Microsoft has made the deployment of Intune device configuration to Azure Virtual Desktop (AVD) multi-session virtual machines (VMs) generally available. Prior to this, Intune only supported the management of single-session AVD VMs. What this means is that now, you can use Intune to manage the configuration of policies on Azure Active Directory-joined AVD multi-session VMs.
This new feature rolls out in the Intune 2204 release. All you’ll need to do is to go into your Microsoft Endpoint Manager admin centre and you’ll be able to deploy to your Windows 10 or Windows 11 multi-session VMs from there.
Pre-requisites for Intune Device Configuration
There are a couple of things you first need to make sure you have before you go ahead with using this new feature. You’ll need:
- A Windows 10 multi-session image running 1903 or later or Windows 11 image.
- Azure Active Directory (AAD) joined or Hybrid Azure AD-joined
- A pooled hostpool
- Intune enrollment for any of the following options:
- An Azure AD group policy set to use Device Credentials and set to automatically enroll Hybrid Azure AD-joined devices.
- System Centre Configuration Manager (SCCM) co-management to enroll in Microsoft Endpoint Manager (MEM) for Intune.
Capabilities for AVD VMs
The following capabilities are available now on Intune with AVD.
- Enroll VMs automatically in Intune when provisioning Azure AD-joined host pools. This makes it so that, when end-users go to access them, they’re compliant and ready to use.
- Use the settings catalogue from MEM admin centre to manage both single and multi-session VMs.
- Boost the security of your multi-session VMs by using configurations from the Endpoint security blade.
- Oversee device configurations for multi-session VMs created in the public cloud
- Use important Microsoft 365 security features on session hosts.
- Allocate any application that’s configured to install in system context to multi-session VMs.
Multi-Session Device Configuration Limitations
As this feature is still fairly new, there are a few limitations.
- You can only deploy device-based policy configurations. You cannot deploy any user scope policies.
- All multi-session configurations have to be focused on Azure AD device groups.
- If you have any Intune device configuration policies that already exist, these will not be supported for the multi-session VMs.
- Currently, only device certificates are supported.
Configure Policies in Intune for Windows 10 Multi-Session
Make sure you’ve ticked off the prerequisites before you start creating Intune policies for AVD Windows 10 multi-session VMs.
- First, sign into your Microsoft endpoint portal with admin access
- Select Devices / Windows / Configuration Profiles / Create Profile
- From Platform options, select Windows 10 and later
- From Profile type, select Settings Catalog
- Click Create
- Enter the profile Name and Description, then click Next
- On the Configuration settings page, select Add settings.
- Under Settings picker, select Add filter and select the following options:
- Key: OS edition
- Operator: ==
- Value: Enterprise multi-session
- Select Apply. The filtered list now shows all configuration profile categories that support Windows 10 or Windows 11 Enterprise multi-session. You can see the scope for the policy in parentheses (Device or User). Currently, only device settings are supported for multi-session.
- From the filtered list, pick the categories that you want.
- For each category you pick, select the settings that you want to apply to your new configuration profile.
- For each setting, select the value that you want for this configuration profile.
- Select Next when you’re done adding settings.
You’ve now created an Intune device configuration profile for your multi-session VMs.
