Introduction
Select Start to continue.
Azure Virtual Desktop on Microsoft Azure is a desktop and app virtualization service that provides an efficient and flexible approach to desktop virtualization without compromising control. Azure Virtual Desktop works across devices and apps with full-featured experiences for Windows, iOS, Mac, Android – as well as a web-based experience (accessible from modern browsers).
There are a number of organizational benefits to using Azure Virtual Desktop, helping your organization:
- Simplify your virtual desktop and app deployment with a cloud-based service that’s always up to date.
- Securely access your desktops and apps from anywhere on any device.
- Scale quickly as your needs change with an Azure-native service that’s easy to manage.
- Optimize costs by only paying for what you use with a consumption-based pricing model that lets you bring your existing licenses.
There are 3 interactive demos to choose from:
- Deployment – choose from one of 3 deployment options for Azure Virtual Desktop ranging from a test deployment to a larger scale enterprise deployment.
- App Attach – learn how to dynamically attach applications from an application package to a user session in Azure Virtual Desktop.
- Securing client access – configure Intune Mobile Application Management (MAM) support for Windows App on iOS and Android.
Choose one of the options to begin.
This interactive guide provides an instructional walkthrough of the 3 deployment options for Azure Virtual Desktop, namely:
- Quickstart – a fast and easy way to get up and running with AVD. Quickstart is great for test driving AVD to familiarize yourself with the product, but not recommended for production deployment.
- Creating a host pool – this is the standard deployment option and offers maximum flexibility when deciding on resource configuration, VM size and image, security and availability, etc.
- Azure Virtual Desktop Landing Zone Accelerator (LZA) – The LZA is a fully guided deployment experience to get you up and running with an enterprise-scale AVD deployment that fits your organization’s needs.
When you are ready to begin, select one of the 3 deployment options at left to navigate to the corresponding interactive guide.
In this interactive demo, you will use the Azure Virtual Desktop (AVD) Quickstart feature to set up Azure Virtual Desktop in minutes. Quickstart enables you to easily evaluate a Windows 11 Enterprise multi-session Azure Virtual Desktop deployment and become familiar with the service before deploying it in production.
When you use Quickstart, it deploys a small environment consisting of minimal resources and configuration. A user can then sign into Windows App and connect to a full virtual desktop session. Deployment takes approximately 20 minutes to complete.
In this exercise, you will briefly review the prerequisites for AVD quickstart deployment – then you will use Quickstart to deploy AVD for Contoso and review the resources created during deployment.
Note: For an Azure Virtual Desktop production deployment at scale, Enterprises should plan using information from Enterprise-scale support for Microsoft Azure Virtual Desktop. You can also review the deployment how-to guide on Microsoft Learn for more granular steps and options.
When you are ready to begin – select exercise 1 to continue.
In order to deploy AVD using Quickstart, you will need an account with the Contributor and User Access Administrator RBAC roles assigned on the subscription (at a minimum) and available quota for Standard_D4ds_v4 VMs (the VM SKU deployed by Quickstart). For a complete list of prerequisites, including admin permissions and VM quota requirements, consult the AVD Quickstart prerequisites.
With those prerequisites satisfied, you only need to update an existing Azure subscription to register the Microsoft.DesktopVirtualization resource provider.
There are no additional license costs involved in deploying and using Azure Virtual Desktop—it can be used with your existing eligible Microsoft 365 or Windows per-user license. Your organization only pays for the Azure resources used by Azure Virtual Desktop.
There are a number of ways to optimize compute costs, including:
- Enabling multiple users to be logged into a single VM with multi-session capability.
- Scheduling breadth/depth load balancing across VMs to optimize utilization for your organization.
- Right-sizing virtual machines (VMs) and shutting them down when not in use.
- Buying one-year or three-year Azure Reserved Virtual Machine Instances to save you up to 72 percent versus pay-as-you-go pricing.
This guide is focused on the Quickstart experience and doesn’t go into depth on cost optimization. We will simply be updating your existing Azure Subscription to enable Azure Virtual Desktop deployment.
We’ll begin in the Azure Portal, logged in as admin@contoso.com. Under Azure Services, select Subscriptions.
On the Subscriptions page, select Contoso Azure Subscription.
On the Contoso Azure Subscription page, select Resource providers.
Click in the Filter by name field to type – then type or copy/paste Microsoft.Desktop and press Enter.
Select Microsoft.DesktopVirtualization and then click Register.
You have successfully registered the resource provider. You are now ready to begin deploying Azure Virtual Desktop.
Click anywhere on the screen to continue.
Select an exercise to continue.
In this exercise, you will be using the Quickstart feature to carry out a simple Azure Virtual Desktop deployment for evaluation purposes at Contoso prior to proceeding with a full Enterprise deployment. Once you've finished, a user will be able to sign in to a full virtual desktop session.
Beginning on the Azure Portal Home page, under Azure Services, select Azure Virtual Desktop.
On the Azure Virtual Desktop page, select Quickstart in the left navigation.
Locate the Get started quickly with Azure Virtual Desktop tile and select Create.
On the Basics tab, verify that the Contoso Azure Subscription is being used, then click to expand the Location menu and select West US.
Specify a local administrator account to be configured on the deployed session host:
- User name: select the field to type, then type or copy/paste localadmin and press Enter.
- Password: select the field to type, then type or copy/paste password and press Enter.
- Confirm Password: select the field to type, then type or copy/paste password and press Enter.
The value password is used here only because this is a throwaway demo environment. This account has local administrator rights on the session host, so in any real deployment use a long, unique password (or a generated one stored in Key Vault) and never a value that appears in documentation.
Next to User Assignment, click on Select maximum two users.
Select Adele Vance and then select Allan Deyoung, then click Select.
Verify that Adele and Allan are now listed and select Next: Review and create.
Once validation has completed successfully, select Create to begin the deployment.
Azure Virtual Desktop deployment has succeeded.
Click anywhere on the screen to continue to the next exercise, where you will review some of the key resources that have been created.
Select an exercise to continue.
When the AVD Quickstart deployment completes successfully, it will have deployed a number of resources including:
- A resource group.
- A virtual network and subnet with the IPv4 address space 192.168.0.0/24, using Azure-provided DNS servers.
- A network security group associated with the subnet of the virtual network with the default rules only. No inbound rules are required for Azure Virtual Desktop.
- A host pool with single sign-on (SSO) enabled.
- A session host running Windows 11 Enterprise multi-session with Microsoft 365 apps preinstalled in English (US). It's a Standard_D4ds_v4 size virtual machine (4 vCPUs, 16 GiB memory) configured with a standard SSD disk, and is joined to Microsoft Entra ID.
- An application group that publishes the full desktop from the session host.
- A workspace.
Begin by reviewing the Host pool.
Click to expand the Manage node in the left navigation and then select Host pools.
A host pool is a collection of Azure virtual machines that register to Azure Virtual Desktop as session hosts when you run the Azure Virtual Desktop agent. All session host virtual machines in a host pool should be sourced from the same image for a consistent user experience.
You control the resources published to users through application groups.
A host pool can be one of two types:
- Personal, where each session host is assigned to an individual user. Personal host pools provide dedicated desktops to end-users that optimize environments for performance and data separation.
- Pooled, where user sessions can be load balanced to any session host in the host pool. There can be multiple different users on a single session host at the same time. Pooled host pools provide a shared remote experience to end-users, which ensures lower costs and greater efficiency.
Quickstart creates a multi-session pooled environment to maximize efficiency for Contoso.
On the Host Pools page, select vdpool-avd-quickstart-2501132017 to view more detail on the host pool created by Quickstart.
Select Total Machines – 1 to continue to the Session Hosts page and review the virtual machine provisioned.
On the Session Hosts page, you can see the virtual machine that you provisioned is available and healthy.
Select Azure Virtual Desktop | Host pools in the navigation breadcrumb in the upper left to return to that page.
We’ll now review the application group associated with this host pool. An application group is a logical grouping of applications installed on session hosts in the host pool.
Select Application groups in the left navigation and then select vdag-avd-quickstart.
An application group can be one of two types:
- Desktop - where users access the full desktop. Available with pooled or personal host pools.
- RemoteApp - where users access the applications you individually select and publish to the application group. Available with pooled host pools only.
By default, Azure Virtual Desktop automatically creates a Desktop application group with the friendly name Default Desktop whenever you create a host pool and sets the host pool's preferred application group type to Desktop.
Select Manage in the left navigation and then select Applications to view more information on the applications users will see in their feed when assigned to this application group.
Quickstart adds the SessionDesktop to the application group by default.
In addition to the applications themselves – it is important to understand the users/groups who have been assigned to this application group.
Select Assignments in the left navigation of the Applications pane.
Currently, Adele Vance and Allan Deyoung have been assigned to the application group. After you've assigned users to their application groups, they can connect to an Azure Virtual Desktop deployment with any of the supported Azure Virtual Desktop clients.
By selecting +Add, an administrator can add additional users and/or groups, allowing them access to the associated applications.
Having reviewed the apps and assignments for the application group – we’ll take a look at the Workspace. Select Workspaces in the left navigation of the Azure Virtual Desktop | Application groups page.
A workspace is a logical grouping of application groups in Azure Virtual Desktop. Each Azure Virtual Desktop application group must be associated with a workspace for users to see the desktops and applications published to them.
Select vdws-avd-quickstart to view more detail regarding the workspace created by Quickstart.
Select Manage in the left navigation to expand that node and then select Application groups.
You can now confirm that the Default Desktop application group (vdag-avd-quickstart) has been associated with this workspace.
You have successfully completed this exercise – Click anywhere on the screen to continue to the next exercise.
Select an exercise to continue.
With our Azure Virtual Desktop environment up and running, let’s review the employee experience. In this case, we will be reviewing Adele Vance’s (a Contoso employee) experience when accessing Azure Virtual Desktop via Windows App on their Windows 11 Laptop.
Note: Adele is currently licensed for Microsoft 365 E3 – which includes Windows 11 Enterprise and the M365 Apps.
Available for Windows, macOS, iOS and iPadOS, and in web browsers, Windows App provides a direct path to your Cloud PC from the taskbar or Start menu on Windows 11 devices. Windows App enables employees to enjoy the full Windows 11 experience while moving between their local and Cloud PCs, and the Cloud PC can be used in a window or full screen.
Windows App is designed with a customizable home screen to cater to your unique workflow needs. You can access Windows across multiple different services and remote PCs from a single place, and pin your favorites you access most. The app delivers high-performing and reliable experiences for Microsoft Teams and your other Microsoft 365 apps as well as other features to enhance your remote experience, such as:
- Multiple monitor support.
- Custom display resolutions.
- Dynamic display resolutions and scaling.
- Device redirection, such as webcams, audio, storage devices, and printers.
- Regular and automatic app updates mean you’re always using the most up-to-date version of Windows App.
In addition to Azure Virtual Desktop, Windows App securely connects you to Windows devices and apps on a device of your choice from:
- Windows 365 Cloud PC
- Microsoft Dev Box
- Remote Desktop Services
- Remote PC
Windows App is available on Windows, macOS, iOS and iPadOS, and web browsers. Windows App can also be downloaded and installed from the Microsoft Store.
Starting in the Windows App on Adele’s Windows 11 PC, select Sign in.
Select Adele Vance to sign in using Adele Vance’s credentials.
Review and click through the introductory content.
Once you have clicked through the first-run experience you will land on the Home screen of the Windows App, displaying any devices which Adele has chosen to pin to their home screen. As this is Adele’s first time using the app, they haven’t added any devices to their favorites yet.
Select Go to devices to view all of Adele’s devices.
Adele currently has access to one Azure Virtual Desktop session desktop. Select the ‘…’ (three dots) management menu for Adele’s Azure Virtual Desktop to review the available capabilities and then select Favorite.
Once the Azure Virtual Desktop has been successfully added to Favorites, select Go to Favorites on the notification.
Close the Marked as Favorite notification and then select Connect to connect to Adele’s Azure Virtual Desktop session host.
Authenticate using Adele’s password - select the field to type and then type or copy/paste password and press Enter or click Sign in.
By default, using single sign-on requires the user to grant permission to connect to the session host, which lasts for 30 days before prompting again. In a production deployment, you can hide this dialog by configuring a list of trusted devices. For more information, see Configure single sign-on for Azure Virtual Desktop using Microsoft Entra ID.
To grant permission, at the prompt Allow remote desktop connection, select Yes.
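As an added illustration (not part of the original guide), the following PowerShell configures that trusted-device list with the Microsoft Graph PowerShell SDK, following the approach in the Microsoft Learn article referenced above. The group name Contoso-Trusted-Devices is an assumption; the application IDs are the first-party IDs for Microsoft Remote Desktop and Windows Cloud Login. Run it against a test tenant before production.

```powershell
# Added example (not from the original guide): hide the per-device
# "Allow remote desktop connection" prompt only for devices in a trusted group.
# Requires the Microsoft.Graph.Applications and Microsoft.Graph.Groups modules.
# ASSUMPTION: a security group named 'Contoso-Trusted-Devices' (for example one
# populated from Intune-compliant devices) already exists in the tenant.

$TrustedGroupName = 'Contoso-Trusted-Devices'

# Scopes needed to read service principals/groups and write the RDP security configuration.
Connect-MgGraph -Scopes 'Application.Read.All', 'Application-RemoteDesktopConfig.ReadWrite.All', 'Group.Read.All'

# First-party application IDs used by the SSO flow.
$AppIds = @(
    'a4a365df-50f1-4397-bc59-1a1564b8bb9c'   # Microsoft Remote Desktop
    '270efc09-cd0d-444b-a71f-39af4910ec45'   # Windows Cloud Login
)

$Group = Get-MgGroup -Filter "displayName eq '$TrustedGroupName'"
if (-not $Group) { throw "Group '$TrustedGroupName' not found; create it before scoping SSO trust." }

foreach ($AppId in $AppIds) {
    $Sp = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
    if (-not $Sp) {
        # The service principal appears on first use in a tenant; create it if missing.
        $Sp = New-MgServicePrincipal -AppId $AppId
    }

    # 1. Ensure the RDP protocol is enabled for SSO on this service principal.
    $Config = Get-MgServicePrincipalRemoteDesktopSecurityConfiguration -ServicePrincipalId $Sp.Id
    if ($Config.IsRemoteDesktopProtocolEnabled -ne $true) {
        Update-MgServicePrincipalRemoteDesktopSecurityConfiguration -ServicePrincipalId $Sp.Id -IsRemoteDesktopProtocolEnabled
    }

    # 2. Add the trusted device group. Members skip the consent dialog; every
    #    other device still gets the prompt, which is the safe default.
    $Existing = Get-MgServicePrincipalRemoteDesktopSecurityConfigurationTargetDeviceGroup -ServicePrincipalId $Sp.Id
    if ($Existing.Id -notcontains $Group.Id) {
        $Tdg = New-Object -TypeName Microsoft.Graph.PowerShell.Models.MicrosoftGraphTargetDeviceGroup
        $Tdg.Id = $Group.Id
        $Tdg.DisplayName = $Group.DisplayName
        New-MgServicePrincipalRemoteDesktopSecurityConfigurationTargetDeviceGroup -ServicePrincipalId $Sp.Id -BodyParameter $Tdg | Out-Null
    }

    # Show the resulting trust list for review.
    Get-MgServicePrincipalRemoteDesktopSecurityConfigurationTargetDeviceGroup -ServicePrincipalId $Sp.Id |
        Select-Object @{ n = 'AppId'; e = { $AppId } }, Id, DisplayName
}
```

Scoping the trust to a group of managed (for example Intune-compliant) devices keeps the consent prompt for everything else. That prompt is the user's chance to notice a connection they did not initiate, so it should only be suppressed where device trust is already established.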
Adele’s Azure Virtual Desktop is now open in full screen mode. Click on the Windows Start button to review the Microsoft 365 applications that have already been installed and are ready to use.
Congratulations – you have completed this exercise. Click anywhere on the screen to continue.
Select any exercise to review or select the home button on the toolbar to return to the main menu.
In this interactive demo, you will be deploying Azure Virtual Desktop (AVD) for Contoso by creating a new host pool using the Azure Portal. This approach to deploying AVD is documented in the Microsoft Learn Article entitled Deploy Azure Virtual Desktop.
Creating a new host pool is the default deployment option for AVD, and provides maximum flexibility when deciding on resource configuration, VM size and image, security and availability, etc.
When you create a host pool, you can choose one of two management approaches:
- Session host configuration (preview) - Available for pooled host pools with session hosts on Azure. Azure Virtual Desktop manages the lifecycle of session hosts in a pooled host pool for you by using a combination of native features to provide an integrated and dynamic experience.
- Standard management - Available for pooled and personal host pools with session hosts on Azure or Azure Local. You manage creating, updating, and scaling session hosts in a host pool.
In this scenario you are an administrator for Contoso, a small enterprise, deploying AVD with session host configuration to production in an existing Azure environment.
As such, you will be completing the following exercises:
- Create a new Azure Virtual Desktop host pool with session host configuration
- Grant access to employees
- Review the employee experience when signing in to an AVD VM for the first time.
When you are ready to begin, select Exercise 1.
Achieving consistency across session hosts to provide users with a shared and secure experience can be a challenge when managing host pools. The new session host configuration feature addresses this by allowing administrators to set specific parameters—such as virtual machine (VM) type, region, and image—that all session hosts within a pool will follow. Built-in parameter validation during configuration creation, such as verifying that the VM is available in the specified region, helps prevent errors and maintain uniformity across the host pool. By defining these properties up front, admins can streamline the deployment of session hosts, improve the end-user experience, and simplify troubleshooting.
Traditionally, updating session hosts has required custom automation, scripting, or other tools. The session host updating capability allows admins to modify the host pool’s session host configuration and roll out changes to existing hosts in batches, minimizing downtime. By scheduling updates and using test VMs for validation, administrators can smoothly implement changes without interrupting users. The batch update functionality will also roll back an update batch if errors are encountered, which reduces the risk of unhealthy session hosts after an update.
You have already taken care of the prerequisites for deployment of a new AVD host pool with session host configuration (detailed in this article) including the necessary role assignments, a key vault with required secrets (domain join and vm local admin credentials), and a managed domain to support Microsoft Entra hybrid join.
Starting in the Azure Portal, logged in as admin@contoso.com, select Azure Virtual Desktop under Azure Services.
On the Azure Virtual Desktop page, select the Create a host pool button.
On the Basics tab, expand the Subscription menu and select Contoso Azure Subscription.
Expand the Resource group menu and select rg-avd-usw1-prod-usw-service-objects.
Select the Host pool name field to type, then type or copy/paste vdpool-usw1-prod-usw-002 and press Enter.
Select West US as the location for this host pool.
In a larger enterprise deployment, it is highly recommended to deploy a host pool in the validation environment (which is the pre-release version of the service and agents), giving your organization an opportunity to test and validate functionality before it rolls out into production. We will assume for the purposes of this demo that Contoso has already set up a host pool in the validation environment and focus on deploying a new host pool in production – so leave Validation environment set to No and leave the ‘Preferred app group type’ set to Desktop.
Expand the Host pool type menu and select Pooled.
Note the two types available, Personal and Pooled. In a Personal host pool, each VM is assigned to a single user. In a Pooled host pool, a pool of VMs serves a group of users and the AVD broker decides at connection time which session host a user lands on.
Select Yes to Create Session Host Configuration.
Expand the Load balancing algorithm menu and select Depth-first.
There are two choices available, breadth-first and depth-first. Breadth-first spreads users evenly across all available VMs, whereas depth-first fills one machine (up to the max session limit) before assigning users to another VM. We choose depth-first because it is the model most often used in pay-as-you-go deployments: concentrating sessions leaves other hosts empty so that AVD scaling logic can deallocate them.
Select the Max session limit field to type, and then type or copy/paste 4 and press Enter.
It is generally a good idea to base the max session limit on the size of the VMs you are provisioning. A reasonable rule of thumb is no more than 4 users per core. We’ll be provisioning 2-core VMs and want employees to have good performance, so we’ll choose 4 to balance performance and cost.
Select Next: Session Hosts to continue.
Select the Number of session hosts field to type, then type or copy/paste 2 and press Enter.
You can choose to create the host pool without provisioning/assigning any VMs to it, and then go through that process at a later point in time using session host configuration. For this scenario, we are choosing to provision a set of VMs during host pool creation to streamline the process.
Expand the Resource group menu and select rg-avd-usw1-prod-usw-pool-compute.
Select the Name prefix field to type, then type or copy/paste vm-usw-002 and press Enter.
Every VM created will have this prefix. Contoso prefers to note the region in which hosts are deployed in the name prefix.
Leave the default settings for location, availability zones, security type, secure boot (enabled) and vTPM (enabled) – then expand the Image menu and select Windows 11 Enterprise multi-session, Version 23H2 + Microsoft 365 Apps.
Choosing see all images will take you to many additional options, including the ability to define custom images for VMs in your environment. For Contoso’s pooled host pool, this recent multi-session image with the M365 Apps meets their requirements so there is no need to define a custom image.
We are going to keep the default 2-core option for virtual machine size. Note: selecting Change lets you review the full range of available sizes. One of the powerful aspects of AVD is the large number of available choices, suited to a wide range of compute and workload requirements.
Click anywhere on the screen to scroll down and view additional options.
Leave the default settings for OS disk type and size and set Boot diagnostics to Disabled.
Contoso will be using an existing vNet for this host pool.
Expand the Virtual network menu and select vnet-usw1-prod-usw-001.
Leave the network security group type set to basic and public inbound ports set to no (one great feature of Azure Virtual Desktop is that its reverse connect remoting model enables users to connect without requiring you to open any inbound ports).
Click anywhere on the screen to scroll down and view additional options.
Under ‘Domain to join,’ leave Select which directory you would like to join set to Active Directory. When deploying a host pool with session host configuration, joining session hosts directly to Microsoft Entra ID isn't supported, but you can use Microsoft Entra hybrid join or Active Directory join. Contoso is a cloud-only tenant, so you will be joining the managed domain set up in the prerequisites, using Microsoft Entra hybrid join.
Select kv-sec-usw1-prod-usw-hr as the Key vault for AD domain join UPN.
Next to Secret for AD domain join UPN – expand the select a secret key from key vault menu and select domainJoinUserName.
Next to Secret for password – expand the select a secret key from key vault menu and select domainJoinUserPassword.
Select Yes to specify domain or unit.
Select the Domain to join field to type, then type or copy/paste entrads.contoso.com and press Enter.
Specify the virtual machine local administrator account credentials (stored in key vault):
- As the Key vault for username – select kv-sec-usw1-prod-usw-hr.
- As the Secret for username – select vmLocalUserName.
- As the Secret for password – select vmLocalUserPassword.
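Both credential prompts in these demos (the Quickstart local administrator password earlier, and the four Key Vault secrets here) are places where a weak or reused password ends up on every session host. The following PowerShell, added here as an example and not part of the original guide, creates the vault and secrets the wizard expects, with the local administrator password generated from a CSPRNG rather than typed. The domain join account name svc-avd-join@entrads.contoso.com is an assumption; its password must already be set in the managed domain, so it is read at the prompt rather than generated.

```powershell
# Added example (not from the original guide): create the Key Vault and the four
# secrets the host pool wizard reads. Requires the Az.KeyVault module.
# ASSUMPTIONS: names match Contoso's naming in the guide; the domain join account
# 'svc-avd-join@entrads.contoso.com' exists in the managed domain with rights to
# join computers, and the caller holds 'Key Vault Secrets Officer' on the vault.

$ResourceGroup = 'rg-avd-usw1-prod-usw-service-objects'
$VaultName     = 'kv-sec-usw1-prod-usw-hr'
$Location      = 'westus'

function New-RandomPassword {
    # 24 characters drawn from a 64-symbol alphabet with a CSPRNG. Because
    # 256 is a multiple of 64, byte % 64 introduces no modulo bias. Get-Random
    # is deliberately not used: it is not cryptographically secure.
    param([int]$Length = 24)
    $Alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!@#$%^&*-'
    $Bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($Bytes)
    $Plain = -join ($Bytes | ForEach-Object { $Alphabet[$_ % $Alphabet.Length] })
    return (ConvertTo-SecureString -String $Plain -AsPlainText -Force)
}

# Vault with RBAC authorization (no legacy access policies) and purge protection,
# so a secret cannot be silently destroyed by a compromised operator account.
$Vault = Get-AzKeyVault -VaultName $VaultName -ResourceGroupName $ResourceGroup -ErrorAction SilentlyContinue
if (-not $Vault) {
    $Vault = New-AzKeyVault -VaultName $VaultName -ResourceGroupName $ResourceGroup -Location $Location `
        -Sku Standard -EnableRbacAuthorization -EnablePurgeProtection
}

$Secrets = [ordered]@{
    # ASSUMED account name; the password must match what is set in the domain.
    domainJoinUserName     = ConvertTo-SecureString 'svc-avd-join@entrads.contoso.com' -AsPlainText -Force
    domainJoinUserPassword = Read-Host -Prompt 'Password for the domain join account' -AsSecureString
    # The wizard creates the local administrator with this password at build time,
    # so it can be generated here and never seen by a human.
    vmLocalUserName        = ConvertTo-SecureString 'localadmin' -AsPlainText -Force
    vmLocalUserPassword    = New-RandomPassword
}

foreach ($Name in $Secrets.Keys) {
    # An expiry date forces rotation; tags record ownership for later audits.
    Set-AzKeyVaultSecret -VaultName $VaultName -Name $Name -SecretValue $Secrets[$Name] `
        -Expires (Get-Date).AddDays(90) -Tag @{ owner = 'avd-platform'; purpose = 'hostpool-deploy' } | Out-Null
}

# Verify without printing values: names, state and expiry only.
Get-AzKeyVaultSecret -VaultName $VaultName | Select-Object Name, Enabled, Expires
```

The deployment only needs to read these secrets, so the identity running the host pool deployment should hold Key Vault Secrets User on the vault, not Secrets Officer. Treat the local administrator secret as a break-glass credential and rotate it on the same schedule as the expiry set above.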
After specifying the local admin account, select Next: Workspace.
Select Yes to Register desktop app group.
Select Create new to create a new workspace and then specify ws-usw-prod-002 as the name and click OK.
Select Next: Advanced to continue.
Leave the default settings for diagnostic settings and select Next: Tags to continue.
We will not be specifying any tags in this exercise – select Next: Review and create.
After validation has passed you are ready to create the host pool – Click anywhere on the screen to scroll down and review the configuration, then select Create.
Congratulations! You have successfully deployed a new host pool with session host configuration.
The next step will be to ensure a group of users has access to the VMs.
Select Go to resource to continue with the interactive guide.
Congratulations on completing exercise 1.
Select exercise 2 to continue.
Azure Virtual Desktop’s host pool creation model enabled us to create a workspace and application group (and associate the application group with that workspace) during the provisioning process, so all that remains is to assign users to the application group.
Contoso has already created a group for west coast virtual desktop users named ‘AVD Users.’ Generally, it’s best practice to assign groups vs. individual users for efficiency and flexibility.
We will pick up where exercise 1 ended, on the vdpool-usw1-prod-usw-002 host pool page after provisioning has completed.
Under Applications - select Application groups – 1.
Select vdpool-usw1-prod-usw-002-DAG on the Application groups page.
Note that there is one application (the session desktop we provisioned during host pool creation) and no assignments at present.
Select manage next to 0 Assignments.
On the Assignments page, click the Add button in the toolbar.
On the Select Microsoft Entra users or user groups panel, select the AVD Users group from the list of users + groups and then click Select.
The AVD Users group has now been assigned to the application group. Employees that are members of that group will now be able to access their Azure Virtual Desktop session desktop.
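For reference, the control-plane objects reviewed in the Quickstart demo (host pool, application group and workspace) and the two steps just completed (host pool creation and group assignment) can also be created with the Az.DesktopVirtualization and Az.Resources modules. The script below is an added example, not from the original guide; it does not build session hosts (the wizard's session host configuration does that), and it assumes the AVD Users group and the resource group already exist.

```powershell
# Added example (not from the original guide): the host pool, desktop application
# group, workspace and group assignment from exercises 1 and 2, scripted.
# Requires the Az.DesktopVirtualization and Az.Resources modules.
# ASSUMPTION: the 'AVD Users' Entra security group and the resource group exist.

$ResourceGroup = 'rg-avd-usw1-prod-usw-service-objects'
$Location      = 'westus'
$HostPoolName  = 'vdpool-usw1-prod-usw-002'
$AppGroupName  = "$HostPoolName-DAG"
$WorkspaceName = 'ws-usw-prod-002'
$UserGroupName = 'AVD Users'

# 1. Pooled host pool: depth-first, 4 sessions per host, not a validation environment.
$HostPool = New-AzWvdHostPool -ResourceGroupName $ResourceGroup -Name $HostPoolName -Location $Location `
    -HostPoolType Pooled -LoadBalancerType DepthFirst -MaxSessionLimit 4 `
    -PreferredAppGroupType Desktop -ValidationEnvironment:$false

# 2. Desktop application group bound to the host pool (publishes the full desktop).
$AppGroup = New-AzWvdApplicationGroup -ResourceGroupName $ResourceGroup -Name $AppGroupName -Location $Location `
    -HostPoolArmPath $HostPool.Id -ApplicationGroupType Desktop

# 3. Workspace: the application group only shows up in a user's feed once it is
#    referenced by a workspace.
New-AzWvdWorkspace -ResourceGroupName $ResourceGroup -Name $WorkspaceName -Location $Location `
    -ApplicationGroupReference $AppGroup.Id | Out-Null

# 4. "Assignment" in the portal is an RBAC role assignment of
#    'Desktop Virtualization User' scoped to the application group.
$Group = Get-AzADGroup -DisplayName $UserGroupName
if (-not $Group) { throw "Group '$UserGroupName' not found." }

New-AzRoleAssignment -ObjectId $Group.Id -RoleDefinitionName 'Desktop Virtualization User' -Scope $AppGroup.Id | Out-Null

# Verify who can see this desktop. Any principal beyond the intended group,
# or an assignment inherited from a broader scope, is a finding.
Get-AzRoleAssignment -Scope $AppGroup.Id -RoleDefinitionName 'Desktop Virtualization User' |
    Select-Object DisplayName, ObjectType, Scope
```

Because the assignment is ordinary Azure RBAC, a Desktop Virtualization User assignment made at the resource group or subscription scope is inherited by every application group beneath it. The final query is the check to run after any deployment: it lists inherited assignments too, so it catches over-broad access that the portal's Assignments blade can make easy to miss.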
Click anywhere on the screen to continue to the next exercise, where you will review the experience for one of those employees.
Congratulations on completing exercise 2.
Select exercise 3 to review the employee experience accessing their AVD VM using Windows App.
With our Azure Virtual Desktop environment up and running, let’s review the employee experience. In this case, we will be reviewing Adele Vance’s (a Contoso employee) experience when accessing Azure Virtual Desktop via Windows App on their Windows 11 Laptop.
Windows App is your gateway to Azure Virtual Desktop, Windows 365, Microsoft Dev Box, Remote Desktop Services, and remote PCs, securely connecting you to Windows devices and apps.
You can use Windows App on many different types of devices on different platforms and form factors, such as desktops and laptops, tablets, smartphones, and through a web browser. When using a web browser on a desktop or laptop, you can connect without having to download and install any software.
Windows App is available for the following platforms:
- Windows
- MacOS
- iOS/iPadOS
- Android/Chrome OS (preview)
- Web browsers
- Meta Quest VR headset (preview)
Windows App is designed with a customizable home screen to cater to your unique workflow needs. You can access Windows across multiple different services and remote PCs from a single place, and pin your favorites you access most. And if you use multiple accounts, you can easily switch between them with our easy account switching feature. There are many features to enhance your remote experience, such as:
- Multiple monitor support
- Custom display resolutions
- Dynamic display resolutions and scaling
- Device redirection, such as webcams, audio, storage devices, and printers
- Microsoft Teams optimizations
- Sign in with multiple accounts and easily switch between them
Let’s review Adele’s experience when signing in to Windows App for the first time and accessing one of the session hosts you provisioned in this demo.
Starting in the Windows App on Adele’s Windows 11 PC, select Sign in.
Select Adele Vance to sign in using Adele Vance’s credentials.
Review and click through the introductory content.
Adele currently has access to three Azure Virtual Desktop session desktops.
Locate the rightmost AVD SessionDesktop (ws-usw-prod-002), select the ‘…’ (three dots) management menu and then select Favorite.
Once the Azure Virtual Desktop has been successfully added to Favorites, select Go to Favorites on the notification.
Close the Marked as Favorite notification and then Select the ‘…’ (three dots) management menu and then choose Settings to review the display options available for this VM.
When you are ready click the X to close the settings panel.
Select Connect to connect to Adele’s Azure Virtual Desktop session host.
Authenticate using Adele’s password - select the field to type and then type or copy/paste password and press Enter.
Then select Remember me and click OK.
Adele’s Azure Virtual Desktop is now open in full screen mode.
Click on the Windows Start button to review the Microsoft 365 applications that have already been installed and are ready to use.
Congratulations – you have completed this exercise.
Click anywhere on the screen to continue.
Congratulations on completing exercise 3.
Select any exercise to review, or you can select Home to return to the beginning of the Azure Virtual Desktop interactive demo.
In this interactive guide, you will be deploying Azure Virtual Desktop (AVD) for Contoso using the Microsoft Azure Virtual Desktop landing zone accelerator.
The Microsoft Azure Virtual Desktop landing zone accelerator provides a specific architectural approach and reference implementation for preparing landing zone subscriptions for an enterprise Azure Virtual Desktop deployment.
Its reference implementation adheres to the architecture and best practices of the Cloud Adoption Framework's Azure landing zones, focusing on enterprise-scale design principles. Although this implementation can be deployed in any Azure environment that complies with the prerequisites, the recommended approach is to first implement an enterprise-scale landing zone prior to deploying AVD. Typically, at Enterprise scale, this process would involve significant up-front planning and collaboration across IT disciplines. For the sake of this interactive guide – we will assume that Contoso has already deployed an Enterprise-scale Landing Zone (specifically the reference implementation for small enterprises with a hub-and-spoke network implementation) and focus purely on Azure Virtual Desktop deployment.
As such, you will be completing the following exercises:
- Ensuring the prerequisites are met to deploy Azure Virtual Desktop using the Azure Virtual Desktop Landing Zone Accelerator (LZA)
- Deploy Azure Virtual Desktop using the Landing Zone Accelerator (LZA)
- Review the employee experience when signing in to an AVD VM.
When you are ready to begin, select Exercise 1 to continue.
Prior to the deployment of Azure Virtual Desktop LZA Baseline, you need to ensure that the prerequisites (documented in the Baseline Deployment Guide for Azure Virtual Desktop) have been met. Contoso has already validated the Azure environment setup, account/access and networking requirements noted in the linked document and will be focusing on the Azure subscription requirements – specifically:
- Access to the Azure Virtual Desktop Azure subscription with owner permissions.
- The following resource providers must be registered in the subscription to be used for deployment:
- Microsoft.DesktopVirtualization
- Microsoft.Compute (when deploying with the Zero Trust option, the EncryptionAtHost feature of this provider must also be registered)
- Microsoft.Network
- Microsoft.Storage
This exercise begins in the Microsoft Azure admin portal, logged in as admin@contoso.com.
In the Microsoft Azure admin portal, under Azure Services, select Microsoft Entra ID.
On the Microsoft Entra ID Contoso | Overview page, select Properties in the left navigation.
Locate the toggle switch under ‘Administrator (admin@contoso.com) can manage access to all Azure subscriptions and management groups in this tenant’ and set it to Yes. This elevates the account to User Access Administrator at the tenant root scope (/), which is a highly privileged, audited action; it is needed here only to manage access to the subscription, and should be set back to No (and the root-scope role assignment removed) once the deployment work is complete.
Select Save to continue.
Select Home in the Home > Contoso navigation breadcrumb to return to the homepage of the Azure admin portal.
Under Resources, select Contoso Azure Subscription.
On the Contoso Azure Subscription page, select Settings in the left navigation to expand that node and then select Resource providers.
On the Resource providers page, select the Filter by name field to type or copy/paste Desktop and press Enter.
Select Microsoft.DesktopVirtualization and then click Register.
Now, select the Filter by name field to type or copy/paste Compute and press Enter.
Select Microsoft.Compute and click Register.
Now, select the Filter by name field to type or copy/paste Network and press Enter.
Select Microsoft.Network and click Register.
Select the Filter by name field to type or copy/paste Storage and press Enter.
Select Microsoft.Storage and click Register.
You have successfully registered all of the required resource providers to proceed with Azure Virtual Desktop deployment.
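The same Exercise 1 steps can be scripted with Az PowerShell. The following is an added example, not code from the original guide or from the LZA project; it assumes the Az.Accounts and Az.Resources modules are installed and that the signed-in account is a Global Administrator (required for the elevate-access call). The subscription name and sign-in name are the demo's placeholders, and the final step reverts the root-scope elevation that the portal toggle creates.

```powershell
# Added example (not part of the original guide): Exercise 1 with Az PowerShell.
# Assumes Az.Accounts + Az.Resources and a Global Administrator sign-in.
Connect-AzAccount | Out-Null

# Equivalent of the "can manage access to all Azure subscriptions and management
# groups in this tenant" toggle: grants User Access Administrator at scope "/".
Invoke-AzRestMethod -Method POST `
    -Path '/providers/Microsoft.Authorization/elevateAccess?api-version=2016-07-01' | Out-Null

Set-AzContext -Subscription 'Contoso Azure Subscription' | Out-Null   # demo subscription name

# Resource providers the LZA requires.
$providers = 'Microsoft.DesktopVirtualization', 'Microsoft.Compute', 'Microsoft.Network', 'Microsoft.Storage'

function Test-ProviderRegistered ([string]$Namespace) {
    # Get-AzResourceProvider returns one entry per resource type; the namespace is
    # only fully registered when every entry reports Registered.
    $states = (Get-AzResourceProvider -ProviderNamespace $Namespace).RegistrationState
    return (@($states | Where-Object { $_ -ne 'Registered' }).Count -eq 0)
}

foreach ($ns in $providers) {
    if (-not (Test-ProviderRegistered $ns)) {
        Register-AzResourceProvider -ProviderNamespace $ns | Out-Null
    }
}

# Zero Trust session hosts use encryption at host, which is gated by a feature flag.
$feature = Get-AzProviderFeature -ProviderNamespace Microsoft.Compute -FeatureName EncryptionAtHost
if ($feature.RegistrationState -ne 'Registered') {
    Register-AzProviderFeature -ProviderNamespace Microsoft.Compute -FeatureName EncryptionAtHost | Out-Null
}

# Registration is asynchronous; poll until no namespace is still registering.
do {
    Start-Sleep -Seconds 15
    $pending = foreach ($ns in $providers) { if (-not (Test-ProviderRegistered $ns)) { $ns } }
    if ($pending) { Write-Host "Still registering: $($pending -join ', ')" }
} while ($pending)

# Undo the root-scope elevation now that the subscription work is done.
Remove-AzRoleAssignment -SignInName 'admin@contoso.com' -RoleDefinitionName 'User Access Administrator' -Scope '/'
```

The elevate-access call only succeeds for a Global Administrator, and the role assignment it creates is visible under Access control (IAM) at the root management group; removing it at the end keeps the admin account at the least privilege needed for day-to-day work.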
Click anywhere on the screen to continue.
Congratulations on completing exercise 1.
Select exercise 2 to continue.
Now that you have deployed Enterprise-scale landing zones for Contoso and validated the Azure Virtual Desktop deployment prerequisites, you are ready to deploy Azure Virtual Desktop using the Landing Zone Accelerator.
The Azure Virtual Desktop Landing Zone Accelerator includes an open-source collection of Azure Resource Manager and Bicep templates to help you quickly set up your Azure Virtual Desktop environment following best practices and Cloud Adoption Framework. This exercise will be using the Azure portal UI, but there is also a supported Bicep and Terraform option for each scenario. The accelerator creates an Azure Virtual Desktop environment - including virtual machines, virtual networks, and storage in Azure.
The Azure Virtual Desktop LZA Baseline is available in the Azure Virtual Desktop accelerator GitHub repository and can be launched from direct links provided on that site. It can also be launched from the Azure Virtual Desktop Quickstart menu (which is the approach you will be taking in this demo).
Starting in the Microsoft Azure admin portal, logged in as admin@contoso.com, select Azure Virtual Desktop under Azure Services.
On the Azure Virtual Desktop page, select Quickstart in the left navigation.
On the Quickstart page, select Start.
Under ‘Start a project,’ locate the ‘Deliver virtual desktops and stream remote applications’ tile and click Start.
Select Create on the Landing Zone Accelerator tile to launch the Azure Virtual Desktop – LZA Baseline.
On the LZA page, select the check box to indicate that you have read and understood the AVD LZA deployment pre-requisites.
Click anywhere on the screen to scroll down to the Deployment specs section.
Specify the prefix for the AVD resources by selecting the Prefix field and typing or copy/pasting AVD1 then pressing Enter.
Expand the Environment menu and select Production, then select Next.
Note: customers would typically deploy to a test environment prior to rolling out to production. For the sake of this interactive demo, we are assuming that has already happened and are showing you the experience when choosing production.
On the identity tab, you will specify the identity service provider to be used when joining AVD session hosts to the domain.
In Contoso’s case, we’ll be joining our AVD session hosts directly to Microsoft Entra ID. Note that Entra-joined session hosts are not members of an Active Directory domain and therefore cannot receive Group Policy from one, so policy management has to be done through Microsoft Intune, which aligns with Contoso’s model.
To learn more about Microsoft Entra join for AVD, including prerequisites and tradeoffs with using Active Directory Domain Services or Entra Domain Services, consult this Microsoft documentation.
Contoso will be using Intune to manage its VM session hosts.
Select the checkbox next to Intune enrollment.
Select the Domain name field, then type or copy/paste contoso.com and press Enter.
Admin has already created a user group for AVD users. During LZA deployment, this group will be given access to necessary resources – including the ability to log in to virtual machine session hosts and the ability to access FSLogix shares (where roaming profile data is stored).
To select this group expand the Groups menu and then click anywhere on the screen to scroll down and select AVD Users.
Note: when choosing to use Entra join for AVD, you currently must be using hybrid identities in order to leverage FSLogix shares for roaming profiles. This is the case for Contoso.
Specify the credentials that will be used for the local administrator account on the provisioned session hosts. The value ‘password’ used below is a placeholder for this demo only; a real deployment should use a unique, strong password and keep it out of scripts and tickets (the LZA deploys a Key Vault in which these secrets are stored).
- Select the username field to type and type or copy/paste localadmin and press Enter.
- Select the password field to type and then type or copy/paste password and press Enter.
- Select the confirm password field and then type or copy/paste password and press Enter.
When you are done specifying the session host local admin credentials – select Next.
Review the options on the Management plane tab. Contoso wants to use pooled session hosts to enable multiple users to share a single VM, maximizing efficiency of resource utilization for the organization.
Leave the host pool type set to Pooled and set the load balancing algorithm to DepthFirst (breadth-first aims to evenly distribute new user sessions across the session hosts in the host pool whereas depth-first keeps starting new sessions on a single session host until the maximum session limit is reached).
When you’re done – select Next.
On the Session hosts tab under Region Settings, de-select Availability zones and VMSS Flex.
Leave the Session hosts region set to West US. Contoso’s employees are located in the Western US, so deploying session hosts in a nearby region helps to optimize performance.
Leave the default VM size selection and click to scroll down and review the remaining settings.
Select the VM count field, then type or copy/paste 2 and press Enter.
Set the OS Disk type to Standard.
Click to expand the OS Version menu and select Windows 11 24H2 - Office 365.
Verify the settings and then select Next.
On the Storage tab – note the default election to deploy FSLogix profile containers, which will be stored on Azure Files and allow user profile roaming while using pooled session hosts. To learn more, consult the MS Learn article on FSLogix profile containers and Azure files.
Contoso has determined they do not need the Premium tier for file share performance so click to expand the File share performance menu and select Standard.
App attach enables you to dynamically attach applications from an application package to a user session in Azure Virtual Desktop. Applications aren't installed locally on session hosts or images, enabling you to create fewer custom images for your session hosts, and reducing operational overhead and costs for your organization. Delivering applications with app attach also gives you greater control over which applications your users can access in a remote session by enabling you to assign apps to individual users and groups.
Contoso will be using App Attach storage for this deployment - select the checkbox to Create App Attach storage.
Set the App Attach File share performance to Standard.
When you are ready, select Next to continue to Networking settings.
Contoso will be deploying AVD to its own spoke vNet in the ‘Corp’ management group that was created during the Enterprise-scale LZ deployment. When specifying the vNet address range, we want to ensure that it does not overlap with the address range specified earlier for our hub vNet and that it will accommodate a sufficient number of addresses/endpoints.
Select the vNet address range field and type or copy/paste 10.200.0.0/16 and press Enter to continue.
Next, we’ll specify the Azure Virtual Desktop subnet address prefix within that address space. Select the AVD subnet prefix field and type or copy/paste 10.200.1.0/24 and press Enter.
Now specify the subnet address prefix for your private endpoint (Key vault and storage) subnet. Select the Private endpoint subnet address prefix field and type or copy/paste 10.200.2.0/24 and press Enter.
Select the option to Create new Azure private DNS zones for Azure files and Key vault.
Click anywhere on the screen to scroll down and review the settings - then select Next to continue.
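Before submitting the Networking tab it is worth checking the address plan mechanically rather than by eye: the spoke must not overlap the hub, and both subnets must sit inside the spoke range without overlapping each other. The following is an added example, not part of the original guide or the LZA; the hub prefix 10.100.0.0/16 is an assumption (the guide does not state the hub's range), and the commented-out Get-AzVirtualNetwork step, which extends the check to every vNet already in the subscription, requires Az.Network and a signed-in session.

```powershell
# Added example (not part of the original guide): validate the AVD spoke address plan.
# The hub prefix below is assumed for illustration; replace it with the real hub vNet range.

function ConvertTo-IpNumber ([string]$Ip) {
    # Big-endian IPv4 bytes -> unsigned integer, independent of host endianness
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    return ([uint64]$b[0] -shl 24) -bor ([uint64]$b[1] -shl 16) -bor ([uint64]$b[2] -shl 8) -bor [uint64]$b[3]
}

function Get-CidrRange ([string]$Cidr) {
    $ip, $len = $Cidr.Split('/')
    $len = [int]$len
    if ($len -lt 0 -or $len -gt 32) { throw "Invalid prefix length in $Cidr" }
    $size  = [uint64]1 -shl (32 - $len)                                   # addresses in the block
    $start = (ConvertTo-IpNumber $ip) -band ([uint64]0xFFFFFFFF - ($size - [uint64]1))
    return [pscustomobject]@{ Cidr = $Cidr; Start = $start; End = $start + $size - [uint64]1 }
}

function Test-CidrOverlap ($A, $B)         { return ($A.Start -le $B.End) -and ($B.Start -le $A.End) }
function Test-CidrContains ($Outer, $Inner) { return ($Outer.Start -le $Inner.Start) -and ($Inner.End -le $Outer.End) }

$hub     = Get-CidrRange '10.100.0.0/16'      # ASSUMED hub vNet range
$spoke   = Get-CidrRange '10.200.0.0/16'      # value entered on the Networking tab
$subnets = '10.200.1.0/24', '10.200.2.0/24' | ForEach-Object { Get-CidrRange $_ }   # AVD and private endpoint subnets

if (Test-CidrOverlap $hub $spoke) { throw "Spoke $($spoke.Cidr) overlaps hub $($hub.Cidr)" }

foreach ($s in $subnets) {
    if (-not (Test-CidrContains $spoke $s)) { throw "$($s.Cidr) is outside the spoke range $($spoke.Cidr)" }
}
for ($i = 0; $i -lt $subnets.Count; $i++) {
    for ($j = $i + 1; $j -lt $subnets.Count; $j++) {
        if (Test-CidrOverlap $subnets[$i] $subnets[$j]) { throw "$($subnets[$i].Cidr) overlaps $($subnets[$j].Cidr)" }
    }
}

# Optional: compare against every vNet already deployed in the subscription.
# Get-AzVirtualNetwork | ForEach-Object { $_.AddressSpace.AddressPrefixes } | ForEach-Object {
#     if (Test-CidrOverlap $spoke (Get-CidrRange $_)) { Write-Warning "Spoke overlaps existing prefix $_" }
# }

'Address plan is consistent'
```

Overlapping prefixes are not rejected by the LZA form itself, and an overlap between the spoke and the hub only surfaces later when peering fails or routes become ambiguous, so catching it before deployment avoids a redeploy.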
Leave the Deploy monitoring setting checked and Log analytics workspace set to new - and select Next.
Leave Custom resource naming unselected and select Next.
Leave Create resource tags unselected and select Next.
Once the settings have been validated, click anywhere on the screen to scroll down and review the remaining settings, then select Create to deploy AVD Baseline for Contoso.
Congratulations – you have successfully deployed Azure Virtual Desktop and are ready to review the employee experience when logging into a pooled session host from their Windows PC.
Click anywhere to continue.
Congratulations on completing exercise 2.
Select exercise 3 to continue.
For this exercise, we will be reviewing Adele Vance’s experience when connecting to their Azure Virtual Desktop session host using the Windows App on their domain-joined Windows 11 PC.
Note: Adele is currently licensed for Microsoft 365 E3 – which includes Windows 11 Enterprise and the M365 Apps.
Available on Windows, macOS, iOS and iPadOS, Android, and web browsers, Windows App provides a direct path to your Cloud PC and Azure Virtual Desktop sessions from the taskbar or Start menu. Windows App enables employees to enjoy the full Windows 11 experience while moving between their local PC and their cloud desktops, and a remote desktop can be used in a window or full screen.
Windows App is designed with a customizable home screen to cater to your unique workflow needs. You can access Windows across multiple different services and remote PCs from a single place, and pin your favorites you access most. The app delivers high-performing and reliable experiences for Microsoft Teams and your other Microsoft 365 apps as well as other features to enhance your remote experience.
In addition to Azure Virtual Desktop, Windows App securely connects you to Windows devices and apps on a device of your choice from:
- Windows 365 Cloud PC
- Microsoft Dev Box
- Remote Desktop Services
- Remote PC
Windows App is available on Windows, macOS, iOS and iPadOS, Android, and web browsers; on Windows it can also be downloaded and installed from the Microsoft Store.
Starting in the Windows App on Adele’s Windows 11 PC, select Sign in.
Select Adele Vance to sign in with their credentials.
Review and click through the introductory content.
Once you have clicked through the first-run experience you will land on the Favorites screen of the Windows App, displaying any devices which Adele has chosen to pin to their Favorites screen. As this is Adele’s first time using the app, they haven’t pinned any devices yet.
Select Go to devices to view all of Adele’s devices.
Adele currently has access to 1 Azure Virtual Desktop session host (as you can see from the indicator on the device tile). Select the ‘…’ (three dots) management menu for Adele’s Azure Virtual Desktop to review the available capabilities. The Windows App supports the ability to add this device to the favorites screen or access the settings menu - select Favorite.
Select Go to Favorites on the ‘Marked as Favorite’ notification and then close the notification.
Select Connect to connect to Adele’s Azure Virtual Desktop.
Select the password field and then type or copy/paste password and press Enter or click Sign in.
Select Yes to Allow the remote desktop connection.
Adele’s Azure Virtual Desktop is now open in full screen mode.
Click on the Windows Start button to review the Microsoft 365 applications that have already been installed and are ready to use.
Congratulations – you have completed this exercise.
Click anywhere on the screen to continue.
Congratulations on completing the interactive demo.
You can select Home to return to the beginning of the guide or select any exercise to revisit it.
Select Start to continue.
App attach enables you to dynamically attach applications from an application package to a user session in Azure Virtual Desktop. Applications aren't installed locally on session hosts or images, enabling you to create fewer custom images for your session hosts, and reducing operational overhead and costs for your organization. Delivering applications with app attach also gives you greater control over which applications your users can access in a remote session by enabling you to assign apps to individual users and groups.
This interactive demo shows you how to add and manage applications with app attach in Azure Virtual Desktop using the Azure portal.
When you are ready, select an exercise to begin.
App Attach supports several types of packages including MSIX, Appx, and recently App-V. Generally speaking, MSIX provides a superset of the capabilities provided by other package types and is the preferred type for app attach in Azure Virtual Desktop. MSIX is a Windows app package format that provides a modern packaging experience to all Windows apps, preserving the functionality of existing app packages and/or install files in addition to enabling new, modern packaging and deployment features to Win32, WPF, and Windows Forms apps.
For many apps, you can obtain MSIX packages directly from the software vendor. Alternatively, you can create an MSIX package from an existing installer. To learn more about MSIX, see What is MSIX?
In the case of Microsoft Teams, MSIX packages are available from Microsoft for x64, x86, and ARM64 architectures (see this site for download information). This exercise begins after having downloaded the x64 MSIX package and will walk you through generating a disk image from that package using msixmgr (available here) in Windows PowerShell, then uploading to Azure storage in preparation for creating the app attach package.
Before creating the app attach package for Microsoft Teams, you need to generate a disk image from the MSIX package. App attach supports Composite Image File System (CimFS), VHDX or VHD for disk images. We will be using CimFS, as it has significant advantages in terms of average mount/unmount time, memory consumption, and CPU utilization.
Begin by defining a variable for the path to the Microsoft Teams MSIX package you downloaded. Click on the PowerShell command line to simulate typing the following command:
$msixPath = "C:\MSIX Packages\Microsoft.Teams\MSTeams-x64.msix"
Now define a variable for the destination for the generated CimFS files. Click in the PowerShell window to type:
$cimPath = "C:\MSIX Packages\Microsoft.Teams\MSTeams-x64.cim"
Using msixmgr, generate the CimFS image. Click on the current command line to type:
.\msixmgr.exe -Unpack -packagePath $msixPath -destination $cimPath -applyACLs -create -fileType cim -rootDirectory apps
You have now successfully created the cim disk image. Let’s take a look at the files that were generated. Click on the current line in PowerShell to type:
cd 'C:\MSIX Packages\Microsoft.Teams\'
Now list the files in the directory, click to type:
dir
A CimFS image is a combination of several files: one file has the .cim file extension and contains metadata, together with at least two other files, one starting with objectid_ and the other starting with region_ that contain the actual application data. The files accompanying the .cim file don't have a file extension.
Click anywhere on the screen to switch to the Azure Portal to upload to a remote storage account accessible from your VMs.
Contoso will be storing the application images in Azure Files (though they could use other options like an SMB share). You are currently in the Microsoft Azure admin portal (logged in as admin@contoso.com) viewing Contoso’s storage account for app images in the US West region.
Select Storage browser in the left navigation.
Under stmsxavdpwoo in the navigation, select File shares.
Click on msix-pc-avd-prod-usw-001 in the list of file shares.
Click to open the Microsoft.Teams directory.
Select Upload.
On the Upload files panel, select Browse for files.
Select the checkbox next to the Name column to select all of the Teams disk image files, then select Open.
On the Upload files panel, select Overwrite if files already exist and then select Upload.
Your Microsoft Teams CimFS image has been successfully uploaded to Contoso’s storage account. You can now proceed to create the app attach package for Microsoft Teams.
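The image build and the upload can be done end to end from PowerShell, with one check the portal walkthrough does not perform: verifying the MSIX package signature before it is unpacked, since whatever is placed on this share will be mounted into every assigned user's session. The following is an added example, not part of the original guide; it reuses the paths and names from the steps above, assumes Get-AuthenticodeSignature (which understands MSIX package signatures) and the Az.Storage module are available, assumes the resource group name rg-avd-app-attach (not stated in the guide), and assumes the Microsoft.Teams directory already exists on the share as shown in the portal steps.

```powershell
# Added example (not part of the original guide): verify, unpack and upload the Teams package.
# Assumes Az.Storage; 'rg-avd-app-attach' is an assumed resource group name.
$msixPath = 'C:\MSIX Packages\Microsoft.Teams\MSTeams-x64.msix'
$cimPath  = 'C:\MSIX Packages\Microsoft.Teams\MSTeams-x64.cim'

# 1. Refuse to package anything that is not validly signed by the expected publisher.
#    The 8wekyb3d8bbwe publisher ID seen later in the portal corresponds to this subject.
$sig = Get-AuthenticodeSignature -FilePath $msixPath
if ($sig.Status -ne 'Valid') {
    throw "MSIX signature status is '$($sig.Status)'; refusing to unpack $msixPath"
}
if ($sig.SignerCertificate.Subject -notlike 'CN=Microsoft Corporation,*') {
    throw "Unexpected signer: $($sig.SignerCertificate.Subject)"
}

# 2. Expand the package into a CimFS image (same msixmgr invocation as in the exercise).
& .\msixmgr.exe -Unpack -packagePath $msixPath -destination $cimPath -applyACLs -create -fileType cim -rootDirectory apps
if ($LASTEXITCODE -ne 0) { throw "msixmgr failed with exit code $LASTEXITCODE" }

# 3. A CimFS image is the .cim metadata file plus its objectid_* and region_* data files;
#    all of them have to reach the share or the mount will fail.
$cimName = Split-Path $cimPath -Leaf
$files = Get-ChildItem -Path (Split-Path $cimPath) -File |
    Where-Object { $_.Name -eq $cimName -or $_.Name -like 'objectid_*' -or $_.Name -like 'region_*' }
if (@($files).Count -lt 3) { throw "Expected the .cim file plus objectid_/region_ companions, found $(@($files).Count) file(s)" }

# 4. Upload to the app attach share (uses the storage account key via the account context).
$ctx   = (Get-AzStorageAccount -ResourceGroupName 'rg-avd-app-attach' -Name 'stmsxavdpwoo').Context
$share = 'msix-pc-avd-prod-usw-001'
foreach ($f in $files) {
    Set-AzStorageFileContent -Context $ctx -ShareName $share -Source $f.FullName -Path "Microsoft.Teams/$($f.Name)" -Force
}
"Uploaded $(@($files).Count) file(s) for $cimName to $share/Microsoft.Teams"
```

Checking the signer by subject name is the minimum; pinning the signing certificate thumbprint, or an allow-list of publisher IDs, is stronger if you accept packages from several vendors. The share itself should only be writable by the packaging pipeline and readable by the session hosts, since a modified image would be mounted and registered for users as-is.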
Click anywhere on the screen to continue with the interactive demo.
Select an exercise to continue.
Now that you have uploaded your Microsoft Teams image to Azure Files, you are ready to create and assign the app attach package.
Starting in the Azure portal, logged in as admin@contoso.com, select Azure Virtual Desktop under Azure Services.
On the Azure Virtual Desktop page, in the left navigation, select Manage > App Attach.
Select Create to configure a new app attach package.
Click to expand the Resource group menu and choose avd_app_attach.
Select the host pool – click to expand the Host pool menu and choose vdpool-avd-prod-usw-001.
Leave the region set to West US and select Next.
Select the Azure storage account containing your Microsoft Teams image.
Click Select a storage account, then choose stmsxavdpwoo and click Select.
You can browse Azure Files directly to choose the cim image for Microsoft Teams - click Select a file.
Select the msix-pc-avd-prod-usw-001 file share and open the Microsoft.Teams directory.
Select the MSTeams-x64.cim file and click Select.
After AVD has extracted the information from the cim file – expand the MSIX package menu and select the 64-bit Teams MSIX package. (Note: the 8wekyb3d8bbwe suffix in the package name is the publisher ID, a hash derived from the Publisher field of the package manifest, which must match the subject of the certificate the package was signed with; this value corresponds to Microsoft Corporation, so the package identity indicates it was published and signed by Microsoft.)
Select the Display name field to type, then type or copy/paste Microsoft Teams and press Enter.
MSIX app attach mounts disk images containing your applications from a file share to a user's session during sign-in, then a registration process makes the applications available to the user. There are two types of registration:
- On-demand (default): applications are only partially registered at sign-in and the full registration of an application is postponed until the user starts the application.
- Register at logon: each application you assign to a user is fully registered asynchronously at logon.
For Microsoft Teams – choose Register at logon.
Set the application state to Active.
When the package is set to active the application is made available to assigned users. Packages set to inactive are ignored by Azure Virtual Desktop and not added when a user signs in.
Leave the Health check status on failure to ‘Needs assistance’ and select Next.
This setting will mark the session host as ‘needs assistance’ if something goes wrong with the app attach package. Marking as ‘unhealthy’ would prevent logon in the event of a failure, which is not Contoso’s desired behavior.
Contoso will be making Microsoft Teams available to all AVD users. Select Add users or groups and then choose the AVD Users group and click Select.
App attach allows you to assign to groups or individual users – providing full flexibility in managing access to apps.
Verify the assignment and then click Next.
We will not be using tags in this deployment, select Next.
Review the settings and then select Create.
You have successfully created the app attach package for Microsoft Teams! Let’s verify some details regarding the package.
On the Microsoft Teams app attach package page, under Settings, select Configuration.
All settings are as expected. Note that you could modify the initial settings and save those changes if required.
Now select Properties to review some additional details.
Review the full list of applications included in the package – select View all under Applications.
You can see that the Teams updater and Teams autostarter are also included in the package.
Select Close to close the Applications panel.
Select View all under Dependencies to review any relevant dependencies.
There are no dependencies for this package, which simplifies deployment because no additional framework packages need to be staged. Select Close to close the Dependencies panel.
You have now created and validated the Microsoft Teams app attach package. Click anywhere on the screen to continue with the interactive demo.
Select an exercise to continue.
While MSIX is the preferred technology for use with app attach for Azure Virtual Desktop, Microsoft Application Virtualization (App-V) is also a technology that enables applications to be delivered to virtual desktops without being locally installed. Although its use has somewhat declined with the rise of modern application deployment methods, App-V remains prevalent among large organizations and sectors with complex, legacy applications. App attach now allows you to directly bring those App-V applications over in the Azure portal, so you no longer have to wait until all of your applications are in MSIX before bringing those apps into app attach. In this exercise, you’ll be creating an app attach package using Contoso’s existing Notepad++ App-V package.
Starting in the Azure portal, logged in as admin@contoso.com, select Azure Virtual Desktop under Azure Services.
On the Azure Virtual Desktop page, in the left navigation, select Manage > App Attach.
Select Create to configure a new app attach package.
Click to expand the Resource group menu and choose avd_app_attach.
Select the host pool – click to expand the Host pool menu and choose vdpool-avd-prod-usw-001.
Leave the region set to West US and select Next.
Select the Azure storage account containing your Notepad++ image.
Click Select a storage account, then choose stmsxavdpwoo and click Select.
You can browse Azure Files directly to choose the appv image for Notepad++ - click Select a file.
Click to open the msix-pc-avd-prod-usw-001 file share.
Open the Notepad++ directory, then select Notepad++.appv and click Select.
After AVD has extracted the information from the appv file – expand the MSIX package menu and select the Notepad++ MSIX package.
Select the Display name field to type, then type or copy/paste Notepad++ and press Enter.
Leave On-demand as the Registration type. On-demand (default) applications are only partially registered at sign-in and the full registration of an application is postponed until the user starts the application.
Set the application state to Active. When the package is set to active the application is made available to assigned users. Packages set to inactive are ignored by Azure Virtual Desktop and not added when a user signs in.
Leave the Health check status on failure to ‘Needs assistance’ and select Next. This setting will mark the session host as ‘needs assistance’ if something goes wrong with the app attach package. Marking as ‘unhealthy’ would prevent logon in the event of a failure, which is not Contoso’s desired behavior.
Contoso will be making Notepad++ available to all AVD users.
Select Add users or groups and then choose the AVD Users group and click Select. App attach allows you to assign to groups or individual users – providing full flexibility in managing access to apps.
Verify the assignment and then click Next.
We will not be using tags in this deployment, select Next.
Review the settings and then select Create.
You have successfully created the app attach package for Notepad++!
Click anywhere on the screen to continue with the interactive demo.
Select an exercise to continue.
App attach enables you to seamlessly update your applications with no maintenance window needed. In this exercise, you will be updating the Windows Terminal Preview application to reflect a recent update.
Starting in the Azure portal, logged in as admin@contoso.com, select Azure Virtual Desktop under Azure Services.
On the Azure Virtual Desktop page, in the left navigation, select Manage > App Attach.
On the App attach page, select Windows Terminal Preview.
On the Windows Terminal Preview app attach package page, select Update.
On the Update app attach package page, expand the Host pool menu and select vdpool-avd-prod-usw-001.
Next to image path, choose Select from storage account.
Next to Storage account, click Select a storage account.
On the Select resources panel, choose stmsxavdpwoo and click Select.
Next to File share, choose Select a file.
Click to open the msix-pc-avd-prod-usw-001 file share.
Navigate to Microsoft.WindowsTerminal.Preview > 1.22.2912.0 and select the WindowsTerminalPreview cim file (the top file on the list), then click Select.
After AVD has extracted the information from the cim file – note the 64-bit Windows Terminal Preview MSIX package (the 8wekyb3d8bbwe publisher ID again corresponds to Microsoft Corporation, meaning the package was published and signed by Microsoft) and select Update.
You have successfully updated the Windows Terminal Preview app attach package. Session hosts in the host pool check for application assignments at boot and every 5 minutes thereafter, and updates are applied in the background. Users who are signed in and using the application when the update is initiated continue with the prior version for the rest of their session; users who sign in after the session host has picked up the update receive the new version. This orchestration means you can update (or roll back) an application without a maintenance window and without disrupting the employee experience.
You have now completed the interactive demo – click anywhere on the screen to continue.
Congratulations on completing the interactive demo.
You can select Home in the toolbar to return to the beginning of the demo, or select any exercise you wish to review.
Microsoft recently announced that Windows App - your secure gateway to Windows environments across Windows 365, Azure Virtual Desktop, Microsoft Dev Box, and more - is now supported by Microsoft Intune Mobile Application Management (MAM) on both iOS and Android devices.
Microsoft Intune MAM enables administrators to manage and protect corporate data at the application level on both managed and unmanaged devices. This means you can secure your organization's data within applications without requiring full device enrollment, making it ideal for Bring Your Own Device (BYOD) scenarios.
With this announcement, Windows App joins a comprehensive ecosystem of applications supported by Intune MAM. For a more complete picture, you can refer to the official list of Microsoft Intune protected apps.
In this interactive demo – you will learn how to configure Intune MAM for Windows App on unmanaged iOS and iPadOS devices at Contoso.
When you are ready, select an exercise to continue.
As a first step, you will define a filter for unmanaged iOS/iPadOS devices. Intune allows you to define filters for devices enrolled in Intune (managed devices) or apps managed by Intune (managed apps). Filters enable you to assign a policy based on rules you create – narrowing the assignment based on criteria such as manufacturer, OS version, whether the device is personal or organization-owned, etc.
Starting in Microsoft Intune admin center, logged in as admin@contoso.com, select Devices in the left navigation.
Click to scroll down in the left navigation of the Devices | Overview page and select Filters.
On the Devices | Filters page, click Create then select Managed apps.
On the Create Filter page, click in the Filter Name field to type, then type or copy/paste Unmanaged iOS devices and press Enter.
Click to expand the Platform menu and select iOS/iPadOS - then click Next.
Use the rule builder to define a rule for unmanaged devices:
- Click to expand the Property menu and select deviceManagementType.
- Expand the Operator menu and select Equals.
- Expand the Value menu and select Unmanaged.
- Click in the Rule syntax field to generate the expression, which reads (app.deviceManagementType -eq "Unmanaged"), and then click Next.
Review the settings and then select Create.
You have successfully created a filter for unmanaged iOS and iPadOS devices and are ready to define an App Protection Policy for Windows App on these devices – select Apps in the left navigation of the Intune admin center to continue.
Select an exercise to continue.
Intune app protection policies (APP) are rules that ensure an organization's data remains safe or contained in a managed app. These policies allow you to control how data is accessed and shared by apps on mobile devices. A policy can be a rule that is enforced when the user attempts to access or move "corporate" data, or a set of actions that are prohibited or monitored when the user is inside the app.
On the Apps | Overview page navigation, under Policy, select App protection policies.
On the Apps | App protection policies page, click Create policy and then choose iOS/iPadOS.
On the Create Policy page, select the Name field to type and then type or copy/paste Unmanaged iOS / iPadOS App Protection Policy and press Enter.
Select the Description field to type and then type or copy/paste Requirements for unmanaged devices to access corporate resources and then press Enter.
Click Next to continue.
Select the app to target with this policy – click + Select public apps.
On the Select apps to target panel, click in the Search field to type, then type or copy/paste Windows and press Enter.
Choose Windows App and then click Select.
Verify that Windows App is now listed under Public apps and click Next.
This page provides settings for data loss prevention (DLP) controls, including cut/copy/paste and save-as restrictions. These settings determine how users can move data out of the apps this app protection policy applies to. Click anywhere on the screen to scroll down and then block clipboard and third-party keyboard access:
- Expand the Restrict cut, copy and paste between other apps menu and then choose Blocked.
- Under Third party keyboards, choose Block, so that keystrokes entered into Windows App cannot be captured by a third-party keyboard extension with its own network access.
Select Next to continue to the Access requirements page.
The Access requirements page provides settings to allow you to configure the PIN and credential requirements that users must meet to access apps in a work context. Contoso will be using the default settings for iOS/iPadOS managed apps – select Next to continue.
The Conditional launch page provides settings to set the sign-in security requirements for your app protection policy:
- Under Device conditions, expand the Setting menu and choose Min OS Version.
- Select the Value field to type and then type or copy/paste 17.4.1 and press Enter.
- Expand the Action menu and choose Block access.
Configure the Maximum allowed device threat level:
- Expand the Setting menu and choose Max allowed device threat level.
- Expand the Value menu and select Secured.
- Expand the Action menu and choose Block access.
Specify the MTD service:
- Expand the Setting menu and choose Primary MTD Service.
- Expand the Value menu and select Microsoft Defender for Endpoint.
Select Next to continue.
The assignments page enables you to assign the app protection policy to groups of users. Under included groups – click Add groups.
On the Select groups to include panel, choose Contoso Engineering and then click Select.
To associate a filter with this assignment, select Edit filter in the Contoso Engineering row.
On the Filters panel, select Include filtered devices in assignment, then choose Unmanaged iOS devices and click Select.
Verify the assignment settings and click Next.
Click anywhere on the screen to scroll down and review your App Protection Policy settings, then click Create.
Congratulations, you have successfully created an App Protection Policy for unmanaged iOS/iPadOS devices at Contoso and assigned it to the Contoso Engineering group. Select App configuration policies to continue.
Intune app configuration policies enable administrators to remotely customize and manage the settings of Windows App on iOS/iPadOS and Android devices, ensuring a consistent and secure user experience when accessing Windows environments. By deploying these policies, IT teams can pre-configure essential settings within Windows App, such as device, camera and clipboard redirection, without requiring manual setup on individual devices. This streamlines the deployment process, reduces the potential for user error, and ensures compliance with organizational policies.
On the App | App configuration policies page, select +Add and then choose Managed apps.
On the Create app configuration policy page, select the Name field to type, then type or copy/paste Unmanaged iOS / iPadOS redirections and press Enter.
Select the Description field to type, then type or copy/paste No drive and clipboard redirection on an unmanaged device and press Enter.
Next, click +Select public apps.
On the Select apps to target panel, click in the Search field to type, then type or copy/paste Windows and press Enter.
Choose Windows App and then click Select.
Verify the basic settings and select Next.
We will not be configuring settings from the settings catalog – select Next.
On the Settings page, click to expand General configuration settings.
Under General configuration settings, you can specify configuration settings for Windows App using the existing AVD RDP properties. Start with the drive redirection settings:
- Select the Name field to type, then type or copy/paste drivestoredirect and press Enter.
- Select the Value field to type, then type or copy/paste 0 and press Enter. A value of 0 corresponds to ‘disabled’ and will prohibit access to the local drive on iPadOS.
Specify the redirectclipboard setting:
- Select the Name field to type, then type or copy/paste redirectclipboard and press Enter.
- Select the Value field to type, then type or copy/paste 0 and press Enter. A value of 0 corresponds to ‘disabled’ and will prevent local clipboard access.
Verify the settings, then click Next to continue to the Assignments page.
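The general configuration settings above are free-text name/value pairs, so a mistyped value (anything other than 0) does not disable the redirection it was meant to disable. The following added example, which is not part of the demo, models the policy in the shape Microsoft Graph returns for a managed-app configuration (assumed beta schema: targetedManagedAppConfiguration with a customSettings list of name/value pairs) and audits the two redirection keys named in the exercise so that such mistakes are caught before assignment.

```python
"""Model the Windows App configuration policy from the exercise and audit its
redirection posture. Added example, not code from the demo; the Graph resource
shape (targetedManagedAppConfiguration with customSettings) is an assumption."""

# Redirection keys named in the exercise, mapped to what a value of "0" disables.
REDIRECTION_KEYS = {
    "drivestoredirect": "local drive access",
    "redirectclipboard": "local clipboard access",
}


def build_app_config_policy(name: str, description: str, settings: dict[str, str]) -> dict:
    """Build a managed-app configuration payload (assumed Graph beta schema)."""
    return {
        "@odata.type": "#microsoft.graph.targetedManagedAppConfiguration",
        "displayName": name,
        "description": description,
        "customSettings": [{"name": k, "value": v} for k, v in settings.items()],
    }


def audit_redirections(policy: dict) -> dict[str, list[str]]:
    """Classify each known redirection key as disabled ("0"), enabled ("1"),
    unconfigured (key absent, so the client default applies) or invalid
    (any other free-text value, which does not disable anything)."""
    findings: dict[str, list[str]] = {"disabled": [], "enabled": [], "unconfigured": [], "invalid": []}
    configured = {
        s["name"].lower(): str(s["value"]).strip()
        for s in policy.get("customSettings", [])
    }
    for key in REDIRECTION_KEYS:
        value = configured.get(key)
        if value is None:
            findings["unconfigured"].append(key)
        elif value == "0":
            findings["disabled"].append(key)
        elif value == "1":
            findings["enabled"].append(key)
        else:
            findings["invalid"].append(f"{key}={value!r}")
    return findings


def is_locked_down(policy: dict) -> bool:
    """True only when every known redirection is explicitly disabled."""
    f = audit_redirections(policy)
    return not (f["enabled"] or f["unconfigured"] or f["invalid"])


# Constructed samples: the policy built in the exercise, and a variant with a
# typo in the clipboard value that the portal would accept without complaint.
EXERCISE_POLICY = build_app_config_policy(
    "Unmanaged iOS / iPadOS redirections",
    "No drive and clipboard redirection on an unmanaged device",
    {"drivestoredirect": "0", "redirectclipboard": "0"},
)
WEAK_POLICY = build_app_config_policy(
    "Drive only", "", {"drivestoredirect": "0", "redirectclipboard": "yes"}
)

if __name__ == "__main__":
    for p in (EXERCISE_POLICY, WEAK_POLICY):
        print(p["displayName"], audit_redirections(p), "locked down:", is_locked_down(p))
```

Run it as-is to see the exercise policy pass and the typo variant flagged as invalid; point `audit_redirections` at policies fetched from Graph to check a real tenant the same way.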
The assignments page enables you to assign the app configuration policy to groups of users. Under included groups – click Add groups.
On the Select groups to include panel, choose Contoso Engineering and then click Select.
To associate a filter with this assignment, select Edit filter in the Contoso Engineering row.
On the Filters panel, select Include filtered devices in assignment, then choose Unmanaged iOS devices and click Select.
Verify the assignment settings and click Next.
Verify the app configuration policy settings and select Create.
You have successfully created and assigned an App Configuration policy. Select Endpoint security in the left navigation of the Intune admin center to continue to create a Conditional Access policy.
In the Endpoint security | Overview left navigation under Manage, select Conditional access.
On the Conditional Access | Overview page navigation, select Policies.
Select New policy.
On the new Conditional Access policy page, select the Name field to type, then type or copy/paste AVD and W365 MAM enabled clients only and press Enter.
Specify which users the policy applies to - Select 0 users and groups selected and then, under Include, select All users.
Now, specify the target resources to protect. Select No target resources selected and then under Include, choose Select resources, and then under Select click None.
Your policy should target both Azure Virtual Desktop and Windows 365 Apps:
- On the Select panel, click in the Search field to type, then type or copy/paste Azure Virtual Desktop and press Enter.
- Select Azure Virtual Desktop from the search results.
- Click in the Search field again to type, then type or copy/paste Windows 365 and press Enter.
- Select the Windows 365 app and then click Select.
Under Conditions, click 0 conditions selected.
Under Device platforms, select Not configured.
Select iOS and Android:
- Set the Configure toggle to Yes.
- Under Include, choose Select device platforms.
- Select Android, then select iOS.
- Click Done.
Under Client apps, select Not configured.
Select the client apps this policy will apply to:
- Set the Configure toggle to Yes.
- De-select Browser, Exchange ActiveSync, and Other clients.
- Click Done.
Specify MFA and App Protection Policies as requirements for access:
- Under Access controls > Grant, click 0 controls selected.
- On the Grant panel, select Require multifactor auth.
- Select Require app protection policy and then click Select.
Given that this is Contoso's initial test deployment, you'll be creating the policy in report-only mode. In report-only mode, sign-ins are evaluated against the policy and the outcome is recorded in the sign-in logs, but the grant controls are not enforced, so you can confirm which clients would be affected before switching the policy on.
Review your Conditional Access policy settings and then click Create.
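Because a report-only policy does not enforce anything, it is worth being able to check, from the policy objects themselves, whether the MAM requirement built above is actually in force. The following added example (not part of the demo) audits a list of Conditional Access policies in the shape Microsoft Graph returns from /identity/conditionalAccess/policies and reports gaps: no policy covering the pattern, or a covering policy that is still report-only or disabled. The two resource application IDs are placeholders, since the demo does not list them.

```python
"""Audit Conditional Access policies for the MAM-only access pattern from the
exercise. Added example, not code from the demo; policies follow the Graph
conditionalAccessPolicy shape and the app IDs below are placeholders."""

# Placeholder application IDs for the two target resources (not from the demo).
AVD_APP_ID = "<azure-virtual-desktop-app-id>"
W365_APP_ID = "<windows-365-app-id>"
REQUIRED_APPS = {AVD_APP_ID, W365_APP_ID}
REQUIRED_PLATFORMS = {"android", "iOS"}
# "mfa" = Require multifactor authentication, "compliantApplication" = Require app protection policy
REQUIRED_CONTROLS = {"mfa", "compliantApplication"}


def build_mam_policy(display_name: str, state: str) -> dict:
    """Construct the policy from the exercise. state is one of
    'enabledForReportingButNotEnforced' (report-only), 'enabled' or 'disabled'."""
    return {
        "displayName": display_name,
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": sorted(REQUIRED_APPS)},
            "platforms": {"includePlatforms": sorted(REQUIRED_PLATFORMS)},
            "clientAppTypes": ["mobileAppsAndDesktopClients"],
        },
        "grantControls": {"operator": "AND", "builtInControls": sorted(REQUIRED_CONTROLS)},
    }


def covers_mam_requirement(policy: dict) -> bool:
    """True when the policy requires MFA and an app protection policy for all
    users opening AVD/W365 from the Android or iOS mobile clients."""
    c = policy.get("conditions", {})
    g = policy.get("grantControls") or {}
    apps = set(c.get("applications", {}).get("includeApplications", []))
    platforms = set(c.get("platforms", {}).get("includePlatforms", []))
    client_types = set(c.get("clientAppTypes", []))
    controls = set(g.get("builtInControls", []))
    return (
        "All" in c.get("users", {}).get("includeUsers", [])
        and (REQUIRED_APPS <= apps or "All" in apps)
        and (REQUIRED_PLATFORMS <= platforms or "all" in platforms)
        and ("mobileAppsAndDesktopClients" in client_types or "all" in client_types)
        and g.get("operator") == "AND"
        and REQUIRED_CONTROLS <= controls
    )


def enforcement_gaps(policies: list[dict]) -> list[str]:
    """Return human-readable gaps: no covering policy at all, or covering
    policies whose state means they are evaluated but not enforced."""
    covering = [p for p in policies if covers_mam_requirement(p)]
    if not covering:
        return ["no Conditional Access policy requires MFA + app protection policy for AVD/W365 on iOS/Android"]
    return [
        f"{p['displayName']!r} is {p.get('state')}; report-only/disabled policies do not enforce"
        for p in covering
        if p.get("state") != "enabled"
    ]


# Constructed sample tenant: the exercise's report-only policy plus an unrelated one.
SAMPLE_POLICIES = [
    build_mam_policy("AVD and W365 MAM enabled clients only", "enabledForReportingButNotEnforced"),
    {
        "displayName": "Block legacy auth",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["exchangeActiveSync", "other"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
]

if __name__ == "__main__":
    for gap in enforcement_gaps(SAMPLE_POLICIES):
        print("GAP:", gap)
```

On the constructed sample the audit reports the exercise policy as report-only; once Contoso has reviewed the sign-in log results and set the policy to enabled, the same function returns no gaps.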
Congratulations, you have completed the interactive demo. Click anywhere on the screen to continue.
Congratulations on completing the Intune Mobile Application Management (MAM) Support for Windows App on iOS and Android interactive demo.
You can choose any exercise to review or select the Home button to return to the beginning of the AVD Interactive Demo.