Enroll Azure Virtual Desktop session hosts in Microsoft Intune

Azure Virtual Desktop session hosts can be managed through Microsoft Intune to provide centralized endpoint management, security configuration, compliance enforcement, application deployment, and update management. Integrating Azure Virtual Desktop with Microsoft Intune enables organizations to apply a consistent management framework across physical devices, Windows 365 Cloud PCs, and Azure-hosted virtual desktops.

This unit explains how Azure Virtual Desktop session hosts integrate with Microsoft Intune, the technical prerequisites for enrollment, supported identity scenarios, and the management capabilities available after enrollment.

Why enroll Azure Virtual Desktop session hosts in Intune?

Azure Virtual Desktop session hosts are Azure virtual machines that deliver desktop and application workloads to users through the Azure Virtual Desktop service. By enrolling session hosts into Microsoft Intune, administrators can use modern endpoint management to apply policies, deploy applications, manage updates, and monitor compliance from a centralized platform.

Managing Azure Virtual Desktop session hosts through Microsoft Intune helps organizations:

  • Apply configuration profiles and security baselines consistently
  • Deploy and update applications using Intune
  • Enforce compliance requirements
  • Manage Windows updates through Windows Update for Business
  • Monitor device health and configuration status
  • Integrate with Microsoft Defender and Conditional Access
  • Support Zero Trust security architectures

Using a unified management platform reduces administrative complexity and helps maintain consistent security and configuration standards across endpoint types.

Note

Azure Virtual Desktop session hosts enrolled in Intune are managed as Windows endpoints. However, Windows Enterprise multi-session hosts have specific support considerations, and not every Intune policy or feature behaves identically to a single-user Windows device.

Understand Azure Virtual Desktop session hosts

Azure Virtual Desktop uses Azure virtual machines known as session hosts to deliver remote desktop and remote application experiences.

A typical Azure Virtual Desktop deployment includes:

Component          Purpose
Host pool          Logical collection of session hosts providing desktop or application resources
Session host       Azure virtual machine that runs user sessions
Application group  Defines the applications or desktops available to users
Workspace          Presents application groups and desktops to end users

Supported operating systems include:

  • Windows 11 Enterprise multi-session
  • Windows 10 Enterprise multi-session (currently supported but Windows 11 Enterprise multi-session is recommended for new deployments)
  • Windows Server 2025, Windows Server 2022, and Windows Server 2019 with Azure Virtual Desktop support

Important

Windows Server session hosts support Azure Virtual Desktop workloads but can't be enrolled in Microsoft Intune MDM. Microsoft Intune supports management of Windows client operating systems, including Windows Enterprise multi-session, but doesn't support MDM enrollment for Windows Server operating systems used as Azure Virtual Desktop session hosts.

Organizations deploying Windows Server–based session hosts should use Microsoft Configuration Manager, Group Policy, or other supported server management solutions to configure, secure, and manage these systems. Planning management and governance requirements for Windows Server session hosts is important in hybrid Azure Virtual Desktop environments where both Intune-managed Windows client session hosts and traditionally managed Windows Server session hosts may coexist.

Because session hosts are Windows-based virtual machines, they can participate in Microsoft Entra ID and Intune management in the same manner as other supported Windows devices.

Microsoft Entra ID and Intune integration

Identity is a foundational component of Azure Virtual Desktop management. Before a session host can be managed by Intune, it must have a valid Microsoft Entra device identity.

Supported deployment models include:

Join type                      Intune management support
Microsoft Entra joined         Supported
Hybrid Microsoft Entra joined  Supported

Microsoft Entra ID provides:

  • Device identity
  • User authentication
  • Conditional Access integration
  • Compliance-based access decisions
  • Single sign-on (SSO) capabilities

Microsoft Intune uses the Microsoft Entra device object to establish management relationships and apply policies to the session host.

Tip

Microsoft Entra joined session hosts are generally recommended for new Azure Virtual Desktop deployments because they simplify management, reduce on-premises dependencies, and align with cloud-native operating models.

Prerequisites for Intune enrollment

Several technical requirements must be met before Azure Virtual Desktop session hosts can be enrolled into Microsoft Intune.

Licensing requirements

Organizations typically require:

  • Microsoft Intune licenses for managed users
  • Microsoft Entra ID licensing appropriate for organizational requirements
  • Azure Virtual Desktop licensing entitlement
  • Eligible Windows licensing for Azure Virtual Desktop access

The exact licensing requirements depend on the organization's Microsoft subscription model and Azure Virtual Desktop deployment architecture.

Administrative permissions

Administrators should have appropriate permissions such as:

  • Intune Administrator
  • Cloud Device Administrator
  • Endpoint Security Manager
  • Global Administrator (when required)

Device and operating system requirements

Supported operating systems include:

  • Windows 11 Enterprise multi-session
  • Windows 10 Enterprise multi-session

Note

Windows Server isn't supported for Intune MDM enrollment. Only Windows 10 Enterprise multi-session and Windows 11 Enterprise multi-session are supported for Intune management.

The operating system must support Microsoft Entra registration and Intune management.

Network and connectivity requirements

Session hosts must be able to communicate with:

  • Microsoft Intune service endpoints
  • Microsoft Entra ID endpoints
  • Azure Virtual Desktop service endpoints
  • Windows Update service endpoints
  • Microsoft Defender service endpoints (if used)

Organizations using firewalls or proxy infrastructure should validate required Microsoft endpoint connectivity before deployment.
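A pre-flight check that covers the operating-system and connectivity prerequisites above, added here as an example and not part of this unit; the endpoint hostnames are an assumption for illustration and the full list should be taken from Microsoft's published endpoint documentation:

```powershell
# Added pre-flight check for a planned Azure Virtual Desktop session host; example code, not from this unit.
# Run in an elevated PowerShell session on the VM. It confirms the OS is an Intune-eligible Windows client
# multi-session SKU and that outbound HTTPS reaches a sample of the required service endpoints.
# The endpoint list is an assumption for illustration; validate the complete list against Microsoft's
# published endpoint documentation for Intune, Microsoft Entra ID, Azure Virtual Desktop, and Windows Update.

$os          = Get-CimInstance -ClassName Win32_OperatingSystem
$installType = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').InstallationType

if ($installType -eq 'Server') {
    # Windows Server can host AVD workloads but can't be enrolled in Intune MDM
    Write-Warning "$($os.Caption) is a Windows Server SKU and is not eligible for Intune MDM enrollment."
}
elseif ($os.Caption -match 'multi-session') {
    Write-Host "OK: $($os.Caption) is a supported Windows Enterprise multi-session SKU."
}
else {
    Write-Host "Note: $($os.Caption) is a single-session client SKU; Intune-eligible but unusual for a host pool."
}

# One representative endpoint per connectivity requirement (assumed for illustration); TCP 443 only
$endpoints = [ordered]@{
    'Microsoft Entra ID'             = 'login.microsoftonline.com'
    'Intune MDM enrollment'          = 'enrollment.manage.microsoft.com'
    'Azure Virtual Desktop (web)'    = 'rdweb.wvd.microsoft.com'
    'Azure Virtual Desktop (broker)' = 'rdbroker.wvd.microsoft.com'
    'Windows Update'                 = 'download.windowsupdate.com'
}

$results = foreach ($area in $endpoints.Keys) {
    $fqdn   = $endpoints[$area]
    $ok     = Test-NetConnection -ComputerName $fqdn -Port 443 -InformationLevel Quiet -WarningAction SilentlyContinue
    $status = if ($ok) { 'reachable' } else { 'BLOCKED' }
    [pscustomobject]@{ Area = $area; Endpoint = $fqdn; Https = $status }
}
$results | Format-Table -AutoSize

$blocked = @($results | Where-Object { $_.Https -eq 'BLOCKED' })
if ($blocked.Count -gt 0) {
    Write-Warning "Fix firewall or proxy rules for $($blocked.Count) endpoint(s) before enabling automatic MDM enrollment."
}
```

A TCP 443 check only proves the path is open; TLS inspection or proxy authentication can still break enrollment, so re-run the enrollment verification after the host is deployed.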

Automatic enrollment into Microsoft Intune

For Microsoft Entra joined and hybrid Microsoft Entra joined deployments, Azure Virtual Desktop session hosts can be enrolled into Intune through automatic MDM enrollment.

A typical enrollment workflow includes:

  1. Deploy the Azure Virtual Desktop session host.
  2. Join the device to Microsoft Entra ID or configure hybrid Microsoft Entra join.
  3. Enable automatic MDM enrollment through Microsoft Entra ID.
  4. Complete device registration with Microsoft Intune.
  5. Receive assigned policies, applications, and configurations.

Automatic enrollment reduces manual administrative effort and ensures newly deployed session hosts are managed consistently from the beginning of their lifecycle.

Note

Automatic enrollment is controlled through Microsoft Entra mobility (MDM and MAM) settings and user scope assignments. Administrators should verify that targeted users are included in the Intune MDM enrollment scope.

Verify Intune enrollment

After deployment, administrators should confirm that the session hosts have successfully enrolled and are receiving management policies.

To verify enrollment:

  1. Open the Microsoft Intune admin center.
  2. Navigate to Devices > Windows.
  3. Locate the Azure Virtual Desktop session host.
  4. Review device details and management status.
  5. Confirm compliance status and policy assignments.

Useful validation areas include:

  • Device inventory
  • Compliance status
  • Configuration profile deployment status
  • Endpoint security policy status
  • Windows Update reporting
  • Endpoint Analytics data (where applicable)

Successful enrollment should result in the device appearing as an Intune-managed Windows endpoint with an active Microsoft Entra device identity.
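The same verification from the session host's side, added as an example and not code from this unit: it reports the join type from the supported-deployment table, whether an Intune MDM enrollment record exists, and the Entra DeviceId to match against the device record in the Intune admin center. Field names follow the output of dsregcmd /status; the registry path is the Windows MDM enrollment store.

```powershell
# Added example, not from this unit: confirm from the session host itself that it has a Microsoft Entra
# device identity and an Intune MDM enrollment, then cross-check the DeviceId in the Intune admin center.
# Run in an elevated PowerShell session. Field names follow the dsregcmd /status output; the registry
# path is the Windows MDM enrollment store, where Intune enrollments carry ProviderID "MS DM Server".

function Get-DsregField {
    param([string[]]$Lines, [string]$Name)
    foreach ($line in $Lines) {
        if ($line -match "^\s*$Name\s*:\s*(.*)$") { return $Matches[1].Trim() }
    }
    return $null
}

$dsreg         = dsregcmd /status
$azureAdJoined = Get-DsregField -Lines $dsreg -Name 'AzureAdJoined'
$domainJoined  = Get-DsregField -Lines $dsreg -Name 'DomainJoined'
$deviceId      = Get-DsregField -Lines $dsreg -Name 'DeviceId'
$mdmUrl        = Get-DsregField -Lines $dsreg -Name 'MdmUrl'

# Map the join state to the two join types Intune supports for session hosts
if ($azureAdJoined -eq 'YES' -and $domainJoined -eq 'YES') { $joinType = 'Hybrid Microsoft Entra joined' }
elseif ($azureAdJoined -eq 'YES')                          { $joinType = 'Microsoft Entra joined' }
else                                                        { $joinType = 'Not joined to Microsoft Entra ID' }

# Intune's enrollment record: a GUID-named key whose ProviderID is "MS DM Server"
$mdm = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
    ForEach-Object { Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue } |
    Where-Object { $_.ProviderID -eq 'MS DM Server' } |
    Select-Object -First 1
$enrolledUpn = if ($mdm) { $mdm.UPN } else { $null }

[pscustomobject]@{
    JoinType       = $joinType
    EntraDeviceId  = $deviceId        # match this against the device record in the Intune admin center
    MdmUrl         = $mdmUrl
    IntuneEnrolled = [bool]$mdm
    EnrolledUpn    = $enrolledUpn
} | Format-List

if (-not $mdm) {
    if ($mdmUrl) {
        Write-Warning 'MDM URL discovered but no Intune enrollment exists yet: check the Intune MDM user scope and whether the enrollment task has run.'
    } else {
        Write-Warning 'No MDM URL discovered: verify the Microsoft Entra Mobility (MDM and MAM) settings before expecting automatic enrollment.'
    }
}
```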

Manage Azure Virtual Desktop session hosts with Intune

After enrollment, administrators can use Microsoft Intune to manage Azure Virtual Desktop session hosts throughout their lifecycle.

Common management capabilities include:

Management capability        Purpose
Configuration profiles       Configure operating system settings and device restrictions
Settings catalog policies    Deploy granular Windows configuration settings
Compliance policies          Evaluate and enforce compliance requirements
Endpoint security policies   Configure Microsoft Defender, Firewall, BitLocker, and security controls
Security baselines           Apply Microsoft-recommended security configurations
Windows Update for Business  Manage update deployment and servicing
Application deployment       Deploy Microsoft Store, Win32, and line-of-business applications
Endpoint Analytics           Analyze performance, startup, and reliability metrics

This management model enables consistent governance across cloud-hosted and physical endpoints.

Multi-session considerations

Most Azure Virtual Desktop deployments use Windows Enterprise multi-session operating systems. These devices differ significantly from traditional single-user Windows endpoints.

Administrators should account for:

  • Multiple concurrent user sessions
  • Shared operating system resources
  • User-based and device-based policy interactions
  • Application compatibility in multi-user environments
  • Performance impact of security and monitoring controls

Not all Intune settings are optimized for multi-session workloads, and some user-targeted policies may behave differently compared to single-user devices.

Organizations should validate the following before deploying them broadly across production host pools:

  • Configuration profiles
  • Compliance policies
  • Security baselines
  • Application deployments
  • Remediation scripts

Important

Always validate Intune policies in a dedicated pilot host pool before deployment to production environments. Multi-session workloads can expose configuration issues that may not appear on standard Windows devices.

Security and compliance integration

Microsoft Intune integrates with multiple Microsoft security services to strengthen Azure Virtual Desktop security.

Organizations can implement:

  • Microsoft Entra Conditional Access
  • Multifactor authentication (MFA)
  • Microsoft Defender for endpoint security
  • Compliance-based access control
  • Security baselines
  • Endpoint detection and response (EDR)
  • Attack surface reduction (ASR) rules

When combined with Conditional Access, device compliance information can be used as a signal in access decisions, supporting a Zero Trust security model.

Best practices for Intune-managed Azure Virtual Desktop session hosts

Organizations should adopt operational best practices when managing Azure Virtual Desktop session hosts through Intune.

Recommended practices include:

  • Use pilot host pools to validate new policies and applications
  • Standardize session host images and deployment processes
  • Use Azure Compute Gallery for image management where appropriate
  • Monitor compliance, update status, and security posture regularly
  • Test applications for multi-session compatibility
  • Apply Microsoft security baselines after validation
  • Use role-based access control (RBAC) to delegate administration
  • Review policy conflicts and assignment targeting regularly
  • Document configuration standards and deployment procedures

Consistent management and governance practices improve reliability, simplify troubleshooting, strengthen security, and support scalable Azure Virtual Desktop operations.