Microsoft Intune is quickly becoming the go-to solution for managing physical and virtual desktops in enterprise and SMB environments alike. This has been driven by the increased use of Azure Active Directory join, the move away from on-premises Active Directory, and the continual growth in the functionality that Intune brings.
This blog post looks at what we can manage through Intune on an Azure Virtual Desktop (AVD) multi-session host and explores some use cases.
What is Microsoft Intune?
Microsoft Intune is a cloud-based SaaS service that lets you manage your devices from a central management console. With Microsoft Intune we can deploy and manage device settings, deploy and manage apps, manage the security policies on our devices, and much more.
(source: What is Microsoft Intune | Learn)
Why do we need to tune multi-session hosts for Intune?
As the title suggests, in this article we only talk about multi-session hosts. When managing AVD multi-session hosts, we must treat them differently from single-session hosts because of how applications and configurations are applied. On single-session hosts, we can target settings and applications at either the user or the device context. On multi-session hosts, most applications and settings should be targeted at the device context, because we want everyone who logs on to those hosts to get a consistent configuration.
However, there are exceptions. Microsoft recently released the ability to manage user settings through Intune on Windows 10 and Windows 11 multi-session hosts. The user settings that can be managed this way are:
- Settings catalog policies scoped to the user
- User certificates
- PowerShell scripts that run in the user's context
Prerequisites for managing multi-session hosts with Intune
Before we can manage Windows 10/11 multi-session hosts through Intune, we need to make sure they meet the minimum requirements below.
- Session hosts must run Windows 10 multi-session 1903 or later, or Windows 11 multi-session.
- If the session hosts are builds 2004, 20H2, or 21H1, they need the Windows July 2021 update installed.
- The Azure Virtual Desktop Agent must be v1.0.2944.1400 or later.
- Hosts must be Azure AD joined or hybrid Azure AD joined.
- An Intune license with user or device benefits is required.
- Azure Active Directory Domain Services (Azure AD DS) is NOT supported.
For a complete and up-to-date list, see the Microsoft documentation.
Intune host enrollment
The first step in getting our hosts into Intune is to enroll them. How we enroll them depends on whether they are Azure AD joined or hybrid joined. Azure AD joined means not joined to on-premises Active Directory; the hosts are joined directly to Azure AD.
To manage this within Nerdio, make sure the "Sign up for Intune" option is checked in the Azure Active Directory configuration profile.
If our hosts are joined to Active Directory Domain Services (AD DS) and we want to manage them through Intune, we can perform a "hybrid join". A hybrid join "registers" the hosts in Intune so that we can view and manage them through the Intune portal. Hybrid join is set up with a group policy setting that instructs the hosts to enroll in Intune.
The group policy setting to configure is:
Computer Configuration > Administrative Templates > Windows Components > MDM > Enable MDM auto-enrollment with default Azure AD credentials.
Set "Select credential type to use" to Device Credential.
Once the AVD multi-session hosts have enrolled in Intune, they appear in the Intune portal, which you can access at https://intune.microsoft.com/
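To confirm on a given session host that the group policy above landed and that the host actually enrolled, the following added script (not from the original post or Nerdio) reads the registry values that this GPO writes (AutoEnrollMDM = 1 and UseAADCredentialType = 2 for the device credential) and parses the join state reported by dsregcmd. Run it in an elevated PowerShell session on the host.

```powershell
# Added example: verify MDM auto-enrollment policy and enrollment state on an AVD session host.
$mdmPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'

# "Enable MDM auto-enrollment with default Azure AD credentials" writes AutoEnrollMDM = 1;
# "Select credential type to use" = Device Credential writes UseAADCredentialType = 2.
$policy   = Get-ItemProperty -Path $mdmPolicyKey -ErrorAction SilentlyContinue
$policyOk = ($policy.AutoEnrollMDM -eq 1) -and ($policy.UseAADCredentialType -eq 2)

# dsregcmd /status prints "Key : Value" lines; collect them into a hashtable.
# The value side may itself contain colons (e.g. MdmUrl), so only the first colon splits.
$ds = @{}
dsregcmd /status | ForEach-Object {
    if ($_ -match '^\s*(\S[^:]*?)\s*:\s*(.+?)\s*$') { $ds[$matches[1]] = $matches[2] }
}
$aadJoined    = $ds['AzureAdJoined'] -eq 'YES'
$domainJoined = $ds['DomainJoined']  -eq 'YES'
$mdmUrl       = $ds['MdmUrl']   # only populated once the device has enrolled in an MDM

# Summarise: join type, whether the GPO is in place, and whether enrollment has completed.
[pscustomobject]@{
    ComputerName     = $env:COMPUTERNAME
    JoinType         = if ($aadJoined -and $domainJoined) { 'Hybrid Azure AD joined' }
                       elseif ($aadJoined)                { 'Azure AD joined' }
                       else                               { 'Not Azure AD joined' }
    AutoEnrollPolicy = $policyOk
    MdmEnrolled      = -not [string]::IsNullOrEmpty($mdmUrl)
    MdmUrl           = $mdmUrl
}
```

A host that shows AutoEnrollPolicy = True but MdmEnrolled = False has the policy but has not yet run the enrollment scheduled task; wait for the next policy refresh and check again before troubleshooting further.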
Intune policies and scopes
Once our devices are enrolled in Intune, we need to configure device scopes so that we can target configuration settings at the right hosts. Anything you do within Intune can be filtered and segmented by scope. The scope defines which targets we want to deploy configurations and apps to; we can also target Azure AD groups.
To manage AVD multi-session hosts through Intune, we must create the corresponding configuration profile. In the Intune portal, go to Devices > Windows > Configuration profiles > Create profile.
When creating the profile, in the configuration settings we can add a filter that targets only multi-session hosts. In the example below, we deploy the "Allow Camera" setting only to Windows 10/11 multi-session hosts.
What can Intune manage on Azure Virtual Desktop multi-session hosts?
Good, now we have our Windows 10/11 multi-session hosts enrolled in Intune; what can we do with them? Well, the answer is a lot! Here are some examples of what we can do:
Intune is gradually replacing Microsoft Endpoint Configuration Manager (SCCM, or System Center Configuration Manager to us oldies) as the preferred tool for deploying apps across the enterprise. The benefit of Intune for managing your devices is that it is a cloud-based SaaS service, so there are no servers to deploy in your environment; back-end configuration and updates are handled by Microsoft.
However, if you want to integrate Intune into your existing MECM environment, you can; this is called co-management. Please see this Microsoft article for more information.
Intune supports deploying various types of apps to Windows 10/11 multi-session hosts, but apps MUST be targeted in the device context, NOT the user context. Popular application types supported are .MSI, .IntuneWin and APPX/MSIX. For a full list, see the Microsoft documentation.
Applications should be assigned as "Required" rather than "Optional" at deployment time, as every user on the hosts needs the application.
Please note that deploying apps via MSIX app attach or directly to master images is NOT currently supported through Intune.
Security and Compliance
Intune can manage the security posture of your Windows 10/11 multi-session hosts through configuration policies and Windows security patch management through Windows Update for Business.
Intune includes security baseline policies; however, these are NOT supported on Windows 10 or Windows 11 multi-session, so you need to create your own policy configuration settings.
Intune also includes extensive compliance reporting capabilities. This allows us to monitor the security posture of our AVD session hosts and ensure that they all meet minimum security compliance requirements.
Defender management
With Microsoft Intune, we can monitor and manage Defender policies directly from the Intune console. Using the console, we can verify that all hosts are up to date and see information about any malware detected on our session hosts.
Defender for Endpoint can also be integrated into Intune for advanced threat protection.
Windows Update for Business can be integrated with Microsoft Intune so that you can control update settings on your AVD multi-session hosts.
Using Windows Update for Business, we can control update rings and feature updates for AVD multi-session hosts from the Intune portal. We can also use advanced compliance reporting to ensure that our hosts receive the necessary patches.
Caveats when managing multi-session hosts with Intune
There are a few things to keep in mind when managing your session hosts through Intune.
First, deploying apps to your master images using Intune is not currently supported. It is possible with a workaround, but Microsoft does not support it. If you want to deploy applications, they must be deployed directly to the session hosts.
Second, the time required to deploy applications and configurations can vary: sometimes only around 30 minutes, sometimes up to 24 hours. When deploying to session hosts, this should be monitored closely to ensure that users do not connect to hosts whose applications have not yet been deployed.
We recommend that you keep the session hosts in drain mode until you have confirmed that all configuration settings and applications have been successfully deployed.
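One way to enforce that recommendation from an admin workstation, as an added example that is not from the original post or Nerdio's tooling: put each host in drain mode, check inside the VM whether the Intune-deployed applications are present, and release the host only when nothing is missing. It assumes the Az.Accounts, Az.Compute and Az.DesktopVirtualization modules with an existing Connect-AzAccount session; the resource group, host pool and application names are placeholders.

```powershell
# Added example: hold AVD session hosts in drain mode until required Intune apps are installed.
$ResourceGroup = 'rg-avd-example'          # placeholder
$HostPool      = 'hp-multisession-example' # placeholder
# Display names (as shown under Programs and Features) of the apps Intune must have deployed.
$RequiredApps  = @('7-Zip', 'Microsoft Teams')

# Script run inside each VM: list installed application display names (64- and 32-bit hives).
$inventoryScript = @'
$keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
(Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue).DisplayName -join "`n"
'@

foreach ($sh in Get-AzWvdSessionHost -ResourceGroupName $ResourceGroup -HostPoolName $HostPool) {
    # Session host names come back as "<hostpool>/<fqdn>"; the VM name is the FQDN's first label.
    $hostName = ($sh.Name -split '/')[-1]
    $vmName   = $hostName.Split('.')[0]

    # 1. Make sure the host is draining so no new users land on it while apps may be pending.
    if ($sh.AllowNewSession) {
        Update-AzWvdSessionHost -ResourceGroupName $ResourceGroup -HostPoolName $HostPool `
            -Name $hostName -AllowNewSession:$false | Out-Null
    }

    # 2. Ask the VM what is installed and compare with the required list (prefix match on name).
    $run = Invoke-AzVMRunCommand -ResourceGroupName $ResourceGroup -VMName $vmName `
        -CommandId 'RunPowerShellScript' -ScriptString $inventoryScript
    $installed = ($run.Value | Where-Object Code -like '*StdOut*').Message -split "`n"
    $missing   = $RequiredApps | Where-Object { $req = $_; -not ($installed -like "$req*") }

    # 3. Release the host only when nothing is missing; otherwise leave it in drain mode.
    if ($missing) {
        Write-Host "$hostName stays in drain mode; missing: $($missing -join ', ')"
    } else {
        Update-AzWvdSessionHost -ResourceGroupName $ResourceGroup -HostPoolName $HostPool `
            -Name $hostName -AllowNewSession:$true | Out-Null
        Write-Host "$hostName released from drain mode; all required apps present."
    }
}
```

Because Intune delivery can take up to the 24 hours mentioned above, run this on a schedule rather than once; each run only releases hosts that have caught up.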
Microsoft Intune is a great tool for centrally managing all your devices, which may include AVD multi-session hosts.
When used correctly, it can be a great asset in your suite of tools, allowing you to manage and control your AVD session hosts to meet minimum security compliance requirements, as well as control the software and security updates applied to your session hosts.