Intune – You can now enroll and manage Windows Virtual Desktop (preview)

By now, you already know that Intune/Endpoint Configuration Manager is the Microsoft solution for managing devices (Windows, iOS or Android) by deploying configuration policies (configuration profiles), deploying applications to the devices, or protecting your corporate data with application protection policies.

You may also already know Windows Virtual Desktop, the Windows 10 multi-session solution running on Azure that delivers remote access to applications while simplifying deployment and management of the remote desktop infrastructure.

Well, good news, you can now enroll and manage Windows Virtual Desktop with Intune/Endpoint Configuration Manager.

At this time, user scope policies are not supported, only device policies are.

Prerequisites

To enroll and then manage WVD in Intune, your Windows 10 multi-session virtual machines must meet the following requirements:

  • Running Windows 10 multi-session, version 1903 or later
  • Hybrid Azure AD-joined
  • Set up as remote desktops in pooled host pools in Azure
  • Running a Windows Virtual Desktop agent version of 2944.1400 or later
  • Enrolled in Microsoft Endpoint Manager using one of the following methods:
    • Configured with Active Directory group policy, set to use Device credentials, and set to automatically enroll devices that are Hybrid Azure AD-joined. For this preview, we only support enrollment via group policy if you’re using a single MDM provider.
    • Configuration Manager co-management.

NOTE

There is a known issue with Windows 10 2004 and later causing remote actions in Endpoint Configuration Manager to not work properly. Without the workaround, it may take up to 8 hours for the policies to be applied.

As a workaround, ensure the following registry key is present before enrolling the device (you will need to reboot the device):

  • Hive: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Server
  • Value name: ClientExperienceEnabled
  • Value type: REG_DWORD
  • Value data: 1
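
The script below is an added example, not part of the original post or Microsoft's documentation: a pre-enrollment check to run from an elevated PowerShell prompt on a session host, which verifies two of the prerequisites above and applies the registry workaround. The build number 18362 for version 1903 and the `dsregcmd /status` field names are assumptions taken from general Windows knowledge, not from this page.

```powershell
#Requires -RunAsAdministrator
# Added example: pre-enrollment check for a Windows 10 multi-session host.
# The registry path, value name and data are the ones listed in the workaround above.
$keyPath   = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Server'
$valueName = 'ClientExperienceEnabled'
$minBuild  = 18362   # assumption: build number of Windows 10 version 1903

# 1. OS must be version 1903 or later.
$cv      = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$build   = [int]$cv.CurrentBuildNumber
$buildOk = $build -ge $minBuild

# 2. Hybrid Azure AD join means the device is both domain-joined and Azure AD-joined.
$dsreg        = (& dsregcmd.exe /status) -join "`n"
$aadJoined    = $dsreg -match 'AzureAdJoined\s*:\s*YES'
$domainJoined = $dsreg -match 'DomainJoined\s*:\s*YES'

# 3. Apply the workaround only if the value is missing or different,
#    so the script can be re-run without forcing needless reboots.
$current = (Get-ItemProperty -Path $keyPath -Name $valueName `
            -ErrorAction SilentlyContinue).$valueName
$rebootNeeded = $false
if ($current -ne 1) {
    if (-not (Test-Path -Path $keyPath)) {
        New-Item -Path $keyPath -Force | Out-Null
    }
    New-ItemProperty -Path $keyPath -Name $valueName `
        -PropertyType DWord -Value 1 -Force | Out-Null
    $rebootNeeded = $true
}

# Summary object: review it before starting enrollment.
[pscustomobject]@{
    Build                   = $build
    BuildIs1903OrLater      = $buildOk
    HybridAzureAdJoined     = ($aadJoined -and $domainJoined)
    ClientExperienceEnabled = 1
    RebootRequired          = $rebootNeeded
}
```

The WVD agent version and host pool type are not checked here; confirm those separately before enrolling.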

Setting up policies for Windows 10 multi session

As you might expect, not all settings apply to Windows 10 multi-session.

When creating a configuration profile (Settings Catalog), you need to use the filter option to get only the settings applicable to Windows 10 multi-session:

  • Key: OS edition
  • Operator: ==
  • Value: Enterprise multi-session

Additional information

  • Windows Autopilot and Commercial OOBE aren’t supported
  • Enrollment status page isn’t supported
  • Remote actions
    • Autopilot reset
    • BitLocker key rotation
    • Fresh Start
    • Remote lock
    • Reset password
    • Wipe
  • Windows Update for Business is currently not supported
  • Application deployment
    • All apps must be configured to install in the system/device context
    • All apps must be configured with Required or Uninstall app assignment intent
    • Windows Virtual Desktop RemoteApp and MSIX app attach are not currently supported
  • The following compliance policies are supported on Windows 10 Enterprise multi-session
    • Minimum OS version
    • Maximum OS version
    • Valid operating system builds
    • Simple passwords
    • Password type
    • Minimum password length
    • Password Complexity
    • Password expiration (days)
    • Number of previous passwords to prevent reuse
    • Microsoft Defender Antimalware
    • Microsoft Defender Antimalware security intelligence up-to-date
    • Firewall
    • Antivirus
    • Antispyware
    • Real-time protection
    • Microsoft Defender Antimalware minimum version
    • Defender ATP Risk score