirtualization/applicationGroups'

Access Azure Virtual Desktop from client

Users can access Azure Virtual Desktop through various clients.

Web client

  1. Navigate to https://client.wvd.microsoft.com/arm/webclient
  2. Sign in with Microsoft Entra credentials
  3. Select the published desktop or application
  4. Session connects through enclave connectivity

Windows App

  1. Download the Windows App from the Microsoft Store or as a direct download
  2. Install and launch Windows App
  3. Select Add account or + to add a workspace
  4. Sign in with your Microsoft Entra credentials
  5. Your Azure Virtual Desktop resources automatically appear
  6. Select a desktop or application to connect

Note

Windows App replaces the legacy Remote Desktop client and provides a modern experience for accessing Azure Virtual Desktop and other remote resources.

Validate the deployment

Perform these validation steps to ensure proper deployment:

Check session host status

  1. Navigate to your Host Pool (for example, hp-prod-01)
  2. Select Session hosts
  3. Verify all hosts show status: Available
  4. Check Agent version is current
  5. Verify Domain joined status

Test user session

  1. Sign in as a test user
  2. Launch a desktop or application
  3. Verify connectivity and performance
  4. Check FSLogix profile loads correctly
  5. Test application functionality

Verify encryption

  1. Navigate to a session host VM
  2. Select Disks
  3. Select the OS disk
  4. Verify Encryption type: Encryption at rest with a customer-managed key
  5. Check encryption set is applied
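The session host status check and the encryption check above can be scripted so that they run against every host in the pool at once. The following script is an added example, not part of the tutorial or the service catalog templates. It assumes the example names used in this tutorial (rg-avd-workload, hp-prod-01) and the Az.DesktopVirtualization and Az.Compute modules; the VM and disk resource groups are read from the resource IDs because the session host VMs may be deployed into the enclave's hosted-resources group rather than the host pool's group.

```powershell
# Added validation script; not part of the tutorial's own code.
# Assumes: example names from this tutorial and the Az.DesktopVirtualization / Az.Compute modules.
$resourceGroup = "rg-avd-workload"
$hostPoolName  = "hp-prod-01"

$sessionHosts = Get-AzWvdSessionHost -ResourceGroupName $resourceGroup -HostPoolName $hostPoolName
if (-not $sessionHosts) { throw "No session hosts are registered in host pool $hostPoolName" }

# Highest agent version seen across the pool; hosts below it are reported as not current
$latestAgent = $sessionHosts.AgentVersion |
    Where-Object { $_ } | ForEach-Object { [version]$_ } |
    Sort-Object -Descending | Select-Object -First 1

$report = foreach ($sh in $sessionHosts) {
    # ResourceId is the VM's ARM ID: /subscriptions/<sub>/resourceGroups/<rg>/.../virtualMachines/<name>
    $idParts = $sh.ResourceId -split '/'
    $vm = Get-AzVM -ResourceGroupName $idParts[4] -Name $idParts[-1]

    # OS disk encryption: expect a customer-managed key through the disk encryption set from Tutorial 2-2
    $diskParts = $vm.StorageProfile.OsDisk.ManagedDisk.Id -split '/'
    $osDisk  = Get-AzDisk -ResourceGroupName $diskParts[4] -DiskName $diskParts[-1]
    $encType = $osDisk.Encryption.Type
    $desId   = $osDisk.Encryption.DiskEncryptionSetId

    [pscustomobject]@{
        SessionHost     = ($sh.Name -split '/')[-1]
        # Status is Available when healthy; values such as NotJoinedToDomain, NoHeartbeat or
        # FSLogixNotHealthy point directly at the troubleshooting sections later in this tutorial
        Status          = $sh.Status
        AgentVersion    = $sh.AgentVersion
        AgentCurrent    = ($sh.AgentVersion -and [version]$sh.AgentVersion -eq $latestAgent)
        ActiveSessions  = $sh.Session
        AllowNewSession = $sh.AllowNewSession
        EncryptionType  = $encType
        CmkApplied      = ($encType -eq 'EncryptionAtRestWithCustomerKey' -and -not [string]::IsNullOrEmpty($desId))
    }
}

$report | Format-Table -AutoSize

# Anything listed here needs attention before users are onboarded
$problems = $report | Where-Object { $_.Status -ne 'Available' -or -not $_.CmkApplied -or -not $_.AgentCurrent }
if ($problems) {
    Write-Warning "$(@($problems).Count) session host(s) failed validation:"
    $problems | Format-List SessionHost, Status, AgentCurrent, EncryptionType
} else {
    "All $(@($report).Count) session hosts are Available, on agent $latestAgent, and encrypted with a customer-managed key."
}
```

Run it from an administrative workstation that is signed in with Connect-AzAccount and has at least Reader on the host pool, VM, and disk resource groups. A host whose OS disk reports EncryptionAtRestWithPlatformKey was created without the disk encryption set and should be redeployed rather than patched in place.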

Check diagnostic logs

  1. Navigate to the Host Pool
  2. Select Diagnostic settings
  3. Verify logs are flowing to Log Analytics
  4. Query logs for connection events:
WVDConnections
| where TimeGenerated > ago(1h)
| where State == "Connected"
| project TimeGenerated, UserName, ClientOS, ClientType
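The same check can be done without opening the portal: confirm that the host pool's diagnostic setting actually forwards the Connection category to Log Analytics, then run the query above through the Log Analytics API. This is an added example, not part of the tutorial; it assumes the example names from this tutorial, the Az.DesktopVirtualization, Az.OperationalInsights and Az.Monitor (3.0 or later, where the diagnostic setting exposes a Log collection) modules, and that the first diagnostic setting found points at the workspace you want to query.

```powershell
# Added example; not part of the tutorial's own code.
# Assumes: example names from this tutorial; Az.DesktopVirtualization, Az.Monitor 3.0+, Az.OperationalInsights.
$resourceGroup = "rg-avd-workload"
$hostPoolName  = "hp-prod-01"

$hostPool = Get-AzWvdHostPool -ResourceGroupName $resourceGroup -Name $hostPoolName
$settings = Get-AzDiagnosticSetting -ResourceId $hostPool.Id
if (-not $settings) { throw "No diagnostic setting exists on $hostPoolName; nothing is being sent to Log Analytics." }

foreach ($s in $settings) {
    # A setting can enable individual categories or a category group such as allLogs
    $enabled = $s.Log | Where-Object Enabled | ForEach-Object {
        if ($_.CategoryGroup) { "group:$($_.CategoryGroup)" } else { $_.Category }
    }
    "Diagnostic setting '$($s.Name)' -> workspace $($s.WorkspaceId)"
    "  enabled: $($enabled -join ', ')"
    if (-not ($enabled -contains 'Connection' -or $enabled -contains 'group:allLogs')) {
        Write-Warning "The Connection category is not enabled on '$($s.Name)'; WVDConnections will stay empty."
    }
}

# The query API needs the workspace's customer ID (a GUID), not its ARM resource ID
$wsParts = $settings[0].WorkspaceId -split '/'
$workspace = Get-AzOperationalInsightsWorkspace -ResourceGroupName $wsParts[4] -Name $wsParts[-1]

$connections = @"
WVDConnections
| where TimeGenerated > ago(1h)
| where State == "Connected"
| project TimeGenerated, UserName, ClientOS, ClientType
"@
(Invoke-AzOperationalInsightsQuery -WorkspaceId $workspace.CustomerId -Query $connections).Results |
    Format-Table -AutoSize

# Failed connections in the same window, grouped by error code, for the troubleshooting section
$errors = @"
WVDErrors
| where TimeGenerated > ago(1h)
| summarize Failures = count() by CodeSymbolic, Source
| order by Failures desc
"@
(Invoke-AzOperationalInsightsQuery -WorkspaceId $workspace.CustomerId -Query $errors).Results |
    Format-Table -AutoSize
```

An empty result from the first query right after deployment is normal if no user has signed in yet; an empty result together with a warning about the Connection category means the diagnostic setting, not the host pool, is the problem.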

Validate network connectivity

  1. Connect to a session host via bastion or admin VM
  2. Test connectivity to required endpoints:
# Test Azure Virtual Desktop control plane
Test-NetConnection -ComputerName rdweb.wvd.microsoft.com -Port 443

# Test Azure Storage (FSLogix); set the variable to your storage account name first.
# The name must be inside a quoted string: unquoted, PowerShell reads
# $storageAccountName.file.core.windows.net as a property chain on the variable.
$storageAccountName = "stavdfslogix<uniqueid>"
Test-NetConnection -ComputerName "$storageAccountName.file.core.windows.net" -Port 445

# Test Microsoft Entra ID
Test-NetConnection -ComputerName login.microsoftonline.com -Port 443

Monitor Azure Virtual Desktop Insights

Enable and configure Azure Virtual Desktop Insights for comprehensive monitoring.

  1. Navigate to your Host Pool
  2. Select Insights
  3. Select Open Insights workbook
  4. Review metrics:
    • Connection success rate
    • Active sessions
    • Session host performance
    • User input delays
    • Resource utilization

Troubleshooting common issues

Session hosts not joining domain

Symptom: Session hosts show "Domain Join Error"

Solutions:

  • Verify domain join credentials are correct
  • Check enclave connectivity to domain controllers
  • Ensure DNS resolution works for domain FQDN
  • Verify OU path is correct (if specified)

Users can't connect

Symptom: Connection fails during authentication

Solutions:

  • Verify users are assigned to application group
  • Check RDP properties allow connections
  • Verify community endpoints are created
  • Check network security group rules

FSLogix profiles not loading

Symptom: Users get temporary profile

Solutions:

  • Verify storage account private endpoint is created
  • Check SMB connectivity on port 445
  • Verify users have RBAC permissions on file share
  • Check virtual network link for private DNS zone
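The four checks in this list map to a short script that can be run on an affected session host. It is an added example, not part of the tutorial or of FSLogix itself; it assumes the example storage account and share names from this tutorial, the RFC 1918 ranges as the enclave address space (replace them with your own ranges if you use others), and the FSLogix Profiles registry key and Microsoft-FSLogix-Apps/Operational event log that the FSLogix agent creates.

```powershell
# Added troubleshooting script; not part of the tutorial's own code. Run on a session host as an administrator.
# Assumes: example names from this tutorial; RFC 1918 ranges stand in for the enclave address space.
$storageAccountName = "stavdfslogix<uniqueid>"   # replace with your storage account name
$shareName          = "profiles"
$fqdn               = "$storageAccountName.file.core.windows.net"

# 1. DNS: with a private endpoint and a linked privatelink.file.core.windows.net zone,
#    the name must resolve to a private address, never to a public Azure Storage address.
$addresses = (Resolve-DnsName -Name $fqdn -Type A -ErrorAction Stop | Where-Object Type -eq 'A').IPAddress
$privateAddresses = $addresses | Where-Object {
    $_ -like '10.*' -or $_ -match '^172\.(1[6-9]|2\d|3[01])\.' -or $_ -like '192.168.*'
}
if ($privateAddresses) {
    "DNS OK: $fqdn -> $($privateAddresses -join ', ')"
} else {
    Write-Warning "$fqdn resolves to $($addresses -join ', '): no private IP. Check the private endpoint and the virtual network link on the private DNS zone."
}

# 2. SMB reachability on TCP 445 (blocked by an NSG or missing enclave endpoint rule otherwise)
$tcp = Test-NetConnection -ComputerName $fqdn -Port 445
if (-not $tcp.TcpTestSucceeded) {
    Write-Warning "TCP 445 to $fqdn failed. Check NSG rules and the enclave endpoint for the storage enclave."
}

# 3. Share access with the current credentials: fails when the user lacks
#    Storage File Data SMB Share Contributor on the share or Kerberos/AD authentication is misconfigured
$sharePath = "\\$fqdn\$shareName"
if (Test-Path $sharePath) {
    "Share OK: $sharePath is accessible"
} else {
    Write-Warning "$sharePath is not accessible. Check share-level RBAC and the identity-based authentication setup on the storage account."
}

# 4. FSLogix agent configuration: profiles are only redirected when Enabled is 1 and VHDLocations points at this share
$fsl = Get-ItemProperty -Path 'HKLM:\SOFTWARE\FSLogix\Profiles' -ErrorAction SilentlyContinue
if (-not $fsl) {
    Write-Warning "FSLogix Profiles registry key not found; the FSLogix agent is not configured on this host."
} else {
    "FSLogix Enabled: $($fsl.Enabled)  VHDLocations: $($fsl.VHDLocations -join '; ')"
    if ($fsl.Enabled -ne 1 -or -not ($fsl.VHDLocations -like "*$fqdn*")) {
        Write-Warning "FSLogix is disabled or VHDLocations does not reference $sharePath."
    }
}

# 5. Most recent FSLogix errors explain why a user got a temporary profile
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-FSLogix-Apps/Operational'; Level = 2 } -MaxEvents 5 -ErrorAction SilentlyContinue |
    Format-Table TimeCreated, Id, Message -AutoSize -Wrap
```

Run the script in the context of the user who received the temporary profile where possible: step 3 tests that user's share permissions, and a pass as an administrator does not prove the user's RBAC assignment is in place.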

Poor performance

Symptom: Sessions respond slowly

Solutions:

  • Check session host VM size is adequate
  • Verify Premium SSD disks are used
  • Review host pool load balancing settings
  • Check max sessions per host configuration
  • Monitor network latency in Azure Virtual Desktop Insights

Clean up resources

To avoid ongoing charges, delete resources when no longer needed:

Delete in order

  1. Remove user assignments from application groups
  2. Delete application groups
  3. Delete workspace
  4. Delete host pool (stops/deletes session hosts)
  5. Delete storage account
  6. Delete disk encryption set
  7. Delete Key Vault key
  8. Delete managed identity
  9. Delete workload resource groups

Using Azure CLI

# Delete resource group (deletes all contained resources)
az group delete --name rg-avd-workload --yes --no-wait
az group delete --name rg-avd-infrastructure --yes --no-wait

Warning

Deleting resources is permanent and can't be undone.

Next steps

With Azure Virtual Desktop deployed, you can now deploy Azure Kubernetes Service workloads.

Tutorial 2-4: Deploy Azure Kubernetes Service workload