Welcome to this module on configuring user settings through group policy and endpoint manager policies.  In this module we will cover the following topics:

• Configuring Azure Virtual Desktop via Group Policy, including a walkthrough demo
• Configuring Azure Virtual Desktop via Endpoint Manager, including a walkthrough demo

Let’s start this module by looking at configuring AVD via Group Policy.  In order to allow Group Policy to be able to access Azure Virtual Desktop, you need to ensure your session hosts are either Active Directory Domain joined, or Hybrid joined.

You can then deploy group policies the same way you would in an on-premises environment, including being able to configure both computer configuration policies and user configuration policies.  Let’s do a demo configuration of a group policy for Azure Virtual Desktop.

Here we are logged into one of our Azure virtual machines that we are preparing as a golden image for our AVD deployment.  We need to navigate to the local group policy app from the Start menu.  As you can see here we have both Computer and User configuration.  

We will now browse to the Windows settings under Computer configuration, then Security settings then click on the Network List Manager Policies.  We have 4 options here, but we want to choose All networks.  This policy Is going to allow us to control permissions for if users can change the network name, location, or icon from within the session.  We are going to change each option so the user cannot change any of them and click on OK.

Let’s check out some additional settings we can configure via Group Policy.  This time, under computer configuration, let's select administrative templates and then expand network.  Here we have a whole host of settings we can configure, including Background Intelligent Transfer Service (BITS) and DirectAccess Client Experience Settings.  

Let’s select the BITS settings and again we have a whole list of settings we can configure.  For example, if we double click ‘Do not allow the computer to act as a BITS processing server’ if we enable this then the session hosts will no longer cache downloaded files and offer them to its peers.

Let’s now check out the network settings we can configure, specifically the ‘Prohibit use of Internet Connection Sharing on you DNS Domain network’.  By enabling this setting, ICS cannot be enabled or configured by an administrator and the service cannot be run on this session host. We have multiple policies we can configure but this very much depends on your organization’s requirements. Now we have looked at configuring Group policy for Azure Virtual Desktop, let’s look at configuring AVD via Endpoint Manager.

In order to allow Endpoint Manager to be able to access Azure Virtual Desktop, you need to ensure your session hosts are either Azure AD joined, or Hybrid joined.  However, there are some limitations, for example, it is not possible to deploy a configuration policy to configure Wi-Fi settings on a Windows 10 device.  Additionally, Autopilot reset is not currently supported with Endpoint Manager integration.  Another limitation example is that it is not currently possible to remotely wipe an Azure Virtual Desktop session host via Endpoint Manager. 

We will finish this module with a demo of configuring Azure Virtual Desktop via Endpoint Manager.

Here we are logged into the Endpoint Manager portal. Let’s navigate to our session host which is Azure AD enrolled which we can see if currently fully compliant and managed by Intune.  If we click on it we can see we have multiple options we can manage, but if we go back a step we can see the different types of policies and profiles we can configure, including Compliance policies, configuration profiles, and Windows 10 update rings.

If we go back into the device again, we can see the options that are support and not supported as they are greyed out, and if needed, we can obtain information from the left-hand side menu regarding device compliance and configuration.