Using Azure Virtual Desktop with Intune
Azure Virtual Desktop is a desktop and app virtualization service that runs on Microsoft Azure. It lets end users connect securely to a full desktop from any device. With Microsoft Intune, you can secure and manage your Azure Virtual Desktop VMs with policy and apps at scale, after they're enrolled.
Currently, for single-session, Intune supports Azure Virtual Desktop VMs that are:
- Running Windows 10 Enterprise, version 1809 or later, or running Windows 11.
- Set up as personal remote desktops in Azure.
- Microsoft Entra hybrid joined and enrolled in Intune in one of the following methods:
- Microsoft Entra joined and enrolled in Intune by enabling Enroll the VM with Intune in the Azure portal.
- Under the same tenant as Intune
For more information on Azure Virtual Desktop licensing requirements, see What is Azure Virtual Desktop?.
For information about working with multi-session remote desktops, see Windows 10 or Windows 11 Enterprise multi-session remote desktops.
Intune treats Azure Virtual Desktop personal VMs the same as Windows 10 or Windows 11 Enterprise physical desktops. This treatment lets you use some of your existing configurations and secure the VMs with compliance policy and conditional access. Intune management doesn't depend on or interfere with Azure Virtual Desktop management of the same virtual machine.
There are some limitations to keep in mind when managing Windows 10 Enterprise remote desktops:
All VM limitations listed in Using Windows 10 virtual machines also apply to Azure Virtual Desktop VMs.
Also, the following profiles aren't currently supported:
Make sure that the RemoteDesktopServices/AllowUsersToConnectRemotely policy isn't disabled.
Configuration and compliance policies for Secure Boot and features leveraging vTPM (Virtual Trusted Platform Module) are not supported at this time for Azure Virtual Desktop VMs.
The following Windows 10 desktop device remote actions aren't supported/recommended for Azure Virtual Desktop VMs:
- Autopilot reset
- BitLocker key rotation
- Fresh Start
- Remote lock
- Reset password
Deleting VMs from Azure leaves orphaned device records in Intune. They'll be automatically cleaned up according to the cleanup rules configured for the tenant.
The following table provides a set of known issues along with more information about each issue.
|Cannot auto-enroll if tenant has more than one MDM provider
|This issue will be fixed in the future.
|Modern apps, such as Universal Windows Platform (UWP) apps, are not working correctly if FSLogix is configured
|Using FSLogix and Modern apps could cause compatibility issues. We recommend that you don’t configure Modern apps when FSLogix is configured.