Deploy Azure Virtual Desktop

Important

The following features are currently in preview:

  • Azure Virtual Desktop on Azure Stack HCI for Azure Government and for Azure operated by 21Vianet (Azure in China).
  • Azure Virtual Desktop on Azure Extended Zones.

For legal terms that apply to Azure features that are in beta, in preview, or otherwise not yet released into general availability, see Supplemental Terms of Use for Microsoft Azure Previews.

This article shows you how to deploy Azure Virtual Desktop on Azure or Azure Stack HCI by using the Azure portal, the Azure CLI, or Azure PowerShell. To deploy Azure Virtual Desktop, you:

  • Create a host pool.
  • Create a workspace.
  • Create an application group.
  • Create session host virtual machines (VMs).
  • Enable diagnostic settings (optional).
  • Assign users or groups to the application group for users to get access to desktops and applications.

You can do all these tasks in a single process when using the Azure portal, but you can also do them separately.

For more information on the terminology used in this article, see Azure Virtual Desktop terminology. For more information about the Azure Virtual Desktop service, see Azure Virtual Desktop service architecture and resilience.

Tip

The process covered in this article is an in-depth and adaptable approach to deploying Azure Virtual Desktop. If you want to try Azure Virtual Desktop with a simpler approach to deploy a sample Windows 11 desktop, see Tutorial: Deploy a sample Azure Virtual Desktop infrastructure with a Windows 11 desktop or use the quickstart.

Prerequisites

For a general idea of what's required and supported, such as operating systems (OSs), virtual networks, and identity providers, review Prerequisites for Azure Virtual Desktop. That article also includes a list of the supported Azure regions in which you can deploy host pools, workspaces, and application groups. This list of regions is where the metadata for the host pool can be stored. However, session hosts can be located in any Azure region and on-premises with Azure Stack HCI. For more information about the types of data and locations, see Data locations for Azure Virtual Desktop.

For more prerequisites, including role-based access control (RBAC) roles, select the relevant tab for your scenario.

Create a host pool

To create a host pool, select the relevant tab for your scenario and follow the steps.

Here's how to create a host pool by using the Azure portal:

  1. Sign in to the Azure portal.

  2. On the search bar, enter Azure Virtual Desktop and select the matching service entry.

  3. Select Host pools, and then select Create.

  4. On the Basics tab, complete the following information:

    Parameter | Value/Description
    Subscription | In the dropdown list, select the subscription where you want to create the host pool.
    Resource group | Select an existing resource group, or select Create new and enter a name.
    Host pool name | Enter a name for the host pool, such as hp01.
    Location | Select the Azure region where you want to create your host pool.
    Validation environment | Select Yes to create a host pool that's used as a validation environment. Select No (default) to create a host pool that isn't used as a validation environment.
    Preferred app group type | Select the preferred application group type for this host pool: Desktop or RemoteApp. A desktop application group is created automatically when you use the Azure portal.
    Host pool type | Select whether you want your host pool to be Personal or Pooled. If you select Personal, a new option appears for Assignment type. Select either Automatic or Direct. If you select Pooled, two new options appear for Load balancing algorithm and Max session limit. For Load balancing algorithm, choose either breadth-first or depth-first, based on your usage pattern. For Max session limit, enter the maximum number of users that you want load-balanced to a single session host. For more information, see Host pool load-balancing algorithms.

    Tip

    After you complete this tab, you can continue to optionally create session hosts, create a workspace, register the default desktop application group from this host pool, and enable diagnostic settings by selecting Next: Virtual Machines. Alternatively, if you want to create and configure these resources separately, select Next: Review + create and go to step 9.

  5. Optional: On the Virtual machines tab, if you want to add session hosts, expand one of the following sections and complete the information, depending on whether you want to create session hosts on Azure or on Azure Stack HCI. For guidance on sizing session host virtual machines, see Session host virtual machine sizing guidelines.

    To add session hosts on Azure, expand this section.
    Parameter | Value/Description
    Add virtual machines | Select Yes. This action shows several new options.
    Resource group | This value defaults to the resource group that you chose to contain your host pool on the Basics tab, but you can select an alternative.
    Name prefix | Enter a name prefix for your session hosts, such as hp01-sh. Each session host has a suffix of a hyphen and then a sequential number added to the end, such as hp01-sh-0. This name prefix can be a maximum of 11 characters and is used in the computer name in the operating system. The prefix and the suffix combined can be a maximum of 15 characters. Session host names must be unique.
    Virtual machine type | Select Azure virtual machine.
    Virtual machine location | Select the Azure region where you want to deploy your session hosts. This value must be the same region that contains your virtual network.
    Availability options | Select from availability zones, availability set, or No infrastructure redundancy required. If you select availability zones or availability set, complete the extra parameters that appear.
    Security type | Select from Standard, Trusted launch virtual machines, or Confidential virtual machines. If you select Trusted launch virtual machines, options for secure boot and vTPM are automatically selected. If you select Confidential virtual machines, options for secure boot, vTPM, and integrity monitoring are automatically selected. You can't opt out of vTPM when using a confidential VM.
    Image | Select the OS image that you want to use from the list, or select See all images to see more. The full list includes any images that you created and stored as an Azure Compute Gallery shared image or a managed image.
    Virtual machine size | Select a size. If you want to use a different size, select Change size, and then select from the list.
    Hibernate | Select the box to enable hibernation. Hibernation is available only for personal host pools. For more information, see Hibernation in virtual machines. If you're using Microsoft Teams media optimizations, you should update the WebRTC redirector service to 1.45.2310.13001. FSLogix and app attach currently don't support hibernation. Don't enable hibernation if you're using FSLogix or app attach for your personal host pools.
    Number of VMs | Enter the number of virtual machines that you want to deploy. You can deploy up to 400 session hosts at this point if you want (depending on your subscription quota), or you can add more later. For more information, see Azure Virtual Desktop service limits and Virtual Machines limits.
    OS disk type | Select the disk type to use for your session hosts. We recommend that you use only Premium SSD for production workloads.
    OS disk size | Select a size for the OS disk. If you enable hibernation, ensure that the OS disk is large enough to store the contents of the memory in addition to the OS and other applications.
    Confidential computing encryption | If you're using a confidential VM, you must select the Confidential compute encryption checkbox to enable OS disk encryption. This checkbox appears only if you selected Confidential virtual machines as your security type.
    Boot Diagnostics | Select whether you want to enable boot diagnostics.
    Network and security
    Virtual network | Select your virtual network. An option to select a subnet appears.
    Subnet | Select a subnet from your virtual network.
    Network security group | Select whether you want to use a network security group (NSG). None doesn't create a new NSG. Basic creates a new NSG for the VM network adapter. Advanced enables you to select an existing NSG. We recommend that you don't create an NSG here, but create an NSG on the subnet instead.
    Public inbound ports | You can select a port to allow from the list. Azure Virtual Desktop doesn't require public inbound ports, so we recommend that you select No.
    Domain to join
    Select which directory you would like to join | Select from Microsoft Entra ID or Active Directory, and complete the relevant parameters for the selected option.
    Virtual Machine Administrator account
    Username | Enter a name to use as the local administrator account for the new session hosts.
    Password | Enter a password for the local administrator account.
    Confirm password | Reenter the password.
    Custom configuration
    Custom configuration script URL | If you want to run a PowerShell script during deployment, you can enter the URL here.
    To add session hosts on Azure Stack HCI, expand this section.
    Parameter | Value/Description
    Add virtual machines | Select Yes. This action shows several new options.
    Resource group | This value defaults to the resource group that you chose to contain your host pool on the Basics tab, but you can select an alternative.
    Name prefix | Enter a name prefix for your session hosts, such as hp01-sh. Each session host has a suffix of a hyphen and then a sequential number added to the end, such as hp01-sh-0. This name prefix can be a maximum of 11 characters and is used in the computer name in the operating system. The prefix and the suffix combined can be a maximum of 15 characters. Session host names must be unique.
    Virtual machine type | Select Azure Stack HCI virtual machine.
    Custom location | In the dropdown list, select the Azure Stack HCI cluster where you want to deploy your session hosts.
    Images | Select the OS image that you want to use from the list, or select Manage VM images to manage the images available on the cluster that you selected.
    Number of VMs | Enter the number of virtual machines that you want to deploy. You can add more later.
    Virtual processor count | Enter the number of virtual processors that you want to assign to each session host. This value isn't validated against the resources available in the cluster.
    Memory type | Select Static for a fixed memory allocation, or select Dynamic for a dynamic memory allocation.
    Memory (GB) | Enter a number for the amount of memory, in gigabytes, that you want to assign to each session host. This value isn't validated against the resources available in the cluster.
    Maximum memory | If you selected dynamic memory allocation, enter a number for the maximum amount of memory, in gigabytes, that you want your session host to be able to use.
    Minimum memory | If you selected dynamic memory allocation, enter a number for the minimum amount of memory, in gigabytes, that you want your session host to be able to use.
    Network and security
    Network dropdown | Select an existing network to connect each session to.
    Domain to join
    Select which directory you would like to join | Active Directory is the only available option. This includes using Microsoft Entra hybrid join.
    AD domain join UPN | Enter the user principal name (UPN) of an Active Directory user who has permission to join the session hosts to your domain.
    Password | Enter the password for the Active Directory user.
    Specify domain or unit | Select yes if you want to join session hosts to a specific domain or be placed in a specific organizational unit (OU). If you select no, the suffix of the UPN is used as the domain.
    Virtual Machine Administrator account
    Username | Enter a name to use as the local administrator account for the new session hosts.
    Password | Enter a password for the local administrator account.
    Confirm password | Reenter the password.
    To add session hosts on Azure Extended Zones, expand this section.
    Parameter | Value/Description
    Add virtual machines | Select Yes. This action shows several new options.
    Resource group | This value defaults to the resource group that you chose to contain your host pool on the Basics tab, but you can select an alternative.
    Name prefix | Enter a name prefix for your session hosts, such as hp01-sh. Each session host has a suffix of a hyphen and then a sequential number added to the end, such as hp01-sh-0. This name prefix can be a maximum of 11 characters and is used in the computer name in the operating system. The prefix and the suffix combined can be a maximum of 15 characters. Session host names must be unique.
    Virtual machine type | Select Azure virtual machine.
    Virtual machine location | Select the Azure region where you want to deploy your session hosts. This value must be the same region that contains your virtual network. Then select Deploy to an Azure Extended Zone.
    Azure Extended Zones
    Azure Extended Zone | Select Los Angeles.
    Place the session host(s) behind an existing load balancing solution? | Select the box. This action shows options for selecting a load balancer and a back-end pool.
    Select a load balancer | Select an existing load balancer on the virtual network where you're deploying the session hosts.
    Select a backend pool | Select a back-end pool on the load balancer where you want to place the session hosts.
    Availability options | Select from availability zones, availability set, or No infrastructure redundancy required. If you select availability zones or availability set, complete the extra parameters that appear.
    Security type | Select from Standard, Trusted launch virtual machines, or Confidential virtual machines. If you select Trusted launch virtual machines, options for secure boot and vTPM are automatically selected. If you select Confidential virtual machines, options for secure boot, vTPM, and integrity monitoring are automatically selected. You can't opt out of vTPM when using a confidential VM.

    After you complete this tab, select Next: Workspace.

  6. Optional: On the Workspace tab, if you want to create a workspace and register the default desktop application group from this host pool, complete the following information:

    Parameter | Value/Description
    Register desktop app group | Select Yes. This action registers the default desktop application group to the selected workspace.
    To this workspace | Select an existing workspace from the list, or select Create new and enter a name, such as ws01.

    After you complete this tab, select Next: Advanced.

  7. Optional: On the Advanced tab, if you want to enable diagnostic settings, complete the following information:

    Parameter | Value/Description
    Enable diagnostics settings | Select the box.
    Choosing destination details to send logs to | Select one of the following destinations: Send to a Log Analytics workspace; Archive to a storage account; Stream to an event hub.

    After you complete this tab, select Next: Tags.

  8. Optional: On the Tags tab, you can enter any name/value pairs that you need, and then select Next: Review + create.

  9. On the Review + create tab, ensure that validation passes and review the information that will be used during deployment.

  10. Select Create to create the host pool.

  11. Select Go to resource to go to the overview of your new host pool, and then select Properties to view its properties.

Post-deployment tasks

If you also added session hosts to your host pool, you need to do some extra configuration, as described in the following sections.

Licensing

To ensure that your session hosts have licenses applied correctly, you need to do the following tasks:

  • If you have the correct licenses to run Azure Virtual Desktop workloads, you can apply a Windows or Windows Server license to your session hosts as part of Azure Virtual Desktop and run them without paying for a separate license. This license is automatically applied when you create session hosts by using the Azure Virtual Desktop service, but you might have to apply the license separately if you create session hosts outside Azure Virtual Desktop. For more information, see Apply a Windows license to session host virtual machines.

  • If your session hosts are running a Windows Server OS, you also need to issue them a Remote Desktop Services (RDS) client access license (CAL) from an RDS license server. For more information, see License your RDS deployment with client access licenses.

  • For session hosts on Azure Stack HCI, you must license and activate the virtual machines before you use them with Azure Virtual Desktop. For activating VMs that use Windows 10 Enterprise multi-session, Windows 11 Enterprise multi-session, and Windows Server 2022 Datacenter: Azure Edition, use Azure verification for VMs. For all other OS images (such as Windows 10 Enterprise, Windows 11 Enterprise, and other editions of Windows Server), you should continue to use existing activation methods. For more information, see Activate Windows Server VMs on Azure Stack HCI.

Microsoft Entra joined session hosts

For session hosts on Azure that are joined to Microsoft Entra ID, you also need to enable single sign-on or earlier authentication protocols, assign an RBAC role to users, and review your multifactor authentication policies so that users can sign in to the VMs. For more information, see Microsoft Entra joined session hosts.

Note

  • If you created a host pool and a workspace, and you registered the default desktop application group from this host pool in the same process, go to the section Assign users to an application group and complete the rest of the article. A desktop application group (whichever application group type you set as preferred) is created automatically when you use the Azure portal.

  • If you created a host pool and workspace in the same process, but you didn't register the default desktop application group from this host pool, go to the section Create an application group and complete the rest of the article.

  • If you didn't create a workspace, continue to the next section and complete the rest of the article.

Create a workspace

Next, to create a workspace, select the relevant tab for your scenario and follow the steps.

Here's how to create a workspace by using the Azure portal:

  1. On the Azure Virtual Desktop overview, select Workspaces, and then select Create.

  2. On the Basics tab, complete the following information:

    Parameter | Value/Description
    Subscription | In the dropdown list, select the subscription where you want to create the workspace.
    Resource group | Select an existing resource group, or select Create new and enter a name.
    Workspace name | Enter a name for the workspace, such as workspace01.
    Friendly name | Optional: Enter a display name for the workspace.
    Description | Optional: Enter a description for the workspace.
    Location | Select the Azure region where you want to deploy your workspace.

    Tip

    After you complete this tab, you can continue to optionally register an existing application group to this workspace, if you have one, and enable diagnostic settings by selecting Next: Application groups. Alternatively, if you want to create and configure these resources separately, select Review + create and go to step 9.

  3. Optional: On the Application groups tab, if you want to register an existing application group to this workspace, complete the following information:

    Parameter | Value/Description
    Register application groups | Select Yes, and then select + Register application groups. On the new pane that opens, select the Add icon for the application groups that you want to add, and then choose Select.

    After you complete this tab, select Next: Advanced.

  4. Optional: On the Advanced tab, if you want to enable diagnostic settings, complete the following information:

    Parameter | Value/Description
    Enable diagnostics settings | Select the box.
    Choosing destination details to send logs to | Select one of the following destinations: Send to a Log Analytics workspace; Archive to a storage account; Stream to an event hub.

    After you complete this tab, select Next: Tags.

  5. Optional: On the Tags tab, you can enter any name/value pairs that you need, and then select Next: Review + create.

  6. On the Review + create tab, ensure that validation passes and review the information that will be used during deployment.

  7. Select Create to create the workspace.

  8. Select Go to resource to go to the overview of your new workspace, and then select Properties to view its properties.

Note

  • If you added an application group to this workspace, go to the section Assign users to an application group and complete the rest of the article.

  • If you didn't add an application group to this workspace, continue to the next section and complete the rest of the article.

Create an application group

To create an application group, select the relevant tab for your scenario and follow the steps.

Here's how to create an application group by using the Azure portal:

  1. On the Azure Virtual Desktop overview, select Application groups, and then select Create.

  2. On the Basics tab, complete the following information:

    Parameter | Value/Description
    Subscription | In the dropdown list, select the subscription where you want to create the application group.
    Resource group | Select an existing resource group, or select Create new and enter a name.
    Host pool | Select the host pool for the application group.
    Location | Metadata is stored in the same location as the host pool.
    Application group type | Select the application group type for the host pool: Desktop or RemoteApp.
    Application group name | Enter a name for the application group, such as Session Desktop.

    Tip

    After you complete this tab, select Next: Review + create. You don't need to complete the other tabs to create an application group, but you need to create a workspace, add an application group to a workspace, and assign users to the application group before users can access the resources.

    If you created an application group for RemoteApp, you also need to add applications to it. For more information, see Publish applications.

  3. Optional: If you chose to create a RemoteApp application group, you can add applications to this group. On the Application groups tab, select + Add applications, and then select an application. For more information on the application parameters, see Publish applications with RemoteApp. At least one session host in the host pool must be turned on and available in Azure Virtual Desktop.

    After you complete this tab, or if you're creating a desktop application group, select Next: Assignments.

  4. Optional: On the Assignments tab, if you want to assign users or groups to this application group, select + Add Microsoft Entra users or user groups. On the new pane that opens, select the box next to the users or groups that you want to add, and then choose Select.

    After you complete this tab, select Next: Workspace.

  5. Optional: On the Workspace tab, if you're creating a desktop application group, you can register the default desktop application group from the host pool that you selected by completing the following information:

    Parameter | Value/Description
    Register application group | Select Yes. This action registers the default desktop application group to the selected workspace.
    Register application group | Select an existing workspace from the list.

    After you complete this tab, select Next: Advanced.

  6. Optional: If you want to enable diagnostic settings, on the Advanced tab, complete the following information:

    Parameter | Value/Description
    Enable diagnostics settings | Select the box.
    Choosing destination details to send logs to | Select one of the following destinations: Send to a Log Analytics workspace; Archive to a storage account; Stream to an event hub.

    After you complete this tab, select Next: Tags.

  7. Optional: On the Tags tab, you can enter any name/value pairs that you need, and then select Next: Review + create.

  8. On the Review + create tab, ensure that validation passes and review the information that will be used during deployment.

  9. Select Create to create the application group.

  10. Select Go to resource to go to the overview of your new application group, and then select Properties to view its properties.

Note

  • If you created a desktop application group, assigned users or groups, and registered the default desktop application group to a workspace, your assigned users can connect to the desktop and you don't need to complete the rest of the article.

  • If you created a RemoteApp application group, added applications, and assigned users or groups, go to the section Add an application group to a workspace and complete the rest of the article.

  • If you didn't add applications, assign users or groups, or register the application group to a workspace, continue to the next section and complete the rest of the article.

Add an application group to a workspace

Next, to add an application group to a workspace, select the relevant tab for your scenario and follow the steps.

Here's how to add an application group to a workspace by using the Azure portal:

  1. On the Azure Virtual Desktop overview, select Workspaces, and then select the name of the workspace to which you want to assign an application group.

  2. On the workspace overview, select Application groups, and then select + Add.

  3. In the list, select the plus icon (+) next to an application group. Only application groups that aren't already assigned to a workspace are listed.

  4. Choose Select. The application group is added to the workspace.

Assign users to an application group

Finally, to assign users or user groups to an application group, select the relevant tab for your scenario and follow the steps. We recommend that you assign user groups to application groups to make ongoing management simpler.

Here's how to assign users or user groups to an application group by using the Azure portal:

  1. On the Azure Virtual Desktop overview, select Application groups.

  2. Select the application group from the list.

  3. On the application group overview, select Assignments.

  4. Select + Add, and then search for and select the user account or user group that you want to assign to this application group.

  5. Finish by choosing Select.
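The portal steps above for the host pool, workspace, application group, workspace registration, group assignment and diagnostic settings, written as one Azure PowerShell script. This is an added example, not code from the original article; it does not create session hosts, and the resource names, region, session limit and Microsoft Entra group name are assumed sample values.

```powershell
#Requires -Modules Az.Accounts, Az.Resources, Az.DesktopVirtualization, Az.Monitor
# Added example (not from the original article). Assumes Connect-AzAccount has
# already been run and the target subscription is selected.
$ErrorActionPreference = 'Stop'

# Assumed sample values; replace them with your own.
$rg            = 'rg-avd-example'
$location      = 'eastus'             # must be a region that supports AVD metadata
$hostPoolName  = 'hp01'
$workspaceName = 'ws01'
$appGroupName  = 'hp01-desktop'
$entraGroup    = 'AVD-Desktop-Users'  # existing Microsoft Entra group (hypothetical name)
$role          = 'Desktop Virtualization User'
$lawId         = ''   # optional: resource ID of a Log Analytics workspace; empty skips diagnostics

New-AzResourceGroup -Name $rg -Location $location -Force | Out-Null

# Host pool: pooled, breadth-first, desktop as the preferred app group type.
$hpParams = @{
    ResourceGroupName     = $rg
    Name                  = $hostPoolName
    Location              = $location
    HostPoolType          = 'Pooled'
    LoadBalancerType      = 'BreadthFirst'
    PreferredAppGroupType = 'Desktop'
    MaxSessionLimit       = 10
}
$hp = New-AzWvdHostPool @hpParams

# Workspace, then a desktop application group bound to the host pool.
$ws = New-AzWvdWorkspace -ResourceGroupName $rg -Name $workspaceName -Location $location
$ag = New-AzWvdApplicationGroup -ResourceGroupName $rg -Name $appGroupName `
    -Location $location -HostPoolArmPath $hp.Id -ApplicationGroupType Desktop

# Add the application group to the workspace.
Register-AzWvdApplicationGroup -ResourceGroupName $rg -WorkspaceName $workspaceName `
    -ApplicationGroupPath $ag.Id | Out-Null

# Assign a group (not individual users), scoped to this application group only.
$group = @(Get-AzADGroup -DisplayName $entraGroup)
if ($group.Count -ne 1) {
    throw "Expected exactly one Microsoft Entra group named '$entraGroup', found $($group.Count)."
}
$existing = Get-AzRoleAssignment -ObjectId $group[0].Id -Scope $ag.Id |
    Where-Object RoleDefinitionName -eq $role
if (-not $existing) {
    # New-AzRoleAssignment fails if the assignment already exists, so check first.
    New-AzRoleAssignment -ObjectId $group[0].Id -RoleDefinitionName $role -Scope $ag.Id | Out-Null
}

# Optional: send logs from all three resources to Log Analytics.
# The allLogs category group is assumed to be available for these resource types.
if ($lawId) {
    $logs = New-AzDiagnosticSettingLogSettingsObject -Enabled $true -CategoryGroup allLogs
    foreach ($resourceId in $hp.Id, $ws.Id, $ag.Id) {
        New-AzDiagnosticSetting -Name 'avd-diagnostics' -ResourceId $resourceId `
            -WorkspaceId $lawId -Log $logs | Out-Null
    }
}

# Read the state back instead of trusting the calls above.
$check = Get-AzWvdApplicationGroup -ResourceGroupName $rg -Name $appGroupName
[pscustomobject]@{
    HostPool     = $hp.Name
    Workspace    = $ws.Name
    AppGroup     = $check.Name
    RegisteredTo = $check.WorkspaceArmPath
    AssignedTo   = (Get-AzRoleAssignment -ObjectId $group[0].Id -Scope $ag.Id |
        Where-Object RoleDefinitionName -eq $role).DisplayName
    Diagnostics  = [bool]$lawId
}
```

An empty RegisteredTo or AssignedTo value in the output means the registration or the role assignment did not take effect and users will not see the desktop.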

After you deploy Azure Virtual Desktop, your users can connect from several platforms, including a web browser. For more information, see Remote Desktop clients for Azure Virtual Desktop and Connect to Azure Virtual Desktop with the Remote Desktop Web client.

Here are some extra tasks that you might want to do: