articles/virtual-desktop/deploy-azure-ad-joined-vm.md
11 additions & 12 deletions
@@ -7,7 +7,7 @@ manager: lizross
7
7
8
8
ms.service: virtual-desktop
9
9
ms.topic: how-to
10
-
ms.date: 01/24/2022
10
+
ms.date: 04/11/2022
11
11
ms.author: helohr
12
12
---
13
13
@@ -22,32 +22,31 @@ The following configurations are currently supported with Azure AD-joined VMs:
22
22
- Personal desktops with local user profiles.
23
23
- Pooled desktops used as a jump box. In this configuration, users first access the Azure Virtual Desktop VM before connecting to a different PC on the network. Users shouldn't save data on the VM.
24
24
- Pooled desktops or apps where users don't need to save data on the VM. For example, for applications that save data online or connect to a remote database.
25
+
- Personal or pooled desktops with FSLogix user profiles with synced users from Active Directory.
25
26
26
-
User accounts can be cloud-only or hybrid users from the same Azure AD tenant.
27
+
User accounts can be cloud-only or synced users from the same Azure AD tenant.
27
28
28
29
## Known limitations
29
30
30
31
The following known limitations may impact access to your on-premises or Active Directory domain-joined resources and should be considered when deciding whether Azure AD-joined VMs are right for your environment. We currently recommend Azure AD-joined VMs for scenarios where users only need access to cloud-based resources or Azure AD-based authentication.
31
32
32
33
- Azure Virtual Desktop (classic) doesn't support Azure AD-joined VMs.
33
34
- Azure AD-joined VMs don't currently support external users.
34
-
- Azure AD-joined VMs only supports local user profiles at this time.
35
-
- Azure AD-joined VMs can't access Azure Files file shares for FSLogix or MSIX app attach. You'll need Kerberos authentication to access either of these features.
35
+
- Azure AD-joined VMs can only access Azure Files file shares for synced users using Azure AD Kerberos.
36
36
- The Windows Store client doesn't currently support Azure AD-joined VMs.
37
37
- Azure Virtual Desktop doesn't currently support single sign-on for Azure AD-joined VMs.
38
38
39
39
## Deploy Azure AD-joined VMs
40
40
41
-
You can deploy Azure AD-joined VMs directly from the Azure portal when you [create a new host pool](create-host-pools-azure-marketplace.md) or [expand an existing host pool](expand-existing-host-pool.md). To deploy an Azure AD-joined VM, open the **Virtual Machines** tab, then select whether to join the VM to Active Directory or Azure Active Directory. Selecting **Azure Active Directory** gives you the option to enroll VMs with Intune automatically, which lets you easily manage [Windows 10 Enterprise](/mem/intune/fundamentals/windows-virtual-desktop) and [Windows 10 Enterprise multi-session](/mem/intune/fundamentals/windows-virtual-desktop-multi-session) VMs. Keep in mind that the Azure Active Directory option will only join VMs to the same Azure AD tenant as the subscription you're in.
41
+
You can deploy Azure AD-joined VMs directly from the Azure portal when you [create a new host pool](create-host-pools-azure-marketplace.md) or [expand an existing host pool](expand-existing-host-pool.md). To deploy an Azure AD-joined VM, open the **Virtual Machines** tab, then select whether to join the VM to Active Directory or Azure Active Directory. Selecting **Azure Active Directory** gives you the option to enroll VMs with Intune automatically, which lets you easily [manage your session hosts](management.md). Keep in mind that the Azure Active Directory option will only join VMs to the same Azure AD tenant as the subscription you're in.
42
42
43
43
> [!NOTE]
44
-
> - Host pools should only contain VMs of the same domain join type. For example, AD-joined VMs should only be with other AD VMs, and vice-versa.
45
-
> - The host pool VMs must be Windows 10 single-session or multi-session, version 2004 or later.
46
-
> - Managing Azure Virtual Desktop session hosts using Microsoft Endpoint Manager (Intune) is currently only supported in the Azure Public cloud.
44
+
> - Host pools should only contain VMs of the same domain join type. For example, Azure AD-joined VMs should only be with other Azure AD VMs, and vice-versa.
45
+
> - The host pool VMs must be Windows 11 or Windows 10 single-session or multi-session, version 2004 or later.
47
46
48
47
### Assign user access to host pools
49
48
50
-
After you've created your host pool, you must assign users access to let them access their resources. To grant access to resources, add each user to the app group. Follow the instructions in [Manage app groups](manage-app-groups.md) to assign user access to apps and desktops. We recommend that you use user groups instead of individual users wherever possible.
49
+
After you've created your host pool, you must assign users access to their resources. To grant access to resources, add each user to the app group. Follow the instructions in [Manage app groups](manage-app-groups.md) to assign user access to apps and desktops. We recommend that you use user groups instead of individual users wherever possible.
51
50
52
51
For Azure AD-joined VMs, you'll need to do two extra things on top of the requirements for Active Directory or Azure Active Directory Domain Services-based deployments:
53
52
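Review bot: the NOTE bullet stating that managing session hosts with Microsoft Endpoint Manager (Intune) is only supported in the Azure Public cloud is deleted with nothing replacing it, while the paragraph just above still says Intune enrollment "lets you easily [manage your session hosts](management.md)". If the restriction has been lifted, say so in this hunk; if it only moved to management.md, keep a one-line pointer here, otherwise a reader in a sovereign cloud will assume the same behaviour. Two smaller points in the same hunk: the rewritten limitation "Azure AD-joined VMs can only access Azure Files file shares for synced users using Azure AD Kerberos" drops the MSIX app attach half of the old bullet, so it is no longer clear whether app attach from Azure Files now works for synced users or is still unsupported; and the new supported-configuration bullet "Personal or pooled desktops with FSLogix user profiles with synced users from Active Directory" would read better as "Personal or pooled desktops with FSLogix user profiles for users synced from Active Directory", with "synced users" defined once on the page (users synchronized from on-premises Active Directory) since the term is now used in several places.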
@@ -62,11 +61,11 @@ This section explains how to access Azure AD-joined VMs from different Azure Vir
62
61
63
62
### Connect using the Windows Desktop client
64
63
65
-
The default configuration supports connections from Windows 10 using the [Windows Desktop client](user-documentation/connect-windows-7-10.md). You can use your credentials, smart card, [Windows Hello for Business certificate trust](/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust) or [Windows Hello for Business key trust with certificates](/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs) to sign in to the session host. However, to access the session host, your local PC must meet one of the following conditions:
64
+
The default configuration supports connections from Windows 11 or Windows 10 using the [Windows Desktop client](user-documentation/connect-windows-7-10.md). You can use your credentials, smart card, [Windows Hello for Business certificate trust](/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust) or [Windows Hello for Business key trust with certificates](/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs) to sign in to the session host. However, to access the session host, your local PC must meet one of the following conditions:
66
65
67
66
- The local PC is Azure AD-joined to the same Azure AD tenant as the session host
68
67
- The local PC is hybrid Azure AD-joined to the same Azure AD tenant as the session host
69
-
- The local PC is running Windows 10, version 2004 and later, and is Azure AD registered to the same Azure AD tenant as the session host
68
+
- The local PC is running Windows 11 or Windows 10, version 2004 or later, and is Azure AD registered to the same Azure AD tenant as the session host
70
69
71
70
To enable access from Windows devices not joined to Azure AD, add **targetisaadjoined:i:1** as a [custom RDP property](customize-rdp-properties.md) to the host pool. These connections are restricted to entering user name and password credentials when signing in to the session host.
72
71
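Review bot: "Windows 11 or Windows 10, version 2004 or later" (both in the intro sentence and in the third bullet) leaves it ambiguous whether the version floor is meant to apply to Windows 11 as well; write "Windows 11, or Windows 10 version 2004 or later" so the qualifier attaches only to Windows 10. Also, the sentence now names Windows 11 but still links to user-documentation/connect-windows-7-10.md for the Windows Desktop client; check that the linked page covers Windows 11 or adjust the link text so readers are not sent to a page that appears to cover only 7 and 10.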
@@ -80,7 +79,7 @@ You can enable [multifactor authentication](set-up-mfa.md) for Azure AD-joined V
80
79
81
80
## User profiles
82
81
83
-
You can use FSLogix profile containers with Azure AD-joined VMs when you store them on Azure Files. For more information, see [Create a profile container with Azure Files and Azure AD](create-profile-container-azure-ad.md).
82
+
You can use FSLogix profile containers with Azure AD-joined VMs when you store them on Azure Files while using synced user accounts. For more information, see [Create a profile container with Azure Files and Azure AD](create-profile-container-azure-ad.md).
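Review bot: "while using synced user accounts" is the only condition stated here, but the Known limitations hunk above gives the sharper rule (Azure Files access is only available for synced users using Azure AD Kerberos). This paragraph should say explicitly that cloud-only accounts cannot use FSLogix profile containers on Azure Files with Azure AD-joined session hosts, and name Azure AD Kerberos as the mechanism, rather than leaving the reader to infer it from the limitation list elsewhere on the page.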