Windows 10 or Windows 11 Enterprise multi-session remote desktops
Azure Virtual Desktop multi-session with Microsoft Intune is now generally available.
You can now use Microsoft Intune to manage Windows 10 or Windows 11 Enterprise multi-session remote desktops in the Microsoft Endpoint Manager admin center just as you can manage a shared Windows 10 or Windows 11 client device. When managing such virtual machines (VMs), you'll be able to use both device-based configuration targeted to devices or user-based configuration targeted to users.
Windows 10 or Windows 11 Enterprise multi-session is a new Remote Desktop Session Host exclusive to Azure Virtual Desktop on Azure. It provides the following benefits:
- Allows multiple concurrent user sessions.
- Gives users a familiar Windows 10 or Windows 11 experience.
- Supports use of existing per-user Microsoft 365 licensing.
You can manage Windows 10 and Windows 11 Enterprise multi-session VMs created in Azure Government Cloud in US Government Community (GCC), GCC High, and DoD.
Microsoft Intune support for Azure Virtual Desktop multi-session is not currently available for Citrix DaaS and VMware Horizon Cloud.
Device configuration support in Microsoft Intune for Windows 10 or Windows 11 Enterprise multi-session is generally available (GA). This means policies defined in the OS scope and apps configured to install in the system context can be applied to Azure Virtual Desktop multi-session VMs when assigned to device groups.
Device-based configuration cannot be assigned to users and user-based configuration cannot be assigned to devices. It will be reported as Error or Not applicable.
User configuration support in Microsoft Intune for Windows 11 multi-session VMs is generally available. With this you are able to:
Configure user scope policies using Settings catalog and assign to groups of users. You can use the search bar to search all configurations with scope set to "user".
Configure user certificates and assign to users.
Configure PowerShell scripts to install in the user context and assign to users.
User configuration support for Windows 10 multi-session builds will be available in the future.
This feature supports Windows 10 or Windows 11 Enterprise multi-session VMs, which are:
- Running Windows 10 multi-session, version 1903 or later, or running Windows 11 multi-session.
- Set up as remote desktops in pooled host pools that have been deployed through Azure Resource Manager.
- Running an Azure Virtual Desktop agent version of 1.0.2944.1400 or later.
- Hybrid Azure AD-joined and enrolled in Microsoft Intune using one of the following methods:
- Azure AD-joined and enrolled in Microsoft Intune by enabling Enroll the VM with Intune in the Azure portal.
- Licensing: The appropriate Azure Virtual Desktop and Microsoft Intune license is required if a user or device benefits directly or indirectly from the Microsoft Intune service, including access to the Microsoft Intune service through a Microsoft API. For more information, go to Microsoft Intune licensing.
If you're joining session hosts to Azure Active Directory Domain Services, you can't manage them using Intune.
If you’re using Windows 10, versions 2004, 20H2, or 21H1 builds, make sure that you install the July 2021 Windows Update or a later Windows update. Otherwise, remote actions in the Microsoft Endpoint Manager admin center, like remote sync, won’t work correctly. As a result, pending policies assigned to devices might take up to 8 hours to be applied.
See What is Azure Virtual Desktop? for more information about Azure Virtual Desktop licensing requirements.
Windows 10 or Windows 11 Enterprise multi-session VMs are treated as a separate OS edition and some Windows 10 or Windows 11 Enterprise configurations won’t be supported for this edition. Using Microsoft Intune doesn't depend on or interfere with Azure Virtual Desktop management of the same VM.
Create the configuration profile
To configure configuration policies for Windows 10 or Windows 11 Enterprise multi-session VMs, you'll need to use the Settings catalog in the Microsoft Endpoint Manager admin center.
The existing device configuration profile templates aren't supported for Windows 10 or Windows 11 Enterprise multi-session VMs, except for the following templates:
- Trusted certificate - Device (machine) when targeting devices and User when targeting users
- SCEP certificate - Device (machine) when targeting devices and User when targeting users
- PKCS certificate - Device (machine) when targeting devices and User when targeting users
- VPN - Device Tunnel only
Microsoft Intune won't deliver unsupported templates to multi-session devices, and those policies appear as Not applicable in reports.
If you use co-management for Intune and Configuration Manager, in Configuration Manager, set the workload slider for Resource Access Policies to Intune or Pilot Intune. This setting allows Windows 10 and Windows 11 clients to start the process of requesting the certificate.
To configure policies
- Sign in to the Microsoft Endpoint Manager admin center and choose Devices > Windows > Configuration profiles > Create Profile.
- For Platform, select Windows 10 and later.
- For Profile type, select Settings catalog, or when deploy settings by using a Template, select Templates and then the name of the supported Template.
- Select Create.
- On the Basics page, provide a Name and (optionally) Description > Next.
- On the Configuration settings page, select Add settings.
- Under Settings picker, select Add filter and select the following options:
- Key: OS edition
- Operator: ==
- Value: Enterprise multi-session
- Select Apply. The filtered list now shows all configuration profile categories that support Windows 10 or Windows 11 Enterprise multi-session. The scope for a policy is shown in parantheses. For user scope it shows as (User) and all the rest are policies with device scope.
- From the filtered list, pick the categories that you want.
- For each category you pick, select the settings that you want to apply to your new configuration profile.
- For each setting, select the value that you want for this configuration profile.
- Select Next when you’re done adding settings.
- On the Assignments page, choose the Azure AD groups containing the devices to which you want this profile assigned > Next.
- On the Scope tags page, optionally add the scope tags you want to apply to this profile > Next. For more information about scope tags, see Use role-based access control and scope tags for distributed IT.
- On the Review + create page, choose Create to create the profile.
Windows 10 or Windows 11 Administrative Templates are supported for Windows 10 or Windows 11 Enterprise multi-session via the Settings catalog with some limitations:
- ADMX-backed policies are supported. Some policies aren't yet available in the Settings catalog.
- ADMX-ingested policies are supported, including Office and Microsoft Edge settings available in Office administrative template files and Microsoft Edge administrative template files. For a complete list of ADMX-ingested policy categories, see Win32 and Desktop Bridge app policy configuration. Some ADMX ingested settings won't be applicable to Windows 10 or Windows 11 Enterprise multi-session.
- ADMX-ingested policies are supported for user targeting only on Windows 11 at this time.
Compliance and Conditional access
You can secure your Windows 10 or Windows 11 Enterprise multi-session VMs by configuring compliance policies and Conditional Access policies in the Microsoft Endpoint Manager admin center. The following compliance policies are supported on Windows 10 or Windows 11 Enterprise multi-session VMs:
- Minimum OS version
- Maximum OS version
- Valid operating system builds
- Simple passwords
- Password type
- Minimum password length
- Password Complexity
- Password expiration (days)
- Number of previous passwords to prevent reuse
- Microsoft Defender Antimalware
- Microsoft Defender Antimalware security intelligence up-to-date
- Real-time protection
- Microsoft Defender Antimalware minimum version
- Defender ATP Risk score
All other policies report as Not applicable.
You’ll need to create a new compliance policy and target it to the device group containing your multi-session VMs. User-targeted compliance configurations aren’t supported.
Conditional Access policies support both user and device based configurations for Windows 10 or Windows 11 Enterprise multi-session.
Conditional Access for Exchange on-premises isn't supported for Windows 10 or Windows 11 Enterprise multi-session VMs.
Configuration and compliance policies for BitLocker, Secure Boot, and features leveraging vTPM (Virtual Trusted Platform Module) are not supported at this time for Azure Virtual Desktop VMs.
You can configure profiles under Endpoint security for multi-session VMs by selecting Platform Windows 10, Windows 11, and Windows Server. If that Platform is not available, the profile is not supported on multi-session VMs.
For more information, see Manage device security with endpoint security policies in Microsoft Intune
Tamper protection is not supported on Azure Virtual Desktop VMs today. This functionality will be enabled in a future release.
All Windows 10 or Windows 11 apps can be deployed to Windows 10 or Windows 11 Enterprise multi-session with the following restrictions:
- All apps must be configured to install in the system/device context and be targeted to devices. Web apps are always applied in the user context by default so they won't apply to multi-session VMs.
- All apps must be configured with Required or Uninstall app assignment intent. The Available apps deployment intent isn't supported on multi-session VMs.
- If a Win32 app configured to install in the system context has dependencies or supersedence relationship on any apps configured to install in the user context, the app won't be installed. To apply to a Windows 10 or Windows 11 Enterprise multi-session VM, create a separate instance of the system context app or make sure all app dependencies are configured to install in the system context.
- Azure Virtual Desktop RemoteApp and MSIX app attach aren't currently supported in Microsoft Intune.
Scripts configured to run in the system context and assigned to devices are supported on Windows 10 or Windows 11 Enterprise multi-session. This can be configured under Script settings by setting Run this script using the logged on credentials to No.
Scripts configured to run in the user context and assigned to users are supported on Windows 11 Enterprise multi-session. This can be configured under Script settings by setting Run this script using the logged on credentials to Yes.
Windows Update for Business
You can use the settings catalog to manage Windows Update settings for quality (security) updates for Windows 10 or Windows 11 Enterprise multi-session VMs. To find the supported settings in the catalog, configure a settings filter for Enterprise multi-session and then expand the Windows Update for Business category.
The following settings are available in the catalog, with the links opening the Windows CSP documentation:
- Active Hours End
- Active Hours Max Range
- Active Hours Start
- Block "Pause Updates" ability
- Configure Deadline Grace Period
- Defer Quality Updates Period (Days)
- Pause Quality Updates Start Time
- Quality Update Deadline Period (Days)
The following Windows 10 or Windows 11 desktop device remote actions aren't supported and will be grayed out in the UI and disabled in Graph for Windows 10 or Windows 11 Enterprise multi-session VMs:
- Autopilot reset
- BitLocker key rotation
- Fresh Start
- Remote lock
- Reset password
Deleting VMs from Azure will leave orphaned device records in the Microsoft Endpoint Manager admin center. They'll be automatically cleaned up according to the cleanup rules configured for the tenant.
Security baselines aren't available for Windows 10 or Windows 11 Enterprise multi-session at this time. We recommend that you review the Available security baselines and configure the recommended policies and values in the Settings catalog.
Additional configurations that aren't supported on Windows 10 or Windows 11 Enterprise multi-session VMs
Out of Box Experience (OOBE) enrollment isn't supported for Window 10 or Windows 11 Enterprise multi-session. This restriction means that:
- Windows Autopilot and Commercial OOBE aren't supported.
- Enrollment status page isn’t supported.
Windows 10 or Windows 11 Enterprise multi-session managed by Microsoft Intune isn't currently supported for China Sovereign Cloud.
The following sections provide troubleshooting guidance for common issues.
|Enrollment of hybrid Azure AD joined virtual machine fails||
|Enrollment of Azure AD joined virtual machine fails||
|Settings catalog policy fails||Confirm the VM is enrolled using device credentials. Enrollment with user credentials isn't currently supported for Windows 10 or Windows 11 Enterprise multi-session.|
|Configuration policy didn't apply||Templates (except for Certificates) aren't supported on Windows 10 or Windows 11 Enterprise multi-session. All policies must be created via the settings catalog.|
|Configuration policy reports as Not applicable||Some policies aren't applicable to Azure Virtual Desktop VMs.|
|Microsoft Edge/Microsoft Office ADMX policy doesn't show up when I apply the filter for Windows 10 or Windows 11 Enterprise multi-session edition||Applicability for these settings isn't based on the Windows version or edition but on whether those apps have been installed on the device. To add these settings to your policy, you may have to remove any filters applied in the settings picker.|
|App configured to install in system context didn't apply||Confirm the app doesn't have a dependency or supersedence relationship on any apps configured to install in user context. User context apps aren't currently supported on Windows 10 or Windows 11 Enterprise multi-session.|
|Update rings for Windows 10 and later policy didn't apply||Windows Update for Business policies aren't currently supported.|