Deploy Azure Virtual Desktop
Important
Azure Virtual Desktop for Azure Stack HCI is currently in preview for Azure Government and Azure China. See the Supplemental Terms of Use for Microsoft Azure Previews for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
This article shows you how to deploy Azure Virtual Desktop on Azure or Azure Stack HCI by using the Azure portal, Azure CLI, or Azure PowerShell. To deploy Azure Virtual Desktop you:
- Create a host pool.
- Create a workspace.
- Create an application group.
- Create session host virtual machines.
- Enable diagnostics settings (optional).
- Assign users or groups to the application group for users to get access to desktops and applications.
You can do all these tasks in a single process when using the Azure portal, but you can also do them separately.
For more information on the terminology used in this article, see Azure Virtual Desktop terminology, and to learn about the service architecture and resilience of the Azure Virtual Desktop service, see Azure Virtual Desktop service architecture and resilience.
Tip
The process covered in this article is an in-depth and adaptable approach to deploying Azure Virtual Desktop. If you want to try Azure Virtual Desktop with a simpler approach that deploys a sample Windows 11 desktop, see Tutorial: Deploy a sample Azure Virtual Desktop infrastructure with a Windows 11 desktop or use the quickstart.
Prerequisites
Review the Prerequisites for Azure Virtual Desktop for a general idea of what's required and supported, such as operating systems (OS), virtual networks, and identity providers. It also includes a list of the supported Azure regions in which you can deploy host pools, workspaces, and application groups. This list of regions is where the metadata for the host pool can be stored. However, session hosts can be located in any Azure region, and on-premises with Azure Stack HCI. For more information about the types of data and locations, see Data locations for Azure Virtual Desktop.
Select the relevant tab for your scenario for more prerequisites.
In addition, you need:
The Azure account you use must be assigned the following built-in role-based access control (RBAC) roles as a minimum on a resource group or subscription to create the following resource types. If you want to assign the roles to a resource group, you need to create this first.
| Resource type | RBAC role |
| --- | --- |
| Host pool, workspace, and application group | Desktop Virtualization Contributor |
| Session hosts (Azure) | Virtual Machine Contributor |
| Session hosts (Azure Stack HCI) | Azure Stack HCI VM Contributor |

Alternatively you can assign the Contributor RBAC role to create all of these resource types.
For ongoing management of host pools, workspaces, and application groups, you can use more granular roles for each resource type. For more information, see Built-in Azure RBAC roles for Azure Virtual Desktop.
To assign users to the application group, you'll also need Microsoft.Authorization/roleAssignments/write permissions on the application group. Built-in RBAC roles that include this permission are User Access Administrator and Owner.
Don't disable Windows Remote Management (WinRM) when creating session hosts using the Azure portal, as PowerShell DSC requires it.
To add session hosts on Azure Stack HCI, you'll also need:
An Azure Stack HCI cluster registered with Azure. Your Azure Stack HCI clusters need to be running a minimum of version 23H2. For more information, see Azure Stack HCI, version 23H2 deployment overview. Azure Arc virtual machine (VM) management is installed automatically.
A stable connection to Azure from your on-premises network.
At least one Windows OS image available on the cluster. For more information, see how to create VM images using Azure Marketplace images, use images in Azure Storage account, and use images in local share.
A logical network that you created on your Azure Stack HCI cluster. DHCP logical networks or static logical networks with automatic IP allocation are supported. For more information, see Create logical networks for Azure Stack HCI.
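The role prerequisites above can be checked before deployment. The following is an added example, not part of the original article: it takes role assignments in the shape returned by `az role assignment list -o json` and reports, per task, whether the account holds the narrow role the article names, only a broader one, or nothing sufficient. The subscription ID, resource group, and application group names are constructed placeholders.

```python
import json

# Narrowest built-in role the prerequisites name for each task.
LEAST_PRIVILEGE = {
    "create host pool/workspace/application group": "Desktop Virtualization Contributor",
    "create session hosts (Azure)": "Virtual Machine Contributor",
    "create session hosts (Azure Stack HCI)": "Azure Stack HCI VM Contributor",
    "assign users to application group": "User Access Administrator",
}
ASSIGN = "assign users to application group"
# Broader roles that also work. Contributor covers the create tasks only;
# Owner also includes Microsoft.Authorization/roleAssignments/write.
BROAD = {
    "Contributor": set(LEAST_PRIVILEGE) - {ASSIGN},
    "Owner": set(LEAST_PRIVILEGE),
}

def scope_covers(assigned: str, target: str) -> bool:
    """An assignment applies to its own scope and everything beneath it."""
    a, t = assigned.rstrip("/").lower(), target.rstrip("/").lower()
    return t == a or t.startswith(a + "/")

def preflight(assignments: list, targets: dict) -> dict:
    """Return {task: (status, role)} where status is ok, broad or missing."""
    report = {}
    for task, target in targets.items():
        roles = {a["roleDefinitionName"] for a in assignments
                 if scope_covers(a["scope"], target)}
        if LEAST_PRIVILEGE[task] in roles:
            report[task] = ("ok", LEAST_PRIVILEGE[task])
            continue
        broad = sorted(r for r in roles if task in BROAD.get(r, ()))
        report[task] = ("broad", broad[0]) if broad else ("missing", None)
    return report

# Constructed sample data: placeholder subscription, resource group and names.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg-avd-example"
APP_GROUP = RG + "/providers/Microsoft.DesktopVirtualization/applicationGroups/hp01-DAG"
SAMPLE = json.loads("""[
  {"roleDefinitionName": "Desktop Virtualization Contributor",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-avd-example"},
  {"roleDefinitionName": "Contributor",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"}
]""")
TARGETS = {
    "create host pool/workspace/application group": RG,
    "create session hosts (Azure)": RG,
    "create session hosts (Azure Stack HCI)": RG,
    ASSIGN: APP_GROUP,
}

if __name__ == "__main__":
    for task, (status, role) in preflight(SAMPLE, TARGETS).items():
        print(f"{status:8} {task}: {role}")
```

A `broad` result means the deployment will succeed but relies on a role wider than the task needs; `missing` on the assignment task reflects that Contributor doesn't include the role assignment write permission.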
Create a host pool
To create a host pool, select the relevant tab for your scenario and follow the steps.
Here's how to create a host pool using the Azure portal.
Sign in to the Azure portal.
In the search bar, enter Azure Virtual Desktop and select the matching service entry.
Select Host pools, then select Create.
On the Basics tab, complete the following information:
| Parameter | Value/Description |
| --- | --- |
| Subscription | Select the subscription you want to create the host pool in from the drop-down list. |
| Resource group | Select an existing resource group or select Create new and enter a name. |
| Host pool name | Enter a name for the host pool, for example hp01. |
| Location | Select the Azure region where you want to create your host pool. |
| Validation environment | Select Yes to create a host pool that is used as a validation environment. Select No (default) to create a host pool that isn't used as a validation environment. |
| Preferred app group type | Select the preferred application group type for this host pool from Desktop or RemoteApp. A Desktop application group is created automatically when using the Azure portal. |
| Host pool type | Select whether you want your host pool to be Personal or Pooled. If you select Personal, a new option appears for Assignment type. Select either Automatic or Direct. If you select Pooled, two new options appear for Load balancing algorithm and Max session limit. For Load balancing algorithm, choose either breadth-first or depth-first, based on your usage pattern. For Max session limit, enter the maximum number of users you want load-balanced to a single session host. For more information, see Host pool load balancing algorithms. |

Tip
Once you've completed this tab, you can continue to optionally create session hosts, a workspace, register the default desktop application group from this host pool, and enable diagnostics settings by selecting Next: Virtual Machines. Alternatively, if you want to create and configure these separately, select Next: Review + create and go to step 9.
Optional: On the Virtual machines tab, if you want to add session hosts, expand one of the following sections and complete the information, depending on whether you want to create session hosts on Azure or Azure Stack HCI. For guidance on sizing session host virtual machines, see Session host virtual machine sizing guidelines.
To add session hosts on Azure, select to expand this section.
| Parameter | Value/Description |
| --- | --- |
| Add virtual machines | Select Yes. This shows several new options. |
| Resource group | This automatically defaults to the same resource group you chose your host pool to be in on the Basics tab, but you can also select an alternative. |
| Name prefix | Enter a name for your session hosts, for example hp01-sh. This value is used as the prefix for your session hosts. Each session host has a suffix of a hyphen and then a sequential number added to the end, for example hp01-sh-0. This name prefix can be a maximum of 11 characters and is used in the computer name in the operating system. The prefix and the suffix combined can be a maximum of 15 characters. Session host names must be unique. |
| Virtual machine type | Select Azure virtual machine. |
| Virtual machine location | Select the Azure region where you want to deploy your session hosts. This must be the same region that your virtual network is in. |
| Availability options | Select from availability zones, availability set, or No infrastructure redundancy required. If you select availability zones or availability set, complete the extra parameters that appear. |
| Security type | Select from Standard, Trusted launch virtual machines, or Confidential virtual machines. If you select Trusted launch virtual machines, options for secure boot and vTPM are automatically selected. If you select Confidential virtual machines, options for secure boot, vTPM, and integrity monitoring are automatically selected. You can't opt out of vTPM when using a confidential VM. |
| Image | Select the OS image you want to use from the list, or select See all images to see more, including any images you've created and stored as an Azure Compute Gallery shared image or a managed image. |
| Virtual machine size | Select a SKU. If you want to use a different SKU, select Change size, then select from the list. |
| Hibernate | Check the box to enable hibernate. Hibernate is only available for personal host pools. For more information, see Hibernation in virtual machines. If you're using Teams media optimizations you should update the WebRTC redirector service to 1.45.2310.13001. FSLogix and app attach currently don't support hibernate. Don't enable hibernate if you're using FSLogix or app attach for your personal host pools. |
| Number of VMs | Enter the number of virtual machines you want to deploy. You can deploy up to 400 session hosts at this point if you wish (depending on your subscription quota), or you can add more later. For more information, see Azure Virtual Desktop service limits and Virtual Machines limits. |
| OS disk type | Select the disk type to use for your session hosts. We recommend only Premium SSD is used for production workloads. |
| OS disk size | Select a size for the OS disk. If you enable hibernate, ensure the OS disk is large enough to store the contents of the memory in addition to the OS and other applications. |
| Confidential computing encryption | If you're using a confidential VM, you must select the Confidential compute encryption check box to enable OS disk encryption. This check box only appears if you selected Confidential virtual machines as your security type. |
| Boot Diagnostics | Select whether you want to enable boot diagnostics. |
| Network and security | |
| Virtual network | Select your virtual network. An option to select a subnet appears. |
| Subnet | Select a subnet from your virtual network. |
| Network security group | Select whether you want to use a network security group (NSG). None doesn't create a new NSG. Basic creates a new NSG for the VM NIC. Advanced enables you to select an existing NSG. We recommend that you don't create an NSG here, but create an NSG on the subnet instead. |
| Public inbound ports | You can select a port to allow from the list. Azure Virtual Desktop doesn't require public inbound ports, so we recommend you select No. |
| Domain to join | |
| Select which directory you would like to join | Select from Microsoft Entra ID or Active Directory and complete the relevant parameters for the option you select. |
| Virtual Machine Administrator account | |
| Username | Enter a name to use as the local administrator account for the new session hosts. |
| Password | Enter a password for the local administrator account. |
| Confirm password | Reenter the password. |
| Custom configuration | |
| Custom configuration script URL | If you want to run a PowerShell script during deployment you can enter the URL here. |

To add session hosts on Azure Stack HCI, select to expand this section.
| Parameter | Value/Description |
| --- | --- |
| Add virtual machines | Select Yes. This shows several new options. |
| Resource group | This automatically defaults to the resource group you chose your host pool to be in on the Basics tab, but you can also select an alternative. |
| Name prefix | Enter a name for your session hosts, for example hp01-sh. This value is used as the prefix for your session hosts. Each session host has a suffix of a hyphen and then a sequential number added to the end, for example hp01-sh-0. This name prefix can be a maximum of 11 characters and is used in the computer name in the operating system. The prefix and the suffix combined can be a maximum of 15 characters. Session host names must be unique. |
| Virtual machine type | Select Azure Stack HCI virtual machine. |
| Custom location | Select the Azure Stack HCI cluster where you want to deploy your session hosts from the drop-down list. |
| Images | Select the OS image you want to use from the list, or select Manage VM images to manage the images available on the cluster you selected. |
| Number of VMs | Enter the number of virtual machines you want to deploy. You can add more later. |
| Virtual processor count | Enter the number of virtual processors you want to assign to each session host. This value isn't validated against the resources available in the cluster. |
| Memory type | Select Static for a fixed memory allocation, or Dynamic for a dynamic memory allocation. |
| Memory (GB) | Enter a number for the amount of memory in GB you want to assign to each session host. This value isn't validated against the resources available in the cluster. |
| Maximum memory | If you selected dynamic memory allocation, enter a number for the maximum amount of memory in GB you want your session host to be able to use. |
| Minimum memory | If you selected dynamic memory allocation, enter a number for the minimum amount of memory in GB you want your session host to be able to use. |
| Network and security | |
| Network dropdown | Select an existing network to connect each session to. |
| Domain to join | |
| Select which directory you would like to join | Active Directory is the only available option. |
| AD domain join UPN | Enter the User Principal Name (UPN) of an Active Directory user that has permission to join the session hosts to your domain. |
| Password | Enter the password for the Active Directory user. |
| Specify domain or unit | Select yes if you want to join session hosts to a specific domain or be placed in a specific organization unit (OU). If you select no, the suffix of the UPN will be used as the domain. |
| Virtual Machine Administrator account | |
| Username | Enter a name to use as the local administrator account for the new session hosts. |
| Password | Enter a password for the local administrator account. |
| Confirm password | Reenter the password. |

Once you've completed this tab, select Next: Workspace.
Optional: On the Workspace tab, if you want to create a workspace and register the default desktop application group from this host pool, complete the following information:
| Parameter | Value/Description |
| --- | --- |
| Register desktop app group | Select Yes. This registers the default desktop application group to the selected workspace. |
| To this workspace | Select an existing workspace from the list, or select Create new and enter a name, for example ws01. |

Once you've completed this tab, select Next: Advanced.
Optional: On the Advanced tab, if you want to enable diagnostics settings, complete the following information:
| Parameter | Value/Description |
| --- | --- |
| Enable diagnostics settings | Check the box. |
| Choosing destination details to send logs to | Select one of the following destinations: Send to Log Analytics workspace, Archive to storage account, or Stream to an event hub. |

Once you've completed this tab, select Next: Tags.
Optional: On the Tags tab, you can enter any name/value pairs you need, then select Next: Review + create.
On the Review + create tab, ensure validation passes and review the information that is used during deployment.
Select Create to create the host pool.
Once the host pool has been created, select Go to resource to go to the overview of your new host pool, then select Properties to view its properties.
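The limits and recommendations stated for the Virtual machines tab on Azure can be checked against a planned configuration before it's entered in the portal. The following is an added example, not part of the original article; the `SessionHostPlan` fields and the `lint` function are hypothetical names, and the sample plans are constructed.

```python
from dataclasses import dataclass

@dataclass
class SessionHostPlan:
    """Planned values for the Virtual machines tab (hypothetical field names)."""
    name_prefix: str
    vm_count: int
    host_pool_type: str                 # "Personal" or "Pooled"
    security_type: str                  # "Standard", "Trusted launch", "Confidential"
    vm_region: str
    vnet_region: str
    os_disk_type: str = "Premium SSD"
    production: bool = True
    hibernate: bool = False
    uses_fslogix_or_app_attach: bool = False
    confidential_compute_encryption: bool = False
    nic_nsg: str = "None"               # "None", "Basic" or "Advanced"
    public_inbound_ports: bool = False

def lint(plan: SessionHostPlan, first_index: int = 0) -> list:
    """Return (severity, message) pairs: 'error' for limits and requirements
    the article states, 'warn' for its recommendations."""
    out = []
    if len(plan.name_prefix) > 11:
        out.append(("error", "name prefix exceeds 11 characters"))
    if not 1 <= plan.vm_count <= 400:
        out.append(("error", "number of VMs must be between 1 and 400 per deployment"))
    # The suffix is a hyphen plus a sequential number, so the last host
    # created has the longest computer name.
    last = f"{plan.name_prefix}-{first_index + plan.vm_count - 1}"
    if len(last) > 15:
        out.append(("error", f"computer name '{last}' exceeds 15 characters"))
    if plan.vm_region.lower() != plan.vnet_region.lower():
        out.append(("error", "session hosts must be in the virtual network's region"))
    if plan.hibernate and plan.host_pool_type != "Personal":
        out.append(("error", "hibernate is only available for personal host pools"))
    if plan.hibernate and plan.uses_fslogix_or_app_attach:
        out.append(("error", "FSLogix and app attach don't support hibernate"))
    if plan.security_type == "Confidential" and not plan.confidential_compute_encryption:
        out.append(("error", "confidential VMs need Confidential compute encryption"))
    if plan.public_inbound_ports:
        out.append(("warn", "public inbound ports aren't required; select No"))
    if plan.nic_nsg == "Basic":
        out.append(("warn", "Basic creates an NSG on the VM NIC; use a subnet NSG instead"))
    if plan.production and plan.os_disk_type != "Premium SSD":
        out.append(("warn", "Premium SSD is recommended for production workloads"))
    return out

# Constructed sample plans.
GOOD = SessionHostPlan("hp01-sh", 400, "Pooled", "Trusted launch", "uksouth", "uksouth")
BAD = SessionHostPlan(
    name_prefix="finance-eu-sh", vm_count=12, host_pool_type="Pooled",
    security_type="Confidential", vm_region="westeurope", vnet_region="northeurope",
    os_disk_type="Standard HDD", hibernate=True, nic_nsg="Basic",
    public_inbound_ports=True,
)

if __name__ == "__main__":
    for severity, message in lint(BAD):
        print(f"{severity:5} {message}")
```

The `first_index` parameter is an assumption for adding hosts to a pool that already has some: an 11-character prefix leaves room for only a three-digit sequential number within the 15-character limit.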
Post deployment
If you also added session hosts to your host pool, there's some extra configuration you need to do, which is covered in the following sections.
Licensing
To ensure your session hosts have licenses applied correctly, you'll need to do the following tasks:
If you have the correct licenses to run Azure Virtual Desktop workloads, you can apply a Windows or Windows Server license to your session hosts as part of Azure Virtual Desktop and run them without paying for a separate license. This is automatically applied when creating session hosts with the Azure Virtual Desktop service, but you may have to apply the license separately if you create session hosts outside of Azure Virtual Desktop. For more information, see Apply a Windows license to session host virtual machines.
If your session hosts are running a Windows Server OS, you'll also need to issue them a Remote Desktop Services (RDS) Client Access License (CAL) from a Remote Desktop Licensing Server. For more information, see License your RDS deployment with client access licenses (CALs).
For session hosts on Azure Stack HCI, you must license and activate the virtual machines you use before you use them with Azure Virtual Desktop. For activating Windows 10 and Windows 11 Enterprise multi-session, and Windows Server 2022 Datacenter: Azure Edition, use Azure verification for VMs. For all other OS images (such as Windows 10 and Windows 11 Enterprise, and other editions of Windows Server), you should continue to use existing activation methods. For more information, see Activate Windows Server VMs on Azure Stack HCI.
Note
To ensure continued functionality with the latest security update, update your VMs on Azure Stack HCI to the latest cumulative update by June 17, 2024. This update is essential for VMs to continue using Azure benefits. For more information, see Azure verification for VMs.
Microsoft Entra joined session hosts
For session hosts on Azure that are joined to Microsoft Entra ID, you'll also need to enable single sign-on or legacy authentication protocols, assign an RBAC role to users, and review your multifactor authentication policies so they can sign in to the VMs.
For more information about using Microsoft Entra joined session hosts, see Microsoft Entra joined session hosts.
Note
If you created a host pool, workspace, and registered the default desktop application group from this host pool in the same process, go to the section Assign users to an application group and complete the rest of the article. A Desktop application group is created automatically when using the Azure portal, whichever application group type you set as the preferred.
If you created a host pool and workspace in the same process, but didn't register the default desktop application group from this host pool, go to the section Create an application group and complete the rest of the article.
If you didn't create a workspace, continue to the next section and complete the rest of the article.
Create a workspace
Next, to create a workspace, select the relevant tab for your scenario and follow the steps.
Here's how to create a workspace using the Azure portal.
From the Azure Virtual Desktop overview, select Workspaces, then select Create.
On the Basics tab, complete the following information:
| Parameter | Value/Description |
| --- | --- |
| Subscription | Select the subscription you want to create the workspace in from the drop-down list. |
| Resource group | Select an existing resource group or select Create new and enter a name. |
| Workspace name | Enter a name for the workspace, for example workspace01. |
| Friendly name | Optional: Enter a friendly name for the workspace. |
| Description | Optional: Enter a description for the workspace. |
| Location | Select the Azure region where you want to deploy your workspace. |

Tip
Once you've completed this tab, you can continue to optionally register an existing application group to this workspace, if you have one, and enable diagnostics settings by selecting Next: Application groups. Alternatively, if you want to create and configure these separately, select Review + create and go to step 9.
Optional: On the Application groups tab, if you want to register an existing application group to this workspace, complete the following information:
| Parameter | Value/Description |
| --- | --- |
| Register application groups | Select Yes, then select + Register application groups. In the new pane that opens, select the Add icon for the application group(s) you want to add, then select Select. |

Once you've completed this tab, select Next: Advanced.
Optional: On the Advanced tab, if you want to enable diagnostics settings, complete the following information:
| Parameter | Value/Description |
| --- | --- |
| Enable diagnostics settings | Check the box. |
| Choosing destination details to send logs to | Select one of the following destinations: Send to Log Analytics workspace, Archive to storage account, or Stream to an event hub. |

Once you've completed this tab, select Next: Tags.
Optional: On the Tags tab, you can enter any name/value pairs you need, then select Next: Review + create.
On the Review + create tab, ensure validation passes and review the information that is used during deployment.
Select Create to create the workspace.
Once the workspace has been created, select Go to resource to go to the overview of your new workspace, then select Properties to view its properties.
Note
If you added an application group to this workspace, go to the section Assign users to an application group and complete the rest of the article.
If you didn't add an application group to this workspace, continue to the next section and complete the rest of the article.
Create an application group
To create an application group, select the relevant tab for your scenario and follow the steps.
Here's how to create an application group using the Azure portal.
From the Azure Virtual Desktop overview, select Application groups, then select Create.
On the Basics tab, complete the following information:
| Parameter | Value/Description |
| --- | --- |
| Subscription | Select the subscription you want to create the application group in from the drop-down list. |
| Resource group | Select an existing resource group or select Create new and enter a name. |
| Host pool | Select the host pool for the application group. |
| Location | Metadata is stored in the same location as the host pool. |
| Application group type | Select the application group type for the host pool you selected from Desktop or RemoteApp. |
| Application group name | Enter a name for the application group, for example Session Desktop. |

Tip
Once you've completed this tab, select Next: Review + create. You don't need to complete the other tabs to create an application group, but you'll need to create a workspace, add an application group to a workspace and assign users to the application group before users can access the resources.
If you created an application group for RemoteApp, you will also need to add applications to it. For more information, see Publish applications.
Optional: If you selected to create a RemoteApp application group, you can add applications to this application group. On the Application groups tab, select + Add applications, then select an application. For more information on the application parameters, see Publish applications with RemoteApp. At least one session host in the host pool must be powered on and available in Azure Virtual Desktop.
Once you've completed this tab, or if you're creating a desktop application group, select Next: Assignments.
Optional: On the Assignments tab, if you want to assign users or groups to this application group, select + Add Microsoft Entra users or user groups. In the new pane that opens, check the box next to the users or groups you want to add, then select Select.
Once you've completed this tab, select Next: Workspace.
Optional: On the Workspace tab, if you're creating a desktop application group, you can register the default desktop application group from the host pool you selected by completing the following information:
| Parameter | Value/Description |
| --- | --- |
| Register application group | Select Yes. This registers the default desktop application group to the selected workspace. |
| Register application group | Select an existing workspace from the list. |

Once you've completed this tab, select Next: Advanced.
Optional: If you want to enable diagnostics settings, on the Advanced tab, complete the following information:
| Parameter | Value/Description |
| --- | --- |
| Enable diagnostics settings | Check the box. |
| Choosing destination details to send logs to | Select one of the following destinations: Send to Log Analytics workspace, Archive to storage account, or Stream to an event hub. |

Once you've completed this tab, select Next: Tags.
Optional: On the Tags tab, you can enter any name/value pairs you need, then select Next: Review + create.
On the Review + create tab, ensure validation passes and review the information that is used during deployment.
Select Create to create the application group.
Once the application group has been created, select Go to resource to go to the overview of your new application group, then select Properties to view its properties.
Note
If you created a desktop application group, assigned users or groups, and registered the default desktop application group to a workspace, your assigned users can connect to the desktop and you don't need to complete the rest of the article.
If you created a RemoteApp application group, added applications, and assigned users or groups, go to the section Add an application group to a workspace and complete the rest of the article.
If you didn't add applications, assign users or groups, or register the application group to a workspace, continue to the next section and complete the rest of the article.
Add an application group to a workspace
Next, to add an application group to a workspace, select the relevant tab for your scenario and follow the steps.
Here's how to add an application group to a workspace using the Azure portal.
From the Azure Virtual Desktop overview, select Workspaces, then select the name of the workspace you want to assign an application group to.
From the workspace overview, select Application groups, then select + Add.
Select the plus icon (+) next to an application group from the list. Only application groups that aren't already assigned to a workspace are listed.
Select Select. The application group is added to the workspace.
Assign users to an application group
Finally, to assign users or user groups to an application group, select the relevant tab for your scenario and follow the steps. We recommend you assign user groups to application groups to make ongoing management simpler.
Here's how to assign users or user groups to an application group using the Azure portal.
From the Azure Virtual Desktop overview, select Application groups.
Select the application group from the list.
From the application group overview, select Assignments.
Select + Add, then search for and select the user account or user group you want to assign to this application group.
Finish by selecting Select.
Next steps
Once you've deployed Azure Virtual Desktop, your users can connect. There are several platforms you can connect from, including from a web browser. For more information, see Remote Desktop clients for Azure Virtual Desktop and Connect to Azure Virtual Desktop with the Remote Desktop Web client.
Here are some extra tasks you might want to do:
Configure profile management with FSLogix. To learn more, see User profile management for Azure Virtual Desktop with FSLogix profile containers.