Commit 0f708fe

Fixing numbering, alignment and adding links
1 parent 1571067 commit 0f708fe

2 files changed: +51 -34 lines changed

articles/virtual-desktop/configure-rdp-shortpath.md

Lines changed: 36 additions & 31 deletions
@@ -20,8 +20,11 @@ Before you can enable RDP Shortpath, you'll need to meet the prerequisites. Sele
2020
# [Managed networks](#tab/managed-networks)
2121

2222
- A client device running the [Remote Desktop client for Windows](users/connect-windows.md), version 1.2.3488 or later. Currently, non-Windows clients aren't supported.
23+
2324
- Direct line of sight connectivity between the client and the session host. Having direct line of sight connectivity means that the client can connect directly to the session host on port 3390 (default) without being blocked by firewalls (including the Windows Firewall) or Network Security Group, and using a managed network such as:
25+
2426
- [ExpressRoute private peering](../expressroute/expressroute-circuit-peerings.md).
27+
2528
- Site-to-site or Point-to-site VPN (IPsec), such as [Azure VPN Gateway](../vpn-gateway/vpn-gateway-about-vpngateways.md).
2629

2730
# [Public networks](#tab/public-networks)
@@ -30,8 +33,13 @@ Before you can enable RDP Shortpath, you'll need to meet the prerequisites. Sele
3033
> RDP Shortpath for public networks with STUN or TURN will work automatically without any additional configuration, providing networks and firewalls allow the traffic through and RDP transport settings in the Windows operating system for session hosts and clients are using their default values. The steps to configure RDP Shortpath for public networks are provided for session hosts and clients in case these defaults have been changed.
3134
3235
- A client device running the [Remote Desktop client for Windows](users/connect-windows.md), version 1.2.3488 or later. Currently, non-Windows clients aren't supported.
33-
- Internet access for both clients and session hosts. Session hosts require outbound UDP connectivity from your session hosts to the internet or connections to STUN and TURN servers. To reduce the number of ports required, you can [limit the port range used by clients for public networks](configure-rdp-shortpath-limit-ports-public-networks.md). RDP Shortpath doesn't support Symmetric NAT. For more information you can use to configure firewalls and Network Security Groups, see [Network configurations for RDP Shortpath](rdp-shortpath.md?tabs=public-networks#network-configuration).
36+
37+
- Internet access for both clients and session hosts. Session hosts require outbound UDP connectivity from your session hosts to the internet or connections to STUN and TURN servers. To reduce the number of ports required, you can [limit the port range used by clients for public networks](configure-rdp-shortpath-limit-ports-public-networks.md).
38+
39+
RDP Shortpath doesn't support Symmetric NAT. For more information you can use to configure firewalls and Network Security Groups, see [Network configurations for RDP Shortpath](rdp-shortpath.md?tabs=public-networks#network-configuration).
40+
3441
- Check your client can connect to the STUN and TURN endpoints and verify that basic UDP functionality works by running the executable `avdnettest.exe`. For steps of how to do this, see [Verifying STUN/TURN server connectivity and NAT type](troubleshoot-rdp-shortpath.md#verifying-stunturn-server-connectivity-and-nat-type).
42+
3543
- To use TURN, the connection from the client must be within a supported location. For a list of Azure regions that TURN is available, see [supported Azure regions with TURN availability](rdp-shortpath.md#turn-availability-preview).
3644

3745
> [!IMPORTANT]
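Review bot: lines 36-37 add two consecutive blank lines before the "Internet access" bullet where one is enough, and the Symmetric NAT sentence split out at line 39 has to be indented under that bullet, otherwise it closes the list and the "Check your client can connect…" item at line 41 starts a new one. While this bullet is being touched, "Session hosts require outbound UDP connectivity from your session hosts to the internet" repeats its subject and could read "Session hosts require outbound UDP connectivity to the internet or to the STUN and TURN servers".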
@@ -51,14 +59,12 @@ To enable RDP Shortpath for managed networks, you need to enable the RDP Shortpa
5159

5260
1. Download the [Azure Virtual Desktop administrative template](https://aka.ms/avdgpo) and extract the contents of the .cab file and .zip archive.
5361

54-
1. Depending on whether you want to configure Group Policy centrally from your domain, or locally for each session host:
55-
56-
**AD Domain**:
57-
1. Copy and paste the **terminalserver-avd.admx** file to the Central Store for your domain, for example `\\contoso.com\SYSVOL\contoso.com\policies\PolicyDefinitions`, where *contoso.com* is your domain name. Then copy the **en-us\terminalserver-avd.adml** file to the `en-us` subfolder.
62+
1. Depending on whether you want to configure Group Policy centrally from your AD domain, or locally for each session host:
63+
64+
1. **AD Domain**: Copy and paste the **terminalserver-avd.admx** file to the Central Store for your domain, for example `\\contoso.com\SYSVOL\contoso.com\policies\PolicyDefinitions`, where *contoso.com* is your domain name. Then copy the **en-us\terminalserver-avd.adml** file to the `en-us` subfolder.
5865
1. Open the **Group Policy Management Console** (GPMC) and create or edit a policy that targets your session hosts.
5966

60-
**Locally**:
61-
1. Copy and paste the **terminalserver-avd.admx** file to `%windir%\PolicyDefinitions`. Then copy the **en-us\terminalserver-avd.adml** file to the `en-us` subfolder.
67+
1. **Locally**: Copy and paste the **terminalserver-avd.admx** file to `%windir%\PolicyDefinitions`. Then copy the **en-us\terminalserver-avd.adml** file to the `en-us` subfolder.
6268
1. Open the **Local Group Policy Editor** on the session host.
6369

6470
1. Browse to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Remote Desktop Services** > **Remote Desktop Session Host** > **Azure Virtual Desktop**. You should see policy settings for Azure Virtual Desktop, as shown in the following screenshot:
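Review bot: at lines 64-67 the option label is now merged into the first action ("1. **AD Domain**: Copy and paste…", "1. **Locally**: Copy and paste…") while the follow-on "1. Open the **Group Policy Management Console**" and "1. Open the **Local Group Policy Editor**" remain separate items, so unless those Open steps are indented one level deeper the sub-list renders as four sequential steps instead of two alternatives. Either nest each Open step under its option or fold it into the same item, so a reader following the local path is not told to also write to the domain Central Store.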
@@ -67,10 +73,9 @@ To enable RDP Shortpath for managed networks, you need to enable the RDP Shortpa
6773

6874
1. Open the policy setting **Enable RDP Shortpath for managed networks** and set it to **Enabled**. If you enable this policy setting, you can also configure the port number that Azure Virtual Desktop session hosts will use to listen for incoming connections. The default port is **3390**.
6975

70-
1. If you need to configure Windows Firewall to allow port 3390, run one of the following commands, depending on whether you want to configure Windows Firewall using Group Policy centrally from your domain, or locally for each session host:
76+
1. If you need to configure Windows Firewall to allow port 3390, run one of the following commands, depending on whether you want to configure Windows Firewall using Group Policy centrally from your AD domain, or locally for each session host:
7177

72-
**AD Domain**:
73-
1. Open an elevated PowerShell prompt and run the following command, replacing the value for `$domainName` with your own domain name, the value for `$writableDC` with the hostname of a writeable domain controller, and the value for `$policyName` with the name of an existing Group Policy Object:
78+
1. **AD Domain**: Open an elevated PowerShell prompt and run the following command, replacing the value for `$domainName` with your own domain name, the value for `$writableDC` with the hostname of a writeable domain controller, and the value for `$policyName` with the name of an existing Group Policy Object:
7479

7580
```powershell
7681
$domainName = "contoso.com"
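Review bot: the reworded step at line 76 still says "allow port 3390", but the step just before it (line 74) tells the reader the listener port is configurable and 3390 is only the default. Suggest "allow the port you configured (3390 by default)" and a reminder to change the port in the commands to match, so a host with a non-default port doesn't end up with a firewall rule open on 3390 and the real listener port still blocked.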
@@ -83,8 +88,7 @@ To enable RDP Shortpath for managed networks, you need to enable the RDP Shortpa
8388
Save-NetGPO -GPOSession $gpoSession
8489
```
8590
86-
**Locally**:
87-
1. Open an elevated PowerShell prompt and run the following command:
91+
1. **Locally**: Open an elevated PowerShell prompt and run the following command:
8892
8993
```powershell
9094
New-NetFirewallRule -DisplayName 'Remote Desktop - RDP Shortpath (UDP-In)' -Action Allow -Description 'Inbound rule for the Remote Desktop service to allow RDP Shortpath traffic. [UDP 3390]' -Group '@FirewallAPI.dll,-28752' -Name 'RemoteDesktop-UserMode-In-RDPShortpath-UDP' -PolicyStore PersistentStore -Profile Domain, Private -Service TermService -Protocol UDP -LocalPort 3390 -Program '%SystemRoot%\system32\svchost.exe' -Enabled:True
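Review bot: the new "1. **Locally**:" step at line 91 introduces the command without saying what it opens, and the unchanged rule below it is scoped with `-Profile Domain, Private`, `-Service TermService` and `-LocalPort 3390`. A short sentence stating that the rule allows inbound UDP 3390 to the Remote Desktop service on the Domain and Private profiles only would help readers verify the result and discourage widening it to all profiles when a connection fails.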
@@ -96,13 +100,11 @@ To enable RDP Shortpath for managed networks, you need to enable the RDP Shortpa
96100
97101
If you need to configure session hosts and clients to enable RDP Shortpath for public networks because their default settings have been changed, follow these steps. You can do this using Group Policy, either centrally from your domain for session hosts that are joined to an Active Directory (AD) domain, or locally for session hosts that are joined to Azure Active Directory (Azure AD).
98102
99-
1. Depending on whether you want to configure Group Policy centrally from your domain, or locally for each session host:
100-
101-
**AD Domain**:
102-
1. Open the **Group Policy Management Console** (GPMC) and create or edit a policy that targets your session hosts.
103+
1. Depending on whether you want to configure Group Policy centrally from your AD domain, or locally for each session host:
104+
105+
1. **AD Domain**: Open the **Group Policy Management Console** (GPMC) and create or edit a policy that targets your session hosts.
103106
104-
**Locally**:
105-
1. Open the **Local Group Policy Editor** on the session host.
107+
1. **Locally**: Open the **Local Group Policy Editor** on the session host.
106108
107109
1. Browse to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Remote Desktop Services** > **Remote Desktop Session Host** > **Connections**.
108110
@@ -124,7 +126,9 @@ The steps to ensure your clients are configured correctly are the same regardles
124126
To configure managed and unmanaged Windows clients using Group Policy:
125127
126128
1. Depending on whether you want to configure managed or unmanaged clients:
129+
127130
1. For managed clients, open the **Group Policy Management Console** (GPMC) and create or edit a policy that targets your clients.
131+
128132
1. For unmanaged clients, open the **Local Group Policy Editor** on the client.
129133
130134
1. Browse to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Remote Desktop Services** > **Remote Desktop Connection Client**.
@@ -139,7 +143,7 @@ To configure managed Windows clients using Intune:
139143
140144
1. Sign in to the [Endpoint Manager admin center](https://endpoint.microsoft.com/).
141145
142-
1. Create or edit a configuration profile for **Windows 10 and later** devices, using Administrative templates.
146+
1. [Create or edit a configuration profile](/mem/intune/configuration/administrative-templates-windows) for **Windows 10 and later** devices, using Administrative templates.
143147
144148
1. Browse to **Windows Components** > **Remote Desktop Services** > **Remote Desktop Connection Client**.
145149
@@ -213,8 +217,11 @@ If you're using [Azure Log Analytics](./diagnostics-log-analytics.md), you can m
213217
The possible values are:
214218

215219
- **1** - The user connection is using RDP Shortpath for managed networks.
220+
216221
- **2** - The user connection is using RDP Shortpath for public networks directly using STUN.
222+
217223
- **4** - The user connection is using RDP Shortpath for public networks indirectly using TURN.
224+
218225
- For any other value, the user connection isn't using RDP Shortpath and is connected using TCP.
219226

220227
The following query lets you review connection information. You can run this query in the [Log Analytics query editor](../azure-monitor/logs/log-analytics-tutorial.md#write-a-query). For each query, replace `[email protected]` with the UPN of the user you want to look up.
@@ -254,12 +261,10 @@ To disable RDP Shortpath for managed networks on your session hosts, you need to
254261
Alternatively, you can block port **3390** (default) to your session hosts on a firewall or Network Security Group.
255262

256263
1. Depending on whether you want to configure Group Policy centrally from your domain, or locally for each session host:
257-
258-
**AD Domain**:
259-
1. Open the **Group Policy Management Console** (GPMC) and edit the existing policy that targets your session hosts.
260264

261-
**Locally**:
262-
1. Open the **Local Group Policy Editor** on the session host.
265+
1. **AD Domain**: Open the **Group Policy Management Console** (GPMC) and edit the existing policy that targets your session hosts.
266+
267+
1. **Locally**: Open the **Local Group Policy Editor** on the session host.
263268

264269
1. Browse to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Remote Desktop Services** > **Remote Desktop Session Host** > **Azure Virtual Desktop**. You should see policy settings for Azure Virtual Desktop providing you have the administrative template from when you enabled RDP Shortpath for managed networks.
265270

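Review bot: line 263 still reads "centrally from your domain" although this commit changes the same sentence to "your AD domain" in the enable sections (lines 62, 76 and 103). Update it here, and in the matching sentence at line 284 of the next hunk, so the enable and disable procedures use the same wording.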
@@ -277,12 +282,10 @@ To disable RDP Shortpath for public networks on your session hosts, you can set
277282
Alternatively, if you want to disable RDP Shortpath for public networks only, you'll need to block access to the STUN endpoints on a firewall or Network Security Group. The IP addresses for the STUN endpoints can be found in the table for [Session host virtual network](rdp-shortpath.md#session-host-virtual-network).
278283

279284
1. Depending on whether you want to configure Group Policy centrally from your domain, or locally for each session host:
280-
281-
**AD Domain**:
282-
1. Open the **Group Policy Management Console** (GPMC) and edit the existing policy that targets your session hosts.
283285

284-
**Locally**:
285-
1. Open the **Local Group Policy Editor** on the session host.
286+
1. **AD Domain**: Open the **Group Policy Management Console** (GPMC) and edit the existing policy that targets your session hosts.
287+
288+
1. **Locally**: Open the **Local Group Policy Editor** on the session host.
286289

287290
1. Browse to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Remote Desktop Services** > **Remote Desktop Session Host** > **Connections**.
288291

@@ -298,13 +301,15 @@ On client devices, you can disable RDP Shortpath for managed networks and public
298301

299302
> [!IMPORTANT]
300303
> If you have previously set RDP traffic to attempt to use both TCP and UDP protocols using Group Policy or Intune, ensure the settings don't conflict.
301-
>
304+
302305
#### Disable RDP Shortpath on managed and unmanaged Windows clients using Group Policy
303306

304307
To configure managed and unmanaged Windows clients using Group Policy:
305308

306309
1. Depending on whether you want to configure managed or unmanaged clients:
310+
307311
1. For managed clients, open the **Group Policy Management Console** (GPMC) and create or edit a policy that targets your clients.
312+
308313
1. For unmanaged clients, open the **Local Group Policy Editor** on the client.
309314

310315
1. Browse to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Remote Desktop Services** > **Remote Desktop Connection Client**.
@@ -319,7 +324,7 @@ To configure managed Windows clients using Intune:
319324

320325
1. Sign in to the [Endpoint Manager admin center](https://endpoint.microsoft.com/).
321326

322-
1. Create or edit a configuration profile for **Windows 10 and later** devices, using Administrative templates.
327+
1. [Create or edit a configuration profile](/mem/intune/configuration/administrative-templates-windows) for **Windows 10 and later** devices, using Administrative templates.
323328

324329
1. Browse to **Windows Components** > **Remote Desktop Services** > **Remote Desktop Connection Client**.
325330

articles/virtual-desktop/rdp-shortpath.md

Lines changed: 15 additions & 3 deletions
Original file line numberDiff line numberDiff line change

@@ -34,9 +34,13 @@ The transport used for RDP Shortpath is based on the [Universal Rate Control Pro
3434
Using RDP Shortpath has the following key benefits:
3535

3636
- Using URCP to enhance UDP achieves the best performance by dynamically learning network parameters and providing the protocol with a rate control mechanism.
37+
3738
- The removal of extra relay points reduces round-trip time, which improves connection reliability and user experience with latency-sensitive applications and input methods.
39+
3840
- In addition, for managed networks:
41+
3942
- RDP Shortpath brings support for configuring Quality of Service (QoS) priority for RDP connections through Differentiated Services Code Point (DSCP) marks.
43+
4044
- The RDP Shortpath transport allows limiting outbound network traffic by specifying a throttle rate for each session.
4145

4246
## How RDP Shortpath works
@@ -45,13 +49,16 @@ To learn how RDP Shortpath works for managed networks and public networks, selec
4549

4650
# [Managed networks](#tab/managed-networks)
4751

48-
You can achieve the direct line of sight connectivity required to use RDP Shortpath with managed networks using the following methods. Having direct line of sight connectivity means that the client can connect directly to the session host without being blocked by firewalls.
52+
You can achieve the direct line of sight connectivity required to use RDP Shortpath with managed networks using the following methods.
4953

5054
- [ExpressRoute private peering](../expressroute/expressroute-circuit-peerings.md)
55+
5156
- Site-to-site or Point-to-site VPN (IPsec), such as [Azure VPN Gateway](../vpn-gateway/vpn-gateway-about-vpngateways.md)
5257

58+
Having direct line of sight connectivity means that the client can connect directly to the session host without being blocked by firewalls.
59+
5360
> [!NOTE]
54-
> - If you're using other VPN types to connect to Azure, we recommend using a UDP-based VPN. While most TCP-based VPN solutions support nested UDP, they add inherited overhead of TCP congestion control, which slows down RDP performance.
61+
> If you're using other VPN types to connect to Azure, we recommend using a UDP-based VPN. While most TCP-based VPN solutions support nested UDP, they add inherited overhead of TCP congestion control, which slows down RDP performance.
5562
5663
To use RDP Shortpath for managed networks, you must enable a UDP listener on your session hosts. By default, port **3390** is used, although you can use a different port.
5764

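Review bot: the sentence moved to line 58 defines direct line of sight only as "without being blocked by firewalls", while configure-rdp-shortpath.md in this same commit defines it as connecting "on port 3390 (default) without being blocked by firewalls (including the Windows Firewall) or Network Security Group". Align the two definitions, since an NSG or the host firewall is a likely blocker, and consider keeping the definition ahead of the list so the term is explained before the methods that provide it.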
@@ -132,7 +139,7 @@ All connections begin by establishing a TCP-based [reverse connect transport](ne
132139

133140
1. After RDP establishes the RDP Shortpath transport, all Dynamic Virtual Channels (DVCs), including remote graphics, input, and device redirection move to the new transport.
134141

135-
If your users have both RDP Shortpath for managed network and public networks available to them, then the first-found algorithm will be used. The user will use whichever connection gets established first for that session.
142+
If your users have both RDP Shortpath for managed network and public networks available to them, then the first-found algorithm will be used, meaning that the user will use whichever connection gets established first for that session. For more information, see [example scenario 4](#scenario-4-3).
136143

137144
> [!IMPORTANT]
138145
> When using a TCP-based transport, outbound traffic from session host to client is through the Azure Virtual Desktop Gateway. With RDP Shortpath for public networks using STUN, outbound traffic is established directly between session host and client over the internet. This removes a hop which improves latency and end user experience. However, due to the changes in data flow between session host and client where the Gateway is no longer used, there will be standard [Azure egress network charges](https://azure.microsoft.com/pricing/details/bandwidth/) billed in addition per subscription for the internet bandwidth consumed. To learn more about estimating the bandwidth used by RDP, see [RDP bandwidth requirements](rdp-bandwidth.md).
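Review bot: the link added at line 142 targets `#scenario-4-3`, which looks like an auto-generated anchor with a duplicate-heading suffix; it will silently point at a different scenario if headings are added or reordered. Prefer an explicit anchor on the intended heading, and fix "managed network and public networks" to "managed networks and public networks" in the same sentence.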
@@ -202,10 +209,15 @@ To improve the chances of a direct connection, on the side of the Remote Desktop
202209
Here are some general recommendations when using RDP Shortpath for public networks:
203210

204211
- Avoid using force tunneling configurations if your users access Azure Virtual Desktop over the Internet.
212+
205213
- Make sure you aren't using double NAT or Carrier-Grade-NAT (CGN) configurations.
214+
206215
- Recommend to your users that they don't disable UPnP on their home routers.
216+
207217
- Avoid using cloud packet-inspection Services.
218+
208219
- Avoid using TCP-based VPN solutions.
220+
209221
- Enable IPv6 connectivity or Teredo.
210222

211223
---
