Field Notes: AVD Multi-session + Intune
Issue:
I was pulled in by one of our AVD engineers yesterday for an assist getting multi-session AVDs enrolled in MEMC. This capability is relatively new, and just hit general availability.
Troubleshooting:
Microsoft lists the following prerequisites for onboarding multi-session AVD:
Running Windows 10 multi-session, version 1903 or later, or running Windows 11 multi-session.
Set up as remote desktops in pooled host pools that have been deployed through Azure Resource Manager.
Running an Azure Virtual Desktop agent version of 1.0.2944.1400 or later.
Hybrid Azure AD-joined and enrolled in Microsoft Intune using one of the following methods:
Configured with Active Directory group policy, set to use Device credentials, and set to automatically enroll devices that are Hybrid Azure AD-joined.
Configuration Manager co-management.
Azure AD-joined and enrolled in Microsoft Intune by enabling Enroll the VM with Intune in the Azure portal.
After connecting to the VM, I noticed that the machine was getting the GPO to enable hybrid join, Azure AD SSO, and Intune auto-enrollment, and dsregcmd /status showed a successful hybrid join. Two other things I noticed from the dsregcmd output were that the machine was pulling all of the correct MDM URLs, and that a PRT was not issued at login. PRTs are required to successfully auto-enroll a typical workstation, so that stood out.
The auto-enrollment scheduled task was created, but when it ran it logged the following error under event ID 52:
MDM Enroll: Server Returned Fault/Code/Subcode/Value=(MessageFormat) Fault/Reason/Text=(Unsupported enrollment for multisession devices with enrollment type: WVDHybridAzureADJoin; user: 1830fa78-a099-49d5-9a78-b233e4995f55).
Solution:
Digging into the documentation for multi-session in MEM, Microsoft repeatedly points out that CSPs and other assignments can only be made to devices, not users. This makes sense, as on a multi-session workstation there is no primary user. Based on that, I updated the GPO for Intune auto-enrollment to use the device credential instead of the credential of the signed-in user. Once that was done and the AVDs were all rebooted, they started popping into MEM pretty quickly!
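As an added example (not from the original post), here is a PowerShell check that gathers the signals the troubleshooting above relied on on a session host: the dsregcmd join and PRT state, the credential type configured by the auto-enrollment GPO, the enrollment scheduled task, and the most recent event ID 52. The registry path and value names, the task name, and the event log name are assumed from the standard Windows auto-enrollment policy rather than taken from the post.

```powershell
# Added diagnostic script, not part of the original post. Assumptions: the
# auto-enrollment GPO writes HKLM\...\CurrentVersion\MDM (AutoEnrollMDM and
# UseAADCredentialType), the enrollment task lives under EnterpriseMgmt, and
# faults land in the DeviceManagement-Enterprise-Diagnostics-Provider/Admin log.
$ErrorActionPreference = 'SilentlyContinue'

# 1. Hybrid join / PRT state. On a multi-session host a missing PRT is expected,
#    so DomainJoined + AzureAdJoined = YES with AzureAdPrt = NO is not the problem.
$ds = dsregcmd /status
foreach ($key in 'DomainJoined', 'AzureAdJoined', 'AzureAdPrt', 'MdmUrl') {
    $line = $ds | Where-Object { $_ -match "^\s*$key\s*:" } | Select-Object -First 1
    $value = if ($line) { ($line -split ':', 2)[1].Trim() } else { 'n/a' }
    '{0,-14} {1}' -f $key, $value
}

# 2. Auto-enrollment policy. UseAADCredentialType 1 = User credential,
#    2 = Device credential (assumed mapping from the GPO's ADMX definition).
$mdm = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'
$credType = switch ($mdm.UseAADCredentialType) {
    1 { 'User credential' }
    2 { 'Device credential' }
    default { 'not set' }
}
"AutoEnrollMDM  $($mdm.AutoEnrollMDM)  CredentialType $credType"
if ($mdm.UseAADCredentialType -ne 2) {
    Write-Warning 'Multi-session hosts must enroll with the Device credential; user-credential enrollment is what produced the WVDHybridAzureADJoin fault.'
}

# 3. The scheduled task the GPO creates to trigger enrollment.
$task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmt\' `
    -TaskName 'Schedule created by enrollment client for automatically enrolling in MDM from AAD'
if ($task) {
    $info = Get-ScheduledTaskInfo -InputObject $task
    "Enrollment task: $($task.State), last run $($info.LastRunTime), result 0x{0:X}" -f $info.LastTaskResult
} else {
    'Enrollment scheduled task not found (GPO not applied yet?)'
}

# 4. Latest enrollment fault (event ID 52), e.g. the "Unsupported enrollment for
#    multisession devices" message quoted above.
$ev = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
    Id      = 52
} -MaxEvents 1
if ($ev) { "Last event 52 at $($ev.TimeCreated):`n$($ev.Message)" } else { 'No event 52 logged' }
```

Run it in an elevated session on the host after the GPO has refreshed; if the credential type still reads User credential, run gpupdate /force and reboot before expecting the device to appear in MEM.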
Pro-tip:
To make it easier to assign policies to your AVDs in MEMC, create a dynamic distribution group based off either your AVD naming convention or the OS type, which identifies itself as Windows Enterprise Multi-session!