By default, all Windows Virtual Desktop session hosts are joined to your on-premises Active Directory domain, and in most cases you apply configuration to them via Group Policy Objects (GPO). If you also use Microsoft Endpoint Manager (Microsoft Intune) to manage Windows 10 devices, it is worth considering managing your WVD session host VMs with it as well.
The big advantage is that you can apply your existing Windows 10 configurations (including application deployment) directly to the WVD session hosts, at least if they are provisioned from a Windows 10 Enterprise single-user image (Windows 10 Enterprise multi-session is not supported at this moment).
In this blog I will show you step by step how to start managing Windows Virtual Desktop session hosts with Microsoft Intune.
Requirements
- Azure tenant up-and-running, including Azure AD Connect. Make sure the WVD session host VMs are located in an AD OU that is synced with Azure AD.
- Windows Virtual Desktop environment up-and-running, including a Personal host pool type
- Microsoft Intune environment up-and-running, with enrollment restrictions that allow Windows (MDM) device enrollment
Limitations
- Only Windows 10 Enterprise – single-User version is supported at this moment (no Windows 10 multi-session)
- Only for use in a Personal WVD host pools
- “Domain Join” and “Wi-Fi” Intune Configuration profiles are not supported (but also not needed)
- The following Intune device actions are not supported or not recommended on session hosts: Autopilot reset, BitLocker key rotation, Fresh Start, Remote lock, Reset password and Wipe.
My Environment
I have an on-premises domain with the primary UPN suffix “futureworkplace.it”. Azure AD Connect is configured and is syncing with Azure AD.
Microsoft Intune is fully configured, including; Device Compliance, Device Configuration profiles and Application deployments for Windows 10.
Windows Virtual Desktop is deployed with a Personal host pool type. The session host VMs are joined with the on-premises domain and are located in an Active Directory OU with “Block Inheritance” enabled on it.
In this blog
This blog will cover the following steps.
- Configure Hybrid Azure AD Join
- Check if WVD hosts are Azure AD joined
- Create an Automatic MDM enrollment policy
- Test the results
Step 1 : Configure Hybrid Azure AD Join
For the first step we need to make some changes to the Azure AD Connect configuration. Log in to the server where Azure AD Connect is installed and configured.
Start Azure AD Connect and click Configure
Click Configure device options.
Click Next
Log in with your Global Administrator account and click Next
Select Configure Hybrid Azure AD join and click Next
Enable Windows 10 or later domain-joined devices and click Next.
Select your forest, select Azure Active Directory as Authentication Service and log in with an on-premises Enterprise Administrator account (this is needed to create the Service Connection Point in the forest). Click Next.
Click Configure
Click Exit
Optionally you can force an Azure AD Connect delta sync so you don’t have to wait for the next scheduled cycle.
Step 2 : Check if WVD hosts are Azure AD joined
Wait for the next Azure AD Connect sync or force a sync right away. After the sync has completed, log in to a WVD session host VM. Open a command prompt or PowerShell and type the following command:
dsregcmd /status
Make sure that AzureAdJoined is set to YES
Also make sure that AzureAdPrt is set to YES. Note that AzureAdPrt reflects the token of the user who is currently signed in, so sign in with a domain account that is synced to Azure AD when you check it.
If this is not the case, make sure the computer objects have been synced to Azure AD (the hybrid join is only completed after the device is known there). Sometimes a reboot of the VM will also help.
As an alternative you can also check the status in Azure AD – Devices. Check the Join Type and the Registered status.
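The checks from this step as a script, added here as an example and not part of the original post. The first function runs on the Azure AD Connect server (it assumes the ADSync module that Azure AD Connect installs); the other two run on the session host and parse the output of dsregcmd /status rather than eyeballing it. The expected values are the ones described above; DomainJoined is added because a hybrid-joined device must report YES for both.

```powershell
# Added example, not from the original post.
# Start-DeltaSync: run on the Azure AD Connect server to force a delta sync
# instead of waiting for the next scheduled cycle (ADSync module assumed present).
function Start-DeltaSync {
    Import-Module ADSync -ErrorAction Stop
    Start-ADSyncSyncCycle -PolicyType Delta
}

# Get-DsregStatus: run on the session host. Turns the "Key : Value" lines of
# dsregcmd /status into a hashtable. URLs contain colons, so the key capture
# stops at the first colon and the value keeps the rest of the line.
function Get-DsregStatus {
    $status = @{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*(\S[^:]*?)\s*:\s*(.*?)\s*$') {
            $status[$matches[1]] = $matches[2]
        }
    }
    return $status
}

# Test-HybridJoin: compares the fields that matter for hybrid Azure AD join
# against the expected values and returns $true only if all of them match.
# AzureAdPrt is per user: it is only YES when the signed-in user is a synced
# AD account, so run this from such a session.
function Test-HybridJoin {
    $s = Get-DsregStatus
    $expected = [ordered]@{
        'DomainJoined'  = 'YES'
        'AzureAdJoined' = 'YES'
        'AzureAdPrt'    = 'YES'
    }
    $allOk = $true
    foreach ($key in $expected.Keys) {
        $actual = if ($s.ContainsKey($key)) { $s[$key] } else { '(missing)' }
        $ok = ($actual -eq $expected[$key])
        if (-not $ok) { $allOk = $false }
        Write-Host ('{0,-14}: {1,-9} expected {2} -> {3}' -f $key, $actual, $expected[$key], $(if ($ok) {'OK'} else {'FAIL'}))
    }
    # Tenant details help confirm the device landed in the right tenant and
    # already knows where to enroll (MdmUrl is populated after hybrid join).
    foreach ($key in 'TenantName', 'TenantId', 'DeviceId', 'MdmUrl') {
        if ($s.ContainsKey($key)) { Write-Host ('{0,-14}: {1}' -f $key, $s[$key]) }
    }
    return $allOk
}

# Usage on the session host:
# if (-not (Test-HybridJoin)) { Write-Warning 'Hybrid join not complete; wait for the sync or reboot the VM.' }
```

If AzureAdJoined stays NO after a sync and a reboot, check that the computer object really sits in an OU that Azure AD Connect syncs (the Requirements above) and that the device shows up under Azure AD – Devices with join type Hybrid Azure AD joined.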
Step 3 : Create an Automatic MDM enrollment policy
To enable automatic MDM enrollment, a policy setting needs to be configured. Open the Group Policy Management console.
On the OU that contains the WVD session host VMs, create a new GPO (or edit an existing one). Give the GPO a name and click OK. Because the OU in my environment has “Block Inheritance” enabled, the GPO has to be linked to that OU directly.
Navigate to Computer Configuration > Administrative Templates > Windows Components > MDM and open Enable automatic MDM enrollment using default Azure credentials.
Select Enabled and select Device Credential as Credential Type to use. Click OK.
Step 4 : Test the results
After the policy has been applied to the session host (wait for the Group Policy refresh or run gpupdate /force), the policy creates a scheduled task that enrolls the VM in Microsoft Intune.
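A way to verify Step 3 and Step 4 from the session host itself, added here as an example and not part of the original post. The GPO setting from Step 3 writes the AutoEnrollMDM and UseAADCredentialType values under the MDM policy key (2 = Device Credential), the enrollment client registers a scheduled task under \Microsoft\Windows\EnterpriseMgmt\, and a completed enrollment shows up as a GUID key under HKLM:\SOFTWARE\Microsoft\Enrollments with provider "MS DM Server". The property names read from the enrollment key and the event log name are the ones I know from Windows 10; run the script elevated.

```powershell
# Added example, not from the original post. Run as administrator on the session host.
$MdmPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'
$EnrollmentsKey = 'HKLM:\SOFTWARE\Microsoft\Enrollments'
$MdmEventLog = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'

# Test-AutoEnrollPolicy: did the GPO from Step 3 reach this machine, and with
# the Device Credential type (UseAADCredentialType 2) that the post selects?
function Test-AutoEnrollPolicy {
    $p = Get-ItemProperty -Path $MdmPolicyKey -ErrorAction SilentlyContinue
    $credType = switch ($p.UseAADCredentialType) {
        1       { 'User Credential' }
        2       { 'Device Credential' }
        default { '(not set)' }
    }
    [pscustomobject]@{
        PolicyPresent    = [bool]$p
        AutoEnrollMDM    = $p.AutoEnrollMDM
        CredentialType   = $credType
        DeviceCredential = ($p.AutoEnrollMDM -eq 1 -and $p.UseAADCredentialType -eq 2)
    }
}

# Get-MdmEnrollTask: the policy creates a task that retries enrollment until it
# succeeds. A LastTaskResult of 0 means the last attempt completed.
function Get-MdmEnrollTask {
    Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmt\' -ErrorAction SilentlyContinue |
        Where-Object { $_.TaskName -like 'Schedule created by enrollment client*' } |
        Get-ScheduledTaskInfo |
        Select-Object TaskName, LastRunTime, LastTaskResult, NextRunTime
}

# Get-IntuneEnrollment: lists MDM enrollments on the device. Intune's entry has
# ProviderID "MS DM Server"; EnrollmentState 1 means the enrollment is active.
function Get-IntuneEnrollment {
    Get-ChildItem -Path $EnrollmentsKey -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty -Path $_.PSPath } |
        Where-Object { $_.ProviderID -eq 'MS DM Server' } |
        Select-Object @{ n = 'EnrollmentId'; e = { Split-Path $_.PSPath -Leaf } },
                      EnrollmentState, EnrollmentType, UPN, DiscoveryServiceFullURL
}

# Get-MdmErrors: recent errors from the enrollment client, useful when the task
# keeps running but no enrollment appears.
function Get-MdmErrors {
    param([int]$MaxEvents = 10)
    Get-WinEvent -FilterHashtable @{ LogName = $MdmEventLog; Level = 2 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

# Usage:
# gpupdate /target:computer /force
# Test-AutoEnrollPolicy        # expect DeviceCredential = True
# Get-MdmEnrollTask            # task exists and has run
# Get-IntuneEnrollment         # one entry with EnrollmentState 1 once enrolled
# Get-MdmErrors                # otherwise, look here first
```

Two things trip this up in practice: the GPO has to be linked where the session hosts actually pick it up (with “Block Inheritance” on the OU it must be linked to that OU), and the tenant must allow the enrollment, which is what the Intune enrollment restrictions in the Requirements section and the MDM user scope under Azure AD > Mobility (MDM and MAM) > Microsoft Intune control.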
As you can see the WVD session host is visible within the Microsoft Intune console.
Also all Device configurations have been applied to the VM.
All mandatory / required applications have also been installed on the VM, including the custom Microsoft 365 Apps deployment and some Windows 10 Store apps.
The Company Portal app has been installed, and the Windows Update policy is active as well, as you can see in the Windows Update notification.