Configure Azure Local HCI with AVD

Requirements (plan before you touch anything)

Platform & versions

• Azure Local (Azure Stack HCI) cluster at 23H2 or later and registered to Azure via Arc.

• Session-host OS options supported on Azure Local: Windows 11/10 Enterprise (single or multi-session), Windows Server 2019/2022/2025.

Identity

• For Azure Local, session hosts must be joined to Active Directory Domain Services (AD DS) (Entra hybrid-join is fine). Don’t mix join types in a host pool.

Licensing

• AVD access (per-user) + Windows entitlement for multi-session, FSLogix rights included with eligible Microsoft 365/Windows licenses. (See AVD/FSLogix prerequisite pages.)

Networking

• Stable DNS/NTP; routable VLAN(s) for management, storage, and VM/AVD traffic.

• Allow outbound AVD control plane traffic and enable RDP Shortpath (UDP) to session hosts (UDP 3390 by default).

User profiles

• Plan FSLogix Profile Containers (recommended); storage can be Azure Files (joined to AD DS) or SMB shares on your HCI file servers/SOFS.

GPU (optional)

• If you need graphics/AI acceleration, plan supported GPUs and (optionally) GPU-P/partitioning across hosts.

Build/validate the Azure Local (HCI) cluster

1. Hardware & BIOS
   Validate in the vendor catalog; enable virtualization, TPM/Secure-core as required.

2. Install Azure Local 23H2 on each node, then cluster and register to Azure (Arc). (If you’re labbing, Microsoft has a virtual deployment walkthrough.)

3. Networking/storage
   Configure your VLANs, DCB if using SMB Direct, create S2D pool and CSV(s) for VM storage.

Prepare identity & RBAC

1. AD DS
   Ensure domain controllers are reachable from the host VLANs. Create OU(s) and service groups for AVD hosts.

2. Entra Connect (optional but common)
   Sync AD to Microsoft Entra ID for user auth/assignment in AVD.

3. Azure RBAC
   Give your operators the necessary AVD roles (e.g., Desktop Virtualization Contributor) in the target subscription/resource group.

Prep networking for AVD & RDP Shortpath

1. Outbound to AVD services from session hosts (per Microsoft service tags).

2. Enable RDP Shortpath (managed/private networks):

   • Turn on the UDP listener on port 3390 (default) and allow inbound UDP 3390 to the session hosts; ensure client outbound UDP 3390.

   • Verify with Test-NetConnection <SessionHostFQDN> -Port 3390 -InformationLevel Detailed.

Create AVD core objects (Azure)

1. In the Azure portal, open Azure Virtual Desktop → Host pools → Create.

   • Choose pooled (multi-user) or personal.

   • Assign a managed identity to the host pool (newer model for session-host management).

2. Create Application group(s) (Desktop/RemoteApp) and a Workspace, then assign users/groups.

Note: Don’t mix session hosts on Azure and on Azure Local in the same host pool. Keep pools homogeneous. Azure Documentation

Deploy session-host VMs on Azure Local

1. Golden image

   • Use a supported image (e.g., Windows 11 Enterprise multi-session) fully patched and with your base apps/agents.

2. VM placement

   • Create the VMs on your HCI cluster (CSV storage) with the tenant/user VLAN.

   • Join to AD DS during/after provisioning (required on Azure Local).

3. Register session hosts to AVD

   • Install the AVD agent & bootloader, or use the Azure portal’s “Add session hosts” workflow pointing at Azure Local hosts.

4. GPO/baseline

   • Apply security baselines and policies for AVD (time zone redirection, screensaver, printer/clipboard if needed).

Configure FSLogix (profiles)

1. Install FSLogix on the image or via software deployment.

2. Create the profile share (Azure Files joined to AD, or on-prem SMB with proper NTFS/SMB permissions).

3. Set FSLogix GPOs (e.g., VHDLocations, Enabled=1, container size/type VHDX, exclusions).

4. Antivirus exclusions for FSLogix paths.

Enable/verify RDP Shortpath

• Ensure the session host firewall and network firewall allow UDP 3390 inbound; client side outbound UDP 3390.

• If you customize the port, update policy accordingly.

• Validate in production by checking connection properties/monitoring (Shortpath state).

Publish, test, and assign

1. Publish Desktop/Apps to the app group(s).

2. Assign users/groups to the app group.

3. Test with Windows App / web client from a representative client network.

Monitoring, updates, and operations

• Diagnostics & Log Analytics for AVD (enable diagnostic settings on host pools).

• Session host updating: use the host pool’s managed identity & modern session-host update workflow.

• Shortpath monitoring: watch UDP success rate; troubleshoot networking if you see TCP fallbacks.

Optional: GPUs on Azure Local for AVD

• Prepare GPUs on each host; confirm support; if sharing, configure GPU-P partitioning consistently across nodes (Azure CLI/WAC workflows).

• Attach partitions or passthrough GPUs to your session-host VMs; validate with tools

Quick command & policy pointers (drop-in)

• Test Shortpath reachability

  Test-NetConnection <SessionHostFQDN> -Port 3390 -InformationLevel Detailed
  

  Microsoft Learn

• FSLogix core reg/GPO keys (examples)

  • HKLM\SOFTWARE\FSLogix\Profiles\Enabled=1 (DWORD)

  • HKLM\SOFTWARE\FSLogix\Profiles\VHDLocations=\\fileserver\profiles
    (See Microsoft’s “Configure profile containers” for the full matrix.)

High-level flow you can follow in order

1. Build/validate HCI 23H2, Arc-register. Microsoft Learn

2. Prep AD DS + (optionally) Entra Connect + RBAC. Microsoft Learn

3. Open firewalls; enable/verify Shortpath (UDP 3390). Microsoft Learn

4. Create AVD host pool, app group, workspace (Azure). Microsoft Learn

5. Deploy session hosts on HCI (Win 11/10 multi-session), AD-join, install agents, register to host pool. Microsoft Learn

6. Configure FSLogix and storage. Microsoft Learn

7. Publish desktops/apps, assign users, test with Windows App. Microsoft Learn

8. Enable diagnostics/Insights; set up update rings; monitor Shortpath health. Microsoft Learn