Skip to content


All About Application Management in Azure Virtual Desktop (AVD)

The purpose of a virtual desktop deployment is to provide users access to applications.  Application and data access is the reason to build a virtual desktop, like AVD, in the first place.  Therefore, installing, updating, and delivering applications to end users is a critical component of a desktop virtualization strategy. 

Azure Virtual Desktop host pools can be deployed as “personal” or “pooled”.  In single-session, personal environments, each user is permanently assigned a dedicated VM as their desktop.  In pooled environments, both single-session and multi-session, multiple users are connected to a “random” VM for the duration of their session and may be connected to a completely different VM the following day.  The methods of managing applications on personal desktops are very different than those used with pooled desktops.  Personal desktops (and Windows 365 Cloud PCs) behave exactly like a physical endpoint device and can be managed using traditional application delivery tools like Microsoft Endpoint Manager (SCCM and Intune).   

Pooled desktops provide several advantages over personal desktops such as cost efficiency and ability to standardize the IT environment.  However, they also come with unique application management challenges since most existing tools are built for a one-to-one user-to-desktop assignment, which is not the case with pooled desktops. 

In this article, we’ll focus on the strategies available to manage applications in pooled AVD deployments. 

The challenge with app management in pooled desktop environment can be boiled down to this – multiple users are sharing VMs, any installed app is available to all users. This “all or nothing” approach creates many challenges in situations where specific apps must be available to certain groups of users, but not to others.  How can we selectively assign applications to individual users or groups of users?   

Delivering apps to AVD users on pooled desktops requires two steps:

  1. Installing the application on either the image or session host VM
  2. Delivering the app to some or all users

Let’s take a look at the available options for each of these steps.


Installing applications in a pooled AVD environment can be accomplished in several ways. 

  1. Manual install on image 
  1. Scripted action install on image 
  1. Microsoft Endpoint Manager (MEM) install on image 
  1. Scripted action install on session hosts 
  1. MEM install on session hosts 

1. Manual Install On Image 

The easiest way to install applications is by loading each app on the base image VM one at a time.  Once all apps are installed, the image is “sealed” and can be used to build new session hosts or update existing ones.  All installed apps will be available to all users who connect to these session hosts. 

This method is easy to start with but becomes difficult and time consuming to maintain over time. 

2. Scripted Action Install On Image 

Script the installation of applications with Powershell, save these scripted actions in the Nerdio Manager Scripted Action library, and run the scripted actions on the image during creation or monthly patch cycle.  Once the updated image is deployed to session hosts, all users can access all apps. 

This method requires a bit of work to script the installation of each app but makes ongoing image and application updates easy and automated. 

3. MEM Install On Image 

Leverage existing MEM workflows to install and update applications on the base image.  Once all apps are installed, the image is “sealed” and can be used to build new session hosts or update existing ones.  All installed apps will be available to all users who connect to these session hosts. 

This method required some upfront work to get all applications imported and configured in MEM. 

4. Scripted Action Install On Session Hosts 

Instead of pre-installing application on the image, deploy apps to session host VMs with Nerdio Manager using scripted actions while the VMs are being created.  The latest base image can be pulled from the Azure Marketplace and all apps can be automatically installed during session host VM creation. 

This method required a bit of work to script installation of each app but makes ongoing host updates easy and automated.  All installed apps are available to all desktop users. 

5. MEM Install On Session Hosts 

Instead of pre-installing applications on the base image, deploy apps to session host VMs with MEM after the VMs are created.  The most recent image can be pulled from the Azure Marketplace and all apps will be automatically installed once the session host VMs are created. 

This method required some upfront work to get all applications imported and configured in MEM. 


Once applications are installed, they need to be delivered to users.  This is where the challenge of pooled desktops comes in.  Regardless of which of the 5 methods above was used to install the apps, once installed, all users will have access to all apps.  This may be OK in some scenarios but, often, this is not ideal. 

The following methods can be used to selectively deliver specific apps to specific users or groups. 

  1. Multiple images and host pools 
  1. RemoteApps 
  1. MSIX app attach 
  1. Nerdio’s Installed Apps Management 

1. Multiple Images and Host Pools 

Since all installed apps on the image are available to all users assigned to a host pool based on this image, one way to selectively assign groups of apps to groups of users is by creating and maintaining multiple desktop images, each associated with its own host pool.  Different groups of users are assigned to separate host pools that only have the apps that the users need. 

Although this method can achieve the objective of selective app assignment in a pooled desktop environment, it is difficult to manage at scale.  The number of images with unique configurations tends to be high and the effort required to maintain each individual image with its own set of apps is extremely time consuming. 

2. RemoteApps 

If users don’t need access to a full desktop, RemoteApps can be selectively published to individual users or groups.  Instead of launching a full desktop session, users will open individual apps published to them by the administrator. 

3. MSIX App Attach 

MSIX app attach is a relatively new technology available in AVD.  Administrators can assign individual MSIX apps to specific users or groups.  The application gets mounted when the user logs in and only entitled users can access the app.  One session host VM can have multiple connected users with different apps available in their sessions. 

MSIX app attach is great in concept and works well in practice.  However, today very few applications are available in the new MSIX format and converting existing apps to MSIX is a challenging and time-consuming process.  As a result, until the MSIX format becomes more widespread among software publishers, app attach is not very commonly used. 

4. Nerdio’s Installed Apps Management 

This is the most flexible and easy method to manage app assignment.  It leverages a technology built into FSLogix called “Application Masking”.  The concept is very simple: install a superset of apps on the image and use application masking to only reveal the apps an individual user need.  App masking doesn’t just hide the application shortcut, it makes all components of the app (e.g. files, registry entries, shortcuts, etc.) completely invisible to users who have no access.  There is nothing even a very sophisticated user can do to access an application that has been masked from them.  Unfortunately, with out-of-the-box FSLogix tools, implementing app masking is challenging and extremely complex.  It is difficult to initially configure and even more difficult to maintain at scale. 

This is where Nerdio’s Installed Apps Management feature comes in.  Nerdio Manager simplifies and automates the app masking configuration process down to 3 steps: 

  1. Discover installed apps 
  1. Create app-to-users assignment rules
  1. Apply rules to hosts 

Let’s look at each of these steps in more detail. 

1. Discover Installed Apps 

Whenever a new host pool is created or an existing host pool is re-imaged, Nerdio Manager will automatically discover all installed applications on the host pool and create an inventory.  This inventory of discovered apps will include all apps installed on the base image and directly on the session host VMs.  Each discovered application will have several “paths” associated with it.  These paths are locations of files and registry entries that belong to a specific application. 

2. Create App-to-Users Assignment Rules 

Once all apps are discovered, one or more rule sets can be created to define which apps are available to which users and groups.  By default, all installed apps are available to all users.  However, once an application is added to a rule set it can be made available to all users with exceptions (blacklist) or be made unavailable to all users with exceptions (whitelist). 

Apps-to-users assignment rules can be used for individual apps or groups of applications.  For example, there may be a rule set for Browsers that includes Microsoft Edge, Google Chrome, and Mozilla Firefox that is made available to all users except for certain group of task workers.  And there could also be a rule set for Accounting Apps that includes various accounting and finance applications that are available only to members of Accounting and Finance security groups. 

3. Apply Rules to Hosts 

Once apps are automatically discovered and rule sets are created, Nerdio Manager applies these rule sets to all existing hosts and all newly created VMs in the host pool.  The process of applying rule sets does not require a reboot of the VMs and can be done in production.  Within a few minutes, users will notice apps appear or disappear depending on rule set configuration. 

With these 3 simple steps, admins gain full control over users’ access to specific apps without creating and managing multiple images and host pools. 

Application management is a critical component of AVD administration strategy and Nerdio Manager provides a complete suite of tools to install applications via images and scripted actions and to deliver apps to specific users with RemoteApps, MSIX app attach, and Installed Apps management. 


Multi-Cloud and On-Premises Deployment with Azure Stack HCI (Coming Soon)

Deploy Azure Virtual Desktop in Azure and extend the session host VM placement to on-premises and other cloud using Azure Stack HCI. Nerdio Manager automates deployment of session hosts, AVD agent installation, and full integration into the AVD deployment in Azure.

Create a brand new Azure Virtual Desktop environment or allow Nerdio Manager to discover an existing deployment, connecting to existing resources, and manage them.

Deploy Nerdio Manager from Azure Marketplace and configure a new AVD environment with an easy to follow, step-by-step configuration wizard. First group of users can access their AVD desktop in less than 2 hours.

Service providers, system integrators, and consultants can leverage Nerdio Manager’s scripted AVD deployment template. Create complete environments with desktop images, host pools, and auto-scaling in minutes.

Create and manage AVD environments that span Azure regions and subscriptions. Quickly link Vnets and resource groups and manage AVD deployments world-wide from unified portal.

Link multiple Azure tenants under the same Nerdio Manager instance and manage AVD deployments that span Azure AD tenants. User identities and session host VMs can run in separate tenants for maximum flexibilty and security.

Deploy and manage AVD environments that span across sovereign Azure Clouds. Cross-sovereign cloud support allows identity (e.g. users and groups) to be in one Azure Cloud, while session host VMs are in another Azure Cloud.

Management of workspaces, host pools, app groups, RemoteApps & custom RDP settings

Administer every aspect of AVD with Nerdio Manager including workspaces, host pools, application groups, RemoteApp publishing, RDP properties, session time limits, FSLogix, and much, much more. Every Azure service that AVD relies on can be managed with Nerdio Manager.

Deploy and manage AVD session host VMs. Hosts can be created manually or with auto-scaling, deleted on-demand or on a schedule, re-imaged to apply updates, run a scripted action, resized, put into or taken out of drain mode, and more.

Manage user sessions across the entire AVD environment, within a workspace, host pool or on a single host. Monitor session status, disconnect or log off the user, shadow or remote control to provide support, or send user an on-screen message.

End users have the ability to log into Nerdio Manager with their Azure AD credentials and manage their own session, restart their desktop VM, or start a session host if none are started in a host pool. (Ability to resize and re-image own desktop is coming soon.)

Create, link, and manage Azure Files shares including AD domain join. Synchronize Azure Files permissions with host pools, configure quotas, and enable SMB multi-channel. Manage file lock handles and configure Azure Files auto-scaling to increase quota as needed.

Create, link, and manage Azure NetApp Files accounts, capacity pools and volumes. Configure provisioned volume size, monitor usage, and use auto-scaling to automatically adjust volume and capacity pool size to accommodate the needed capacity and latency requirements.

FSLogix configuration can be complex and overwheling, but not with Nerdio Manager. Create one or more FSLogix profiles with all the needed options, point at one or more Azure Files, Azure NetApp Files, or server locations and select from VHDLocations, CloudCache and Azure Blob storage modes.

Multiple identity source profiles can be set up and used automatically on different host pools. Active Directory, Azure AD DS, and Native Azure AD are all supported. Choose the appropriate directory profile when adding a host pool and all VMs will automatically join this directory when being created.

Create a copy of a host pool with all of its settings: auto-scale config, app groups and RemoteApps, MSIX AppAttach, user/group assignments, VM deployment settings, etc. Save time by creating host pool “templates” that can be cloned to any Workspace, Azure region or subscription instead of starting from scratch.

Apply user session time limits at host pool level. Automatically log off disconnected sessions, limit the duration of idle sessions, control empty RemoteApp session behavior and more.

Assign Azure AD users to personal desktops to ensure the user will log into a pre-configured VM. Un-assign personal desktops from users who leave the organization and re-use these VMs for new users.

Pre-configure custom Azure tags for all Azure resources associated with each host pool. Tags can be used for charge-back and cost allocation by host pool.

When creating session hosts using NV-series VMs NVIDIA and AMD GPU drivers are automatically installed.

Move existing host pools from Fall 2019 (Classic) object model to Spring 2020 (ARM) object model. Choose to whether to move or copy user assignments. Existing session hosts are automatically migrated or new ones can be created in the ARM host pool.

Automatically enable and configure AVD integration with Azure monitor. Zero configuration required. Azure Monitor Insights for AVD can be used instead of or in conjunction with Sepago Monitor.

AVD personal desktops to Windows 365 Cloud PC migration (Coming Soon)

Migrate users from AVD personal desktops to Windows 365 Enterprise Cloud PCs using an existing image and user assignment. (Coming soon)


Cloud PC License Usage Optimization (Coming Soon)

Cloud PC device lifecycle management

Cloud PC user group assignment

Intune primary user management on Cloud PCs

Migrate AVD personal desktops to Cloud PCs (Coming Soon)

Get Certified