Intune Configuration Profiles for AVD Optimization

This article is designed to give you an overview of how to optimize your Azure Virtual Desktop (#AVD) virtual machines managed by Intune and based on the Windows 10/11 multi-session operating system.

Table of contents

  1. How to configure profiles
  2. Windows 11/10 multi-session settings (Computer Settings only)
  3. How to import an Intune device configuration profile
  4. Where is the option “gpupdate /force”?
  5. Troubleshooting

How to configure profiles

  1. Open the Intune console and sign in with your Intune Administrator account or another user who has sufficient permissions to configure Windows policies.
  2. Navigate to Devices > Windows > Configuration profiles and click Create profile.
  3. Select Windows 10 and later as the Platform and Settings catalog (preview) as the Profile type, then click Create.
  4. Enter your profile name following your naming convention and click Next.
  5. Click Add settings to open the settings catalog.
  6. Apply a filter in the settings picker so that only the settings supported by Windows 10/11 Enterprise multi-session are shown.
  7. Now you can search for a setting and enable it for your profile.

Note: User-scoped settings are shown as (users).

  8. After picking your settings, configure them and click Next.
  9. Assign this profile to a device group, or to a user group for non-multi-session operating systems, and click Next.
  10. Configure a Scope tag if needed, otherwise click Next and then Review + create to create this configuration profile.

Windows 11/10 multi-session settings

User and device settings for Windows 11/10 multi-session are now generally available. See more details here.

These computer settings are based on the Virtual-Desktop-Optimization-Tool:

Setting | Value
--- | ---
Force a specific default lock screen and logon image | Enabled
Path to lock screen image: (Device) | C:\Windows\web\screen\img105.jpg
Turn off fun facts, tips, tricks, and more on lock screen (Device) | True
Allow BITS Peercaching | Disabled
Do not allow the computer to act as a BITS Peercaching client | Enabled
Do not allow the computer to act as a BITS Peercaching server | Enabled
Specify passive polling | Enabled
Disable passive polling (Device) | True
Turn off “Found New Hardware” balloons during device installation | Enabled
Continue experiences on this device | Disabled
Turn off access to all Windows Update features | Enabled
Turn off Event Viewer “Events.asp” links | Enabled
Turn off Help and Support Center “Did you know?” content | Enabled
Turn off Help and Support Center Microsoft Knowledge Base search | Enabled
Turn off Registration if URL connection is referring to Microsoft.com | Enabled
Turn off Search Companion content file updates | Enabled
Turn off Windows Customer Experience Improvement Program | Enabled
Turn off Windows Update device driver searching | Enabled
Do not display the Getting Started welcome screen at logon | Enabled
Show clear logon background | Enabled
Turn off System Restore | Enabled
Configure Scheduled Maintenance Behavior | Disabled
Execution Level (Device) | Regular
Configure Security Policy for Scripted Diagnostics | Disabled
Troubleshooting: Allow users to access and run Troubleshooting Wizards | Disabled
Troubleshooting: Allow users to access online troubleshooting content on Microsoft servers from the Troubleshooting Control Panel (via the Windows Online Troubleshooting Service – WOTS) | Disabled
Turn off Inventory Collector | Enabled
Set the default behavior for AutoRun | Enabled
Default AutoRun Behavior | Do not execute any autorun commands
Do not allow window animations | Enabled
Do not show the ‘new application installed’ notification | Enabled
Prevent the computer from joining a homegroup | Enabled
Allow Microsoft services to provide enhanced suggestions as the user types in the Address bar | Disabled
Turn off sensors | Enabled
Turn off Windows Location Provider | Enabled
Do Not Show First Use Dialog Boxes | Enabled
Allow Configuration Update For Books Library | Block
Allow Prelaunch | Block
Allow Web Content On New Tab Page | Block
Always Enable Books Library | Disabled
DO Download Mode | 9 – Simple download mode with no peering. Delivery Optimization downloads using HTTP only and does not attempt to contact the Delivery Optimization cloud services. Added in Windows 10 Version 1607.
Allow Find My Device | Block
Configure Chat Icon | Disabled
Do Not Show Feedback Notifications | Feedback notifications are disabled.
Allow Edge Swipe | Block
Allow Offline Maps Download Over Metered Connection | Disabled. Force disable auto-update over metered connection.
Allow Game DVR | Block
Allow user feedback | Disabled
Automatically import another browser’s data and settings at first run | Enabled
Automatically import another browser’s data and settings at first run (Device) | Disables automatic import and the import section of the first-run experience is skipped
Block all ads on Bing search results | Enabled
Hide the First-run experience and splash screen | Enabled
Disable Advertising ID | Disabled
Allow Online Tips | Block
Allow Disk Health Model Updates | Do not allow
Allow Linguistic Data Collection | Block
Allow widgets | Not allowed
Manage Preview Builds | Disable Preview builds

The settings for chat icon and widgets are effective only on Windows 11.

How to import an Intune device configuration profile

You can provision these settings in an Intune configuration profile automatically via Microsoft Graph or via the Intune portal. In both cases you need a template file containing all the optimized settings. Here you can download our exported JSON policy template file.

First open the Microsoft Intune admin center (https://in.cmd.ms) and then navigate to Devices > Configuration profiles.

Next, click on Create and then select Import policy to import a policy from a JSON file.

This Intune Import Policy feature is currently in public preview.

Select the policy template file (JSON), e.g. DeviceConfig-WIN-VDI-Optimization_2023-11-20.json, and enter a name for your new device configuration profile, then click Save.

Your VDI optimization device configuration profile is now available and you can adjust its settings.
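The same import can be done without the portal. The following script is an added example, not code from the original article: it reads an exported settings catalog JSON file and creates a new policy through the Microsoft Graph beta endpoint deviceManagement/configurationPolicies using the Microsoft.Graph PowerShell SDK (Invoke-MgGraphRequest). The file name, the new policy name, and the assumption that the export carries the platforms, technologies and settings properties of a configurationPolicy object are assumptions to adapt to your tenant.

```powershell
# Added example (not from the original article): import an exported settings catalog
# JSON template through Microsoft Graph instead of the portal's Import policy button.
# Assumes the Microsoft.Graph PowerShell SDK is installed and that the file is an export
# of a settings catalog policy (a deviceManagement/configurationPolicies object).
param(
    [string]$TemplatePath = '.\DeviceConfig-WIN-VDI-Optimization_2023-11-20.json',
    [string]$NewName      = 'WIN-VDI-Optimization'   # constructed name; follow your own convention
)

Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All' | Out-Null

$policy = Get-Content -Path $TemplatePath -Raw | ConvertFrom-Json

# Sanity checks before anything is created in the tenant.
if ($policy.platforms -notmatch 'windows10') {
    throw "Template targets platform '$($policy.platforms)', expected a Windows 10/11 settings catalog policy."
}
if (-not $policy.settings -or @($policy.settings).Count -eq 0) {
    throw 'Template contains no settings; refusing to create an empty policy.'
}

# Refuse to create a duplicate name, which would make later assignment reviews ambiguous.
# (Client-side filter on the first page of results; enough for a pre-flight check.)
$existing = Invoke-MgGraphRequest -Method GET `
    -Uri 'https://graph.microsoft.com/beta/deviceManagement/configurationPolicies?$select=id,name'
$clash = $existing.value | Where-Object { $_.name -eq $NewName }
if ($clash) {
    throw "A configuration policy named '$NewName' already exists (id $($clash[0].id))."
}

# Build the request body from the template, copying only the writable properties and
# leaving out service-assigned ones such as id and the timestamps (assumed property list).
$body = @{
    name         = $NewName
    description  = "Imported from $(Split-Path -Leaf $TemplatePath) on $(Get-Date -Format 'yyyy-MM-dd')"
    platforms    = $policy.platforms
    technologies = $policy.technologies
    settings     = $policy.settings
}
if ($policy.templateReference) { $body.templateReference = $policy.templateReference }

$created = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/beta/deviceManagement/configurationPolicies' `
    -Body ($body | ConvertTo-Json -Depth 50) -ContentType 'application/json'

Write-Host "Created policy '$($created.name)' with id $($created.id) and $($created.settingCount) settings."
Write-Host 'The policy has no assignments yet; assign it to a device group before it takes effect.'
```

The duplicate-name check and the platform check are there because a Graph import silently creates whatever you post: a second policy with the same name, or a policy for the wrong platform, shows up in the portal as just another entry and is easy to assign by mistake.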

Where is the option “gpupdate /force”?

Short answer: it is gone and it is not coming back. Without a hybrid-joined machine, Active Directory features like Group Policy objects are not available. Azure Active Directory joined machines are managed only by Intune configuration profiles.

However, there is a way to manually trigger a synchronization of the latest MDM settings from the client. Run the following commands in an elevated PowerShell session:

# Trigger the push-notification launch task and the OMA-DM client task
# that performs the actual policy sync with Intune.
Get-ScheduledTask | ? {$_.TaskName -eq "PushLaunch"} | Start-ScheduledTask
Get-ScheduledTask | ? {$_.TaskName -eq "Schedule to run OMADMClient by client"} | Start-ScheduledTask

As an administrator, you will find many scheduled tasks for the MDM synchronization under Microsoft > Windows > EnterpriseMgmt > GUID in the Task Scheduler. There you can also see at which times the sync runs automatically (tasks Schedule #1 to #3).
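To go one step beyond starting the two tasks, the following script is an added example (not code from the original article) that locates the EnterpriseMgmt enrollment folder, prints the automatic sync schedule from the Schedule #n tasks, starts the same two tasks the article lists, and then waits for the OMA-DM client task to finish so you can read its last result instead of guessing whether the sync ran. It assumes a single MDM enrollment on the device and an elevated session.

```powershell
# Added example (not from the original article): trigger an MDM sync from the client
# and report when the EnterpriseMgmt tasks last ran and with which result.
# Run in an elevated PowerShell session on the Intune-managed VM.

# The EnterpriseMgmt task folder is named after the enrollment GUID; a device with a
# single MDM enrollment has exactly one such folder (assumption for this example).
$enrollmentFolders = Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmt\*\' -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty TaskPath -Unique

if (-not $enrollmentFolders) {
    throw 'No EnterpriseMgmt task folder found: this device does not appear to be MDM-enrolled.'
}

$omaTask = 'Schedule to run OMADMClient by client'

foreach ($folder in $enrollmentFolders) {
    Write-Host "Enrollment task folder: $folder"

    # Show the automatic sync schedule: the tasks named "Schedule #1" to "#3" carry the triggers.
    Get-ScheduledTask -TaskPath $folder | Where-Object { $_.TaskName -like 'Schedule #*' } | ForEach-Object {
        $starts = ($_.Triggers | ForEach-Object { $_.StartBoundary }) -join ', '
        Write-Host ("  {0,-14} start boundary: {1}" -f $_.TaskName, $starts)
    }

    # Kick off the same two tasks the article lists, scoped to this enrollment folder.
    foreach ($name in @('PushLaunch', $omaTask)) {
        $task = Get-ScheduledTask -TaskPath $folder -TaskName $name -ErrorAction SilentlyContinue
        if ($null -eq $task) { Write-Warning "Task '$name' not found in $folder"; continue }
        Start-ScheduledTask -InputObject $task
    }

    # Wait (up to two minutes) for the OMA-DM client task to leave the Running state,
    # then report LastRunTime and LastTaskResult. 0 means the task ran successfully;
    # anything else is the cue to look at the DeviceManagement-Enterprise-Diagnostics-Provider event log.
    $deadline = (Get-Date).AddMinutes(2)
    do {
        Start-Sleep -Seconds 5
        $state = (Get-ScheduledTask -TaskPath $folder -TaskName $omaTask).State
    } while ($state -eq 'Running' -and (Get-Date) -lt $deadline)

    $info = Get-ScheduledTaskInfo -TaskPath $folder -TaskName $omaTask
    Write-Host ("  Last run: {0}  result: 0x{1:X}" -f $info.LastRunTime, $info.LastTaskResult)
}
```

If LastRunTime does not move after the script finishes, the task was started but the client could not reach Intune; the sync button in the portal will show the same stale check-in time in that case.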

If you want to perform synchronization from the Endpoint Manager / Intune administration panel, you can select your Windows 10/11 device and use the “Sync” button.

It takes some time for the last check-in time to be updated in the device overview table.

Troubleshooting

How to collect logs directly from the client

Windows 10/11 includes an MDM diagnostic tool called mdmdiagnosticstool.exe that collects all relevant information and log files from the client directly into a CAB, XML or ZIP file.

The commands can be run from CMD or PowerShell.

The output paths are examples and must be adapted to your environment.

This command creates a collection of all important log files, which in most cases is enough to solve the problem:

mdmdiagnosticstool.exe -out C:\Users\Public\Documents

Here is an example of the output:

The file MDMDiagReport.html gives a good overview of the MDM status and which policies are applied and which are not. It is comparable to the good old gpresult tool.

For deeper analysis, you can use this command to create a CAB file that contains additional event logs, TPM information, and more:

mdmdiagnosticstool.exe -area DeviceEnrollment;DeviceProvisioning;Autopilot -cab C:\Users\Public\Documents\MDMDiagReport.cab
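Because the output paths above are only examples, a small wrapper is what usually ends up in a support runbook. The following function is an added example (not code from the original article): it checks that the tool is present, writes both collections into a per-device, timestamped folder so that repeated runs do not overwrite each other, and returns the produced files. The root folder, the area list and the use of Start-Process to read the exit code are assumptions of this example.

```powershell
# Added example (not from the original article): collect both MDM diagnostic outputs
# into a per-device, timestamped folder. Run elevated; root path and areas are assumptions.
function New-MdmDiagBundle {
    param(
        [string]$Root    = 'C:\Users\Public\Documents\MdmDiag',
        [string[]]$Areas = @('DeviceEnrollment', 'DeviceProvisioning', 'Autopilot')
    )

    $tool = Join-Path $env:SystemRoot 'System32\mdmdiagnosticstool.exe'
    if (-not (Test-Path $tool)) { throw "mdmdiagnosticstool.exe not found at $tool" }

    # One folder per device and collection time, e.g. AVD-HOST-01_20231120-153000
    $outDir = Join-Path $Root ("{0}_{1}" -f $env:COMPUTERNAME, (Get-Date -Format 'yyyyMMdd-HHmmss'))
    New-Item -ItemType Directory -Path $outDir -Force | Out-Null

    # Quick HTML/XML report: the gpresult-like overview of which policies applied.
    $p = Start-Process -FilePath $tool -ArgumentList @('-out', "`"$outDir`"") -Wait -PassThru -NoNewWindow
    if ($p.ExitCode -ne 0) { Write-Warning "-out collection returned exit code $($p.ExitCode)" }

    # Deeper CAB with event logs, TPM and enrollment information for the selected areas.
    $cab = Join-Path $outDir 'MDMDiagReport.cab'
    $p = Start-Process -FilePath $tool -ArgumentList @('-area', ($Areas -join ';'), '-cab', "`"$cab`"") -Wait -PassThru -NoNewWindow
    if ($p.ExitCode -ne 0) { Write-Warning "-cab collection returned exit code $($p.ExitCode)" }

    $report = Join-Path $outDir 'MDMDiagReport.html'
    if (-not (Test-Path $report)) { Write-Warning "Expected $report was not produced; check the tool output above." }

    # Return the artefacts so the caller (or a remote collection script) can pick them up.
    Get-ChildItem -Path $outDir | Select-Object FullName, Length, LastWriteTime
}

New-MdmDiagBundle
```

The CAB contains event logs and enrollment details for the device, so treat the output folder like any other diagnostic dump: collect it, hand it to whoever is troubleshooting, and remove it from the shared Public folder afterwards.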

How to see applied configuration profiles in Intune

  1. Open the Microsoft Endpoint Manager admin center and sign in with your Intune Administrator account or another user who has sufficient permissions to configure Windows policies.
  2. Navigate to Devices > Windows and select the device you want to check.
  3. Open Device configuration and select the settings catalog policy.
  4. You will then get an overview of all settings and whether they were applied, failed or not applied. You can click on each setting to get more information, for example the error message.

The status “Not applicable” means that specific settings are not supported by the Windows version or edition running on the VM.

