// Host Pool Architecture
AVD Host Pool Types & Session Configuration
AVD is fully PaaS-brokered โ no Connection Server or Delivery Controller to manage. Host pools are collections of session hosts (Azure VMs) with a shared workspace and application groups.
๐ Pooled โ BreadthFirst
Distributes users across all session hosts equally. Every host gets sessions before any host is saturated. Best for: mixed workloads, ensuring host redundancy, baseline density.
Max sessions per host โ evenly distributed
๐ฆ Pooled โ DepthFirst
Fills each session host to max before moving to next. Best for: cost savings with autoscaling (fewer powered-on hosts needed), non-critical workloads where host density matters.
Fill host to max โ then start next host
๐ค Personal (Persistent)
1:1 user-to-VM assignment. VM persists all user data. No FSLogix required (local profile). Automatic or direct assignment. Best for: power users, developers, GPU workstations.
User always gets same VM
๐ฅ๏ธ Multi-Session (W10/11 EVD)
Windows 10/11 Enterprise Multi-Session โ unique to Azure. Multiple concurrent users on same Windows client OS. Lower licensing cost than RDSH Server. Supports modern desktop apps.
Windows 11 EVD 24H2 recommended
โ๏ธ Windows 365 (W365)
Cloud PC โ fully managed, per-user per-month pricing. No Azure subscription management. Fixed cost. Simplified management via Intune. Best for SMB or M365-centric orgs.
W365 Business / Enterprise ยท Fixed $/user/month
๐ Entra ID Join (2026 GA)
Session hosts joined to Entra ID (no AD required). Single Sign-On via Entra. Intune managed. Best for cloud-native orgs without on-prem AD. FSLogix works โ requires Azure Files + SMB RBAC.
No domain controller required
AVD Architecture Overview
| Component | Azure Service | Description | Admin Control |
|---|---|---|---|
| Control Plane (Broker) | AVD Service (Microsoft-managed) | Session routing, authentication, app group management. SLA: 99.9% uptime. | Config only โ no infrastructure |
| Session Hosts | Azure VMs (you manage) | Windows 10/11 EVD or Server. D-series (Dsv5 recommended), NV-series for GPU. | Full control โ SKU, patch, image |
| Profile Storage | Azure Files Premium / ANF | FSLogix VHDLocations or CCDLocations. Must be Private Endpoint for performance. | Storage account + share config |
| Identity | Entra ID + AD DS (or Entra-only) | Hybrid: Entra ID + AD DS (AADDS or on-prem AD). Cloud-native: Entra ID join only. | Identity strategy determines design |
| Connectivity | AVD Gateway + RDP Shortpath | AVD Gateway handles external access. RDP Shortpath = direct UDP path for LAN/VPN users. | NSG + Conditional Access |
// Image Management Pipeline
AVD Image Pipeline โ AIB + Azure Compute Gallery
Azure Image Builder (AIB) + Azure Compute Gallery (ACG, formerly Shared Image Gallery) is the production-grade AVD image pipeline. No more manual gold image maintenance.
AIB Pipeline โ Key Steps
01
Base Image Source
Azure Marketplace: Windows 11 Enterprise Multi-Session + M365 Apps (recommended for most). Or bring your own custom VHD.
02
AIB Template (JSON/Bicep)
Define customization steps: install FSLogix, WinGet apps, Choco packages, PowerShell scripts, Windows Updates, sysprep. Triggered via Azure DevOps or GitHub Actions.
03
Build & Generalize
AIB builds in temporary resource group. Runs all scripts, installs, updates. Runs sysprep + generalizes. Build time: 20โ60 min depending on apps.
04
Publish to ACG
Image stored as versioned definition in Azure Compute Gallery. Replicated to multiple regions. Host pool references ACG image definition (not specific version) for rolling updates.
05
Host Pool Update
Update host pool to use new ACG image version. New VMs provision from new image. Drain existing hosts at next maintenance window. Rolling update: zero downtime.
AIB Template (Bicep Snippet)
# Azure Image Builder โ key config sections
# Full template: learn.microsoft.com/azure/virtual-machines/linux/image-builder
resource imageTemplate 'Microsoft.VirtualMachineImages/imageTemplates@2022-02-14' = {
name: 'avd-win11-m365-$(date)'
properties: {
source: {
type: 'PlatformImage'
publisher: 'MicrosoftWindowsDesktop'
offer: 'windows-11'
sku: 'win11-24h2-avd-m365'
version: 'latest'
}
customize: [
{
type: 'PowerShell'
name: 'InstallFSLogix'
scriptUri: 'https://stg.blob.core.windows.net/scripts/Install-FSLogix.ps1'
}
{
type: 'WindowsUpdate'
searchCriteria: 'IsInstalled=0'
filters: ['exclude:$_.Title -like "*Preview*"']
}
{
type: 'PowerShell'
name: 'AVD-Optimize'
inline: ['C:\\AVDImage\\Virtual-Desktop-Optimization-Tool\\Win11_VirtualDesktop_Optimize.ps1 -Optimizations All']
}
]
distribute: [{
type: 'SharedImage'
galleryImageId: acg.id
runOutputName: 'avd-image-$(date)'
}]
}
}Image Best Practices: Always include the Virtual Desktop Optimization Tool (VDOT) in your AIB pipeline โ it disables 60+ services and scheduled tasks that are irrelevant in VDI. Install FSLogix in the image (not via Intune extension) for faster first-logon. Install M365 Apps with shared computer activation config.
// FSLogix on AVD
FSLogix on Azure Files Premium โ The Right Way
Azure Files Premium (SMB) is the recommended profile storage for AVD. Do not use Standard (HDD) tier โ IOPS are insufficient. Always use Private Endpoint โ public access over the internet to profile shares is unacceptable.
| Storage Option | Tier | Max IOPS | Use Case | Recommendation |
|---|---|---|---|---|
| Azure Files Premium | SSD (FileStorage) | 100,000 IOPS (1 TiB) | FSLogix profile containers, ODFC, MSIX | Recommended |
| Azure Files Standard | HDD (StorageV2) | 1,000โ3,000 IOPS | Dev/test only | Avoid for prod |
| Azure NetApp Files (ANF) | Ultra/Premium NFS/SMB | 450,000+ IOPS | Large scale (>5,000 users), low latency | Large scale |
| Azure Files Premium (Cloud Cache) | SSD ร 2 regions | 100k IOPS ร 2 providers | HA/DR across Azure regions | HA/DR required |
Azure Files Premium โ Setup
# 1. Create Storage Account (FileStorage tier):
az storage account create \
--name stfslogixprod \
--resource-group rg-avd-prod \
--sku Premium_LRS \
--kind FileStorage \
--https-only true \
--allow-shared-key-access true
# 2. Create file share (min 1 TiB for 100k IOPS):
az storage share-rm create \
--storage-account stfslogixprod \
--name profiles \
--quota 1024 # 1 TiB = 100k IOPS
# 3. Private Endpoint (REQUIRED):
az network private-endpoint create \
--name pe-fslogix \
--resource-group rg-avd-prod \
--vnet-name vnet-avd \
--subnet subnet-pe \
--private-connection-resource-id [storage-id] \
--group-id file
# 4. RBAC for Session Hosts (Entra ID join):
# Assign: Storage File Data SMB Share Contributor
# To: Session host VMs managed identityFSLogix GPO / Registry for AVD
# FSLogix settings for AVD Multi-Session
# Deploy via Intune Configuration Profile or GPO
# HKLM\SOFTWARE\FSLogix\Profiles
Enabled = 1
VHDLocations = \\stfslogixprod.file.core.windows.net\profiles
# OR for Cloud Cache (HA/DR):
CCDLocations = type=smb,name="EastUS",connectionString=\\stor1.file.core.windows.net\profiles;type=smb,name="WestUS",connectionString=\\stor2.file.core.windows.net\profiles-dr
VolumeType = VHDX
SizeInMBs = 30720 # 30 GB
DeleteLocalProfileWhenVHDShouldApply = 1
FlipFlopProfileDirectoryName = 1
PreventLoginWithTempProfile = 1
PreventLoginWithFailure = 1
ClearCacheOnLogoff = 1 # Cloud Cache only
# Entra ID join RBAC (instead of AD perms):
# Storage File Data SMB Share Contributor = session hosts
# Storage File Data SMB Share Elevated Contributor = adminsโ Common AVD FSLogix Mistake: Using Azure Files Standard tier โ profile mounts during logon storm (100+ users logging in 8โ9 AM) will queue and time out. Standard tier maxes at 1,000โ3,000 IOPS. A 200-user pool needs 2,000+ IOPS at logon storm. Always Premium. Always Private Endpoint. Size at minimum 1 TiB (100k IOPS).
// MSIX App Attach
MSIX App Attach โ Strict Mode & Best Practices
MSIX App Attach delivers applications as VHD/VHDX images mounted at logon. 2026 introduces Strict Mode for enhanced security. Replaces traditional app layering for most use cases.
MSIX App Attach โ How It Works
- 1.Package application as MSIX (using MSIX Packaging Tool)
- 2.Expand into VHD/VHDX container using
msixmgr.exe - 3.Upload to Azure Files share (same as FSLogix or dedicated share)
- 4.Register in AVD portal: App Packages โ Add Package
- 5.Assign to Application Group and App Group users
- 6.At logon: VHD mounted, app registered in session, visible in Start Menu
Strict Mode (2026): Packages must be signed by a trusted CA. Unsigned packages rejected. Prevents malicious package injection. Enable via: App Packages โ Settings โ Enforce strict package signing.
MSIX Packaging Command Reference
# Convert MSIX to VHD container:
msixmgr.exe -Unpack `
-packagePath "C:\Apps\MyApp.msix" `
-destination "\\storage\msix\MyApp.vhd" `
-applyACLs -create -vhdSize 500 `
-filetype VHD
# Or VHDX (recommended โ resizable):
msixmgr.exe -Unpack `
-packagePath "C:\Apps\MyApp.msix" `
-destination "\\storage\msix\MyApp.vhdx" `
-applyACLs -create -vhdSize 500 `
-filetype VHDX
# Sign MSIX package (Strict Mode requirement):
# Using code signing cert:
SignTool sign /fd SHA256 `
/a /f "cert.pfx" /p "password" `
"C:\Apps\MyApp.msix"
# Validate MSIX:
Add-AppxPackage -Path "C:\Apps\MyApp.msix" -Stage// Networking & RDP Shortpath
AVD Networking โ RDP Shortpath, Gateway & Private Endpoints
RDP Shortpath (Managed)
Direct UDP path from client to session host. Bypasses AVD Gateway relay. Requires: client on same network as session hosts (corpnet or Express Route). Best for on-prem users accessing AVD.
UDP 8443 or 10000-65535 range (configurable)
RDP Shortpath (Public)
STUN/TURN-based UDP path for public internet clients. Uses NAT traversal. Requires: enable in host pool config + NSG allow. Lower latency than gateway relay for remote users.
STUN: 20.202.0.0/16 UDP 3478 outbound from client
AVD Gateway (Fallback)
All traffic relayed through Microsoft's AVD Gateway. Fully redundant, no infrastructure required. Used when RDP Shortpath unavailable. TCP 443 only. Always works, higher latency.
TCP 443 outbound from client โ *.wvd.microsoft.com
| NSG Rule | Direction | Port/Protocol | Source/Destination | Purpose |
|---|---|---|---|---|
| AllowAVDGateway | Outbound | TCP 443 | VMs โ WindowsVirtualDesktop service tag | AVD control plane communication |
| AllowRDPShortpath | Inbound | UDP 8443 | VirtualNetwork โ VMs | RDP Shortpath managed networks |
| AllowFSLogix | Outbound | TCP 445 | VMs โ Storage PE subnet | SMB to Azure Files (Private Endpoint) |
| AllowKMS | Outbound | TCP 1688 | VMs โ Internet (azkms.core.windows.net) | Windows KMS activation |
| AllowMonitoring | Outbound | TCP 443 | VMs โ AzureMonitor service tag | Log Analytics / Diagnostics |
| AllowIntune | Outbound | TCP 443 | VMs โ *.manage.microsoft.com | Intune MDM (Entra ID join) |
// Autoscaling
AVD Autoscaling โ Scaling Plans & Cost Management
AVD native autoscaling (Scaling Plans) powers down session hosts when idle and provisions them on demand. Critical for cost management โ idle VMs are the #1 waste in AVD deployments.
Scaling Plan Configuration
# AVD Scaling Plan โ key settings
# Portal: Azure Virtual Desktop > Scaling Plans
# Ramp-up (7-9 AM):
RampUpStartTime = 07:00
RampUpLoadThreshold = 60% # Start new VMs if >60% sessions
RampUpMinimumHosts = 3 # Always keep 3 hosts on
RampUpCapacityThreshold = 80% # Max before adding more
# Peak hours (9 AM - 5 PM):
PeakStartTime = 09:00
PeakLoadThreshold = 80% # Trigger point for scale-out
PeakMinimumHosts = 5 # Minimum during peak
# Ramp-down (5-8 PM):
RampDownStartTime = 17:00
RampDownForceLogOff = true # Send disconnect message
RampDownWaitTime = 30 min # Grace before shutdown
RampDownMinimumHosts = 2 # Keep 2 for late users
# Off-peak (8 PM - 7 AM):
OffPeakMinimumHosts = 1 # Keep 1 for emergencies
OffPeakLoadThreshold = 90%Scaling Best Practices
- โธDepthFirst + Autoscale โ maximizes cost savings. Packs users on fewer hosts โ shuts down empty ones.
- โธStart VM On Connect โ enable for personal host pools. VM starts when user connects (vs pre-warming).
- โธDrain mode โ use instead of forced logoff. Users keep sessions, no new ones allowed on draining host.
- โธReserved Instances โ buy 1-year RI for base capacity. Spot/On-demand for burst. 60โ70% cost reduction.
- โธCustom schedule โ align ramp-up to your org's timezone. Don't pre-warm 2 hours early.
- !Watch FSLogix detach โ ensure profile properly unmounts before VM shuts down. Set ClearCacheOnLogoff=1.
// VM SKU Sizing
Azure VM SKU Recommendations for AVD 2026
| VM SKU | vCPU | RAM | Local Storage | Use Case | Sessions/VM | Notes |
|---|---|---|---|---|---|---|
| Standard_D4s_v5 | 4 | 16 GB | None (remote) | Multi-session knowledge workers | 8โ12 | Best price/perf for general use. D-series v5 = 3rd gen Intel/AMD. No local disk. |
| Standard_D8s_v5 | 8 | 32 GB | None | Multi-session power workers | 16โ24 | Good density for Teams-heavy users. Most common pooled SKU. |
| Standard_D8as_v5 | 8 | 32 GB | None | AMD EPYC โ same workloads | 16โ24 | AMD variant โ often cheaper spot pricing. |
| Standard_Das_v5 Ephemeral | 4โ8 | 16โ32 GB | Local SSD (ephemeral) | Non-persistent, FSLogix Cloud Cache local | 12โ20 | Ephemeral OS disk = no managed disk cost. Use D: for FSLogix cache. Fastest logon. |
| Standard_NV4as_v4 | 4 | 14 GB | None | Light GPU (AMD Radeon Pro) | 1โ2 | 3D acceleration for general use. 1/8 GPU partition. Good for Office 3D, light CAD. |
| Standard_NV36ads_A10_v5 | 36 | 440 GB | None | Heavy GPU (NVIDIA A10) | 1โ4 (GPU limited) | Full NVIDIA A10 (24 GB). Revit, Solidworks, video edit. Most cost-effective GPU in Azure. |
| Standard_NC6s_v3 | 6 | 112 GB | 736 GB NVMe | ML / CUDA workloads | 1 | NVIDIA V100. Not typical VDI โ ML inference, AI rendering. |
Ephemeral OS Disk Tip: Use ephemeral OS disk (VM local NVMe) for non-persistent pools โ eliminates the OS disk managed disk cost (~$15โ20/month/VM). Enable in host pool VM creation. Place FSLogix cache on D: drive (ephemeral). Massive cost savings at scale (1,000 VMs = $15,000โ20,000/month savings).
// Monitoring & KQL
AVD Monitoring โ Azure Monitor & KQL Queries
Enable AVD Diagnostics โ Log Analytics workspace for full visibility. The AVD Insights Workbook in Azure Monitor provides out-of-box dashboards.
Useful KQL Queries
// Session connection errors (last 24h)
WVDConnections
| where TimeGenerated > ago(24h)
| where State == "Completed"
| where SessionDurationSeconds < 30
| project UserName, ClientOS, ClientIPAddress,
SessionDurationSeconds, DisconnectReasonDescription
| order by TimeGenerated desc
// Host pool capacity by session host
WVDAgentHealthStatus
| where TimeGenerated > ago(1h)
| summarize AvgCPU=avg(CPUUsage),
AvgMem=avg(MemoryUsage),
Sessions=max(ActiveSessions)
by SessionHostName
| order by Sessions desc
// FSLogix mount failures
Event
| where Source == "Microsoft-FSLogix-Apps"
| where EventID in (26, 27, 28)
| where TimeGenerated > ago(1h)
| project TimeGenerated, EventID,
RenderedDescription, Computer
| order by TimeGenerated desc
// Logon duration analysis
WVDConnections
| where TimeGenerated > ago(7d)
| where State == "Connected"
| summarize P50=percentile(LogonDuration,50),
P95=percentile(LogonDuration,95),
P99=percentile(LogonDuration,99)
by bin(TimeGenerated, 1h)Key Diagnostics to Enable
| Resource | Tables to Enable |
|---|---|
| Host Pool | WVDConnections, WVDErrors, WVDCheckpoints |
| Workspace | WVDFeeds |
| Session Host VMs | Perf, Event, WVDAgentHealthStatus |
| Azure Files | StorageFileLogs (throttling events) |
AVD Insights Workbook: Azure Monitor > Workbooks > AVD Insights (built-in). Shows: host pool capacity, connection reliability, logon duration, user experience score, FSLogix health โ all from Log Analytics. Enable diagnostics on Host Pool + Workspace + VMs for full data.
// Cost Optimization
AVD Cost Optimization โ The Big Levers
| Optimization | Savings Potential | How | Notes |
|---|---|---|---|
| Reserved Instances (1 or 3 yr) | 40โ60% off compute | Buy RI for base capacity (min always-on VMs) | 1-year RI = ~40% off. 3-year = ~60%. Commit to D-series that you'll always need. |
| Spot VMs (burst capacity) | 60โ90% off | Spot VMs for burst/ramp โ handle eviction gracefully | Non-persistent pools only. Spot eviction ends sessions. Warn users or use drain mode. |
| Autoscale (Scaling Plans) | 30โ50% off | Power off idle VMs during off-peak | DepthFirst + Scaling Plan = max density + min on VMs. Single biggest operational saving. |
| Ephemeral OS Disk | $15โ20/VM/month | Enable ephemeral OS disk on qualifying SKUs | D-series v5 with >=4 vCPU supports ephemeral. Eliminates Premium SSD OS disk charge. |
| Multi-Session (EVD) vs VDI | 5โ10ร density | Windows 11 EVD for task/knowledge workers vs single-session | D8s_v5 = 16โ24 users vs 2 single-session VMs. Game changer at scale. |
| Azure Hybrid Benefit | ~30% off Windows | Use existing Windows or Microsoft 365 licenses | M365 E3/E5 includes AVD user access. Windows Server licenses via AHUB for server sessions. |
| Azure Files Premium Sizing | Avoid over-provisioning | Provision exactly what you need (charged per-provisioned TiB) | 1 TiB = $0.17/GB/month. Monitor usage. Scale up if needed โ scale down requires new share. |
// Related Pages