Microsoft Intune is fast becoming the go-to solution for managing physical and virtual desktops in enterprises and SMB environments alike. This has been driven by the increased use of Azure Active Directory Join, people moving away from Active Directory, and the continued increase in functionality that Intune brings.
This blog post will examine what we can manage via Intune on an Azure Virtual Desktop (AVD) multi-session host and explore some use cases.
What is Microsoft Intune?
Microsoft Intune is a cloud-based SaaS service that enables you to manage your devices from a central management console. Using Microsoft Intune we can deploy device configurations, deploy and manage device settings, deploy and manage applications, manage security policies on our devices and much more.
Why Must We Adjust Multi-session Hosts for Intune?
As the title suggests, in this article we will discuss multi-session hosts only. When managing AVD multi-session hosts, we need to treat the hosts differently than single-session hosts due to how settings and applications are deployed. When managing single-session hosts, we can target settings and applications at the user and device context. When managing multi-session hosts, settings and applications mostly needs to be targeted at the device context, as we want anybody who logs onto those hosts to have consistent settings.
However, there are exceptions to this. Microsoft recently released the capability for user settings to be managed via Intune on Windows 10 & Windows 11 multi-session hosts. The user settings available to manage this way are:
- User Scope policy settings from the settings catalog
- User certificates
- PowerShell scripts to install in the user context.
Pre-requisites for Managing Multi-Session Hosts with Intune
Before we can manage Windows 10/11 multi-session hosts via Intune, we need to ensure they meet the minimum requirements as shown below.
- Session hosts must be Windows 10 multi-session 1903 or later or Windows 11 multi-session.
- If session hosts are 2004, 20H2 or 21H1 Builds, they need the July 2021 Windows Update installed.
- Azure Virtual Desktop Agent must be v1.0.2944.1400 or later.
- Hybrid or Azure AD Joined
- Intune license is required with user or device benefits.
- Azure Active Directory Domain Services (Azure AD DS) is NOT supported.
For a complete and up-to-date list, please see Microsoft’s documentation.
Intune Host Enrollment
The first step to getting our hosts into Intune is enrolling them. How we enroll them depends on whether they are Azure AD joined or hybrid joined. Azure AD joined means they are not joined to Active Directory; they are joined straight to Azure AD.
To manage this within Nerdio, we must ensure that the “Enroll with Intune” option is ticked on the Azure Active Directory configuration profile.
If our hosts are joined to Active Directory Domain Services (AD DS) and want to manage them via Intune, we can perform a “hybrid join”. A hybrid join “registers” the hosts against Intune so we can see and manage them via the Intune portal. A Group Policy setting needs to be configured to configure hybrid join, which tells the hosts to register themselves in Intune.
The Group Policy setting to configure is:
Computer Configuration > Administrative Templates > Windows Components > MDM > Enable automatic MDM enrollment using default Azure AD credentials.
Set the “Select Credential Type to Use” to Computer Credential.
Once the AVD multi-session hosts have registered themselves against Intune, you will see them appear in the Intune portal, which you can access at https://intune.microsoft.com/
Intune Policies and Scopes
Once we have our devices enrolled in the Intune portal, we need to configure device scopes so we can target configuration settings at the hosts. Anything you do within Intune you can filter and target by scope. The scope defines what types of targets we want to deploy settings and applications to. We can also target Azure AD groups also.
We must configure the relevant configuration profile to manage AVD multi-session hosts via Intune. To do that within the Intune portal, head to Devices à Windows à Configuration Profiles à Create Profile.
When you create the profile, under the configuration settings, we can add a filter targeting only multi-session hosts. In the example below, we are only deploying the settings to ‘Allow the Camera’ on Windows 10/11 multi-session hosts.
What Can Intune Manage on Azure Virtual Desktop Multi-Session Hosts?
OK, now we have our Windows 10/11 multi-session hosts registered in the Intune portal; what can we do with them? Well, the answer is lots! Below are a few examples what we can do:
Intune is gradually replacing Microsoft Endpoint Configuration Manager (SCCM or Systems Controls Configuration Manager for us oldies!) as the tool of choice for deploying applications in the enterprise. The benefit of Intune to manage your devices, is that it is a SaaS cloud-based service, so there are no servers to deploy into your environment. The backend configuration and updates are all handled by Microsoft.
However, you can if you want to integrate Intune into your existing MECM environment. We call this co-management. Please see this Microsoft article for more information.
Intune supports deploying multiple app types onto Windows 10/11 multi-session hosts, but the applications MUST be targeted in the device context, NOT the user context. Popular application types which are supported are .MSI, .IntuneWin, APP/MSIX. For a complete list please visit Microsoft’s documentation.
Applications must set to be ‘Required’ status when deploying rather than ‘Optional’ as all users on the hosts will need to have the application deployed.
Please note that deploying applications via MSIX App Attach or directly onto Master images is NOT supported via Intune at this time.
Security & Compliance
Intune can manage the security posture of your Windows 10/11 multi-session hosts via configuration policies and managing the Windows Security patching via Windows Update for Business.
Intune does have Security Baseline policies. However, these are NOT supported on Windows 10 or Windows 11 multi-session, so you must create your policy configuration settings.
Intune also has extensive compliance reporting capabilities included. This allows us to monitor the security posture of our AVD session hosts and ensure that they all meet minimum-security compliance requirements.
Using Microsoft Intune, we can monitor and manage Defender Policies directly from the Intune console. Using the console, we can check to ensure that all the hosts are updated and view information on any malware that is detected on our session hosts.
It is also possible to integrate Defender for Endpoint into Intune for advanced protection against threats.
You can integrate Windows Update for Business into Microsoft Intune to ensure that you can control the update settings on your AVD multi-session hosts.
Using Windows Update for Business ensures that we can control update rings and feature updates for AVD multi-session hosts from the Intune portal. We can also perform advanced compliance reporting which allows us to ensure our hosts are getting patched as they should.
Caveats to Managing Multi-Session Hosts with Intune
There are a few things that you need to be aware of when managing your session hosts via Intune.
Firstly, currently it is not supported to deploy applications onto your Master Images using Intune. It is possible with a workaround but is not supported by Microsoft. If you want to deploy applications, these must be deployed directly onto the session hosts.
Secondly, the time taken to deploy applications and settings can vary. Sometimes it can take only around 30 minutes, sometimes up to 24 hours. When deploying onto session hosts this needs to be closely monitored to ensure that users are not connecting to hosts without applications deployed.
We recommend you keep session hosts in Drain mode until you have confirmed that all configuration settings and applications have been deployed successfully.
Microsoft Intune is a great tool to centrally manage all your devices, which can include AVD multi-session hosts.
When used properly it can be a great asset to your toolset to enable you to manage and control your AVD session hosts to meet your minimum-security compliance requirements, and also control software and security updates being applied to your session hosts.