Could you please make a video on how to configure Hello for Buissness in AVD? I have a hybrid avd env and I am accessing the avd from my local device, do I need to domain join my local device as well to use the hello for buisness auth for AVD ?
In a Hybrid environment you would setup Win Hello first then your VMs ONLY do a traditional domain join. There should be a GPO in AD that will do the Cloud join after. Once that is setup then your AVD users will need to setup WebAuthN to use windows Hello pass through in their AVD sessions
Yet 2 years on and they still haven't fixed the black screen issue at sign in. When you'll connect to the AVD and it will get stuck, loading the profile. Or you'll get disconnected and the AVD user profile will get stuck disconnected, again with the black screen issue.
Since you setup the Kerberos Auth...I assume you have a Hybrid Join environment? If that is the case...did you configure Azure AD Connect for Hybrid Join and do you have a Group policy configured for Hybrid and Single Sign On?
I hear ya Paul. Remember how I said a ton of work went into windows to make this so easy…to do that workin win 10…let’s just say I will not hold my breath but many have commented asking for it…so I will go to the PG and push for it, just for you! ☺️
Hi Paul, I’m David and I own this feature on the Azure Virtual Desktop team. Thanks for the feedback and interest. Stay tuned for Windows 10, it's coming.
Hi, and congratulations for your channel! I've one question about performance and compatibility of Windows 11 vs Windows 10 in AVD environment. Actually I use only 21h2 Windows 10, is Windows 11 more heavy? Thanks!
Hi Rob, I’m David and I own this feature on the Azure Virtual Desktop team. You're welcome from the product group side 🙂 Feel free to leave feedback on the forum post at after giving it a try: techcommunity.microsoft.com/t5/azure-virtual-desktop/insider-preview-single-sign-on-and-passwordless-authentication/m-p/3608842
Hi Milos, I’m David and I own this feature on the Azure Virtual Desktop team. The official announcement was just posted on our Azure Virtual Desktop Forum. Windows 10 support is in progress but needs a Windows update. Stay tuned. techcommunity.microsoft.com/t5/azure-virtual-desktop/insider-preview-single-sign-on-and-passwordless-authentication/m-p/3608842
Hi Dean, loving the videos and tutorials. But for once i hit a road block. We have on-prem AD joined AVD session hosts. AVD with Windows 10 22h2 multi session. AVD session hosts are synced and hybrid azure ad joined. We have Created the ADKerberosServer object in on-prem AD. We enabled the sso aad option in rdp properties. Even disabled mfa. Added VM user login role. User is not in domain admin group. We use latest AVD/RD client but no SSO , we get a verification/authentication error. Also we cannot logon via web client anymore , we have to disable the aad sso rdp property so we can login again.
I haven’t run into that issue but sounds like you aren’t getting the Kerberos auth. Check the AD computer object for Azure AD Kerberos, verify that it is working properly
Thanks for watching! This solution Works with Azure AD Joined and Hybrid Joined VMs. Traditional AD joined needs my ADFS solution And Azure AD Domain Services joined does not now and will not support single sign on
Any idea if / when will be possible to log in with AAD from MacOs e.g. with fingerprint? Currently, this new Remote Desktop client is only allowing to log in with login name and password and only option to log in is to use Windows 11 with virtual TPM ( and it's not working perfectly... sometimes it's working, sometimes not 😔)
Are you asking when will the MAC client support Azure AD Join Single Sign on??? Not sure. Windows client is the only one today that supports this…but I know support for other clients is being worked on
Hi Mike, I’m David and I own this feature on the Azure Virtual Desktop team. Windows 10 support is in progress and will need a Windows update. Stay tuned.
It’s gunna be great! Updating host and updating images are 2 different things. For the image I would use Azure Image Builder to automate the whole process…makes it SO easy!
this is excellent news! hopefully support for other builds of Windows 10/11 will be available soon as well. I remember for anyone that is a Nerdio user the now legacy NFA product would deploy an ADFS proxy server to handle the double login.
Hello Dean, I have trouble now to deploy usual AVD Azure AD Join : Login failed RDP argument "targetisaadjoined" does not work and "enablerdsaadauth" does fix it the Azure AD user login :( Do you have idea good idea ? Thanks,
I assume you have BOTH of those RDP Properties set targetisaadjoined:i:1 & enablerdsaadauth:i:1 do you ALSO have the RBAC permissions set to allow Virtual Machine login?
@@AzureAcademy Yep. Even in the Microsoft Doc, targetisaadjoined argument RDP Properties is not anymore listed. Azure Portal does not allow targetisaadjoined but Powershell cmd still does :)
Is there a way for split brain domain customers to take advantage of this? When you have mismatched domain names ( one domain name for internal and one for Azure) you always get a pop up box to sign in no matter what type of SSON you try to use. Once you put in the domain name that matches your azure tennant at least you dont have to enter in the password. However, total SSON with no pop up would be great. Love the chanel! Do you have a slack or other chat group?
Thanks for watching and the question! Because the domain names are different true SSO would not be able to work. The domain name uses something called home realm discovery, which looks up the name and sees what services like SSO are enabled. If it can’t find it or read the services because it isn’t registered with Azure it prompts for creds. I do not currently have a discord or slack…not enough hours in the day…BUT if I am able to go full time RU-vidr then I would add lots of services ☺️one day soon I hope!
@@AzureAcademy In my case it's because i followed MS practice many years to have your on prem domain be .local. So mad at them for that. I wish Azure could say if its coming from trusted domain x.x.x.x its already syncing with AD then yeah, .internal is cool and replace it on the azure side.
Yeah…at the time it was a good security practice to segment your internet presence from your on prem But the cloud changed to many things…now we want to extend on prem to the cloud…and that requires a single domain name, and .local just doesn’t do it. I know how it feels to make this change I have had to do it myself and with many customers…it’s a pain but it does give you benefits like SSO
Hi Dean, can this be used on a non AAD or domain joined client? I want to use a Windows 10 IoT thin client running with a kiosk account and using the Remote Desktop Client, subscribe to my resources but when opening a desktop or application remove the second Windows Security prompt. Should that be possible with what you have described in the video? Thanks in advance 👍
This feature is only for Azure AD joined hosts There is another single sign on method using ADFS see here 👉 ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-_VOEi0cMBvQ.html
@@AzureAcademy Hi Dean, thanks for the prompt reply. So does the ADFS method work with non domain joined hosts, which would be ideal for a kiosk way of working. Just confirming before going down that route and setting up as I had read some comments from people complaining having to use ADFS as saw is as outdated. Many thanks and great content as always. 👍
No, SSO requires some kind of Join ADFS requires domain join. Azure AD SSO requires AADJoin or hybrid AVD requires some kind of join option in general And there is no SSO log in support for RDP without some kind of join
You do not mention needing Azure Active Directory Domain Services. does AVD still require AD DS? Also, have you done a video regarding Azure Netapp files? I am the under the assumption that ANF does not require AD DS. What are your thoughts? Thank you for your hard work.
Thanks for watching! Azure AD Domain Services does not work with ANY Single Sign On method. AVD Does NOT require Active Directory. You can implement Azure AD Join for your VMs, which means you only need Azure AD Azure NetApp Files does NOT require Active Directory but it does make things easier. Here is my video on ANF - Happy Learning! 👉ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-bswIbTB62mY.html
@@AzureAcademy Hi, the problem is that we cannot go full AZure AD join as we are using azure file shares with Azure AD Domain Services for security. there is no support for Azure AD to setup security at the moment for Azure file share or is there a solution?
Yes I've set Windows 11 version 22H2 Enterprise multi-session, had rdp properties set under advanced with enablerdsaadauth:i:1. I also created kerberos object as well. When on RDP client, I select the desktop and it still prompting for a password. Greatly appreciated with you can guide me what I did wrong.
Just so I’m asking the question right, I mean window machines not AVD session that are HaDJ. Have client in this state currently but wanting to go full cloud with AADJ away from HAADJ.
This feature for so you can connect to your AVD session hosts with SSO. As for AADJ or Hybrid Join outside of AVD...not sure, I haven't had a chance to try it. but the Hybrid / Azure AD Kerberos PowerShell scripts I was showing are for general use...so try it and please let me know!
