MicrosoftDocs
diff --git a/‎articles/virtual-desktop/add-session-hosts-host-pool.md
Lines changed: 24 additions & 8 deletions b/‎articles/virtual-desktop/add-session-hosts-host-pool.md
Lines changed: 24 additions & 8 deletions
diff --git a/‎articles/virtual-desktop/azure-ad-joined-session-hosts.md
Lines changed: 1 addition & 1 deletion b/‎articles/virtual-desktop/azure-ad-joined-session-hosts.md
Lines changed: 1 addition & 1 deletion
diff --git a/‎articles/virtual-desktop/deploy-azure-virtual-desktop.md
Lines changed: 31 additions & 44 deletions b/‎articles/virtual-desktop/deploy-azure-virtual-desktop.md
Lines changed: 31 additions & 44 deletions
@@ -46,17 +46,14 @@ This article shows you how to generate a registration key by using the Azure por
 
 For a general idea of what's required, such as supported operating systems, virtual networks, and identity providers, review the [prerequisites for Azure Virtual Desktop](prerequisites.md). In addition:
 
-::: zone pivot="host-pool-session-host-configuration"
-- You need an existing host pool with a session host configuration.
-::: zone-end
-
 ::: zone pivot="host-pool-standard"
 - You need an existing host pool with standard management. Each host pool must only contain session hosts on Azure or on Azure Local. You can't mix session hosts on Azure and on Azure Local in the same host pool.
-::: zone-end
-
 - If you have existing session hosts in the host pool, make a note of the virtual machine size, the image, and name prefix that you used. All session hosts in a host pool should have the same configuration, including the same identity provider. For example, a host pool shouldn't contain some session hosts joined to Microsoft Entra ID and some session hosts joined to an Active Directory domain.
+::: zone-end
 
 ::: zone pivot="host-pool-session-host-configuration"
+- You need an existing host pool with a session host configuration.
+
 - The Azure account you use must have the following built-in role-based access control (RBAC) roles or equivalent as a minimum on the resource group:
 
    | Action | RBAC role |
@@ -181,7 +178,10 @@ Here's how to generate a registration key by using the [desktopvirtualization](/
 ::: zone pivot="host-pool-session-host-configuration"
 ## Add session hosts
 
-You can use the Azure portal to specify the number of session hosts you want to add, then Azure Virtual Desktop automatically creates them based on the session host configuration. You can't use PowerShell to add session hosts to a host pool with a session host configuration.
+You can use the Azure portal to specify the number of session hosts you want to add, then Azure Virtual Desktop automatically creates them based on the session host configuration. At this time, you can't use PowerShell to add session hosts to a host pool with a session host configuration.
+
+> [!NOTE]
+>[Diagnostics for host pools using a session host configuration](https://learn.microsoft.com/en-us/azure/virtual-desktop/session-host-update-diagnostics) are recorded with Log Analytics in Azure Monitor and won't be available in your ARM deployments history. We recommended that you [enable Log Analytics](https://learn.microsoft.com/en-us/azure/virtual-desktop/diagnostics-log-analytics) for any host pool using a session host configuration.
 
 Here's how to add session hosts:
 
@@ -193,9 +193,25 @@ Here's how to add session hosts:
 
 1. On the host pool overview, select **Session hosts**, then select **+ Add**.
 
-1. For **Number of session hosts to be added**, enter the number of session hosts you want to create. If you want to review the session host configuration that is used, see **View session host configuration**. To edit the session host configuration, see [Schedule an update and edit session host configuration](session-host-update-configure.md#schedule-an-update-and-edit-a-session-host-configuration). 
+1. For **Number of session hosts to be added**, enter the number of session hosts you want to create. If you want to review the session host configuration that is used, see **View session host configuration**. To edit the session host configuration, see [Schedule an update and edit session host configuration](session-host-update-configure.md#schedule-an-update-and-edit-a-session-host-configuration).
+
+1. Confirm that the calculated total host pool size reflects your desired quantity of session hosts.
+
+1. Optionally change the failed session host cleanup policy or drain mode policy.
 
 1. Select **Add**. The number of session hosts you entered is created and added to the host pool.
+
+### Cancel in-progress session host creation
+
+You can cancel in-progress session host creation using the Azure portal. Session hosts that are in the process of being created can't be cancelled.
+
+Here's how to cancel session host creation:
+
+1. Return to the host pool overview where session host creation is in progress.
+
+1. On the host pool overview, select **Session hosts**, then select **Cancel**.
+
+1. Review the message providing cancellation details, then select **Confirm**.
 ::: zone-end
 
 ::: zone pivot="host-pool-standard"
 
@@ -34,7 +34,7 @@ You can deploy Microsoft Entra joined VMs directly from the Azure portal when yo
 
 After you've created your host pool, you must assign users access to their resources. To grant access to resources, add each user to the application group. Follow the instructions in [Manage application groups](manage-app-groups.md) to assign user access to apps and desktops. We recommend that you use user groups instead of individual users wherever possible.
 
-For Microsoft Entra joined VMs, you'll need to do two extra things on top of the requirements for Active Directory or Microsoft Entra Domain Services-based deployments:  
+For Microsoft Entra joined VMs in host pools without a session host configuration, you need to do two extra things on top of the requirements for Active Directory or Microsoft Entra Domain Services-based deployments. For host pools using a session host configuration, this additional role assignment is not required.
 
 - Assign your users the **Virtual Machine User Login** role so they can sign in to the VMs.
 - Assign administrators who need local administrative privileges the **Virtual Machine Administrator Login** role.
 
@@ -48,78 +48,65 @@ For more information on the terminology used in this article, see [Azure Virtual
 
 ::: zone pivot="host-pool-session-host-configuration"
 Review the [Prerequisites for Azure Virtual Desktop](prerequisites.md) for a general idea of what's required and supported, such as operating systems (OS), virtual networks, and identity providers. It also includes a list of the [supported Azure regions](prerequisites.md#azure-regions) in which you can deploy host pools, workspaces, and application groups. This list of regions is where the *metadata* for the host pool can be stored. However, session hosts can be located in any Azure region. For more information about the types of data and locations, see [Data locations for Azure Virtual Desktop](data-locations.md).
-::: zone-end
-
-::: zone pivot="host-pool-standard"
-For a general idea of what's required and supported, such as operating systems (OSs), virtual networks, and identity providers, review [Prerequisites for Azure Virtual Desktop](prerequisites.md). That article also includes a list of the [supported Azure regions](prerequisites.md#azure-regions) in which you can deploy host pools, workspaces, and application groups. This list of regions is where the *metadata* for the host pool can be stored. However, session hosts can be located in any Azure region and on-premises with [Azure Local](azure-stack-hci-overview.md). For more information about the types of data and locations, see [Data locations for Azure Virtual Desktop](data-locations.md).
-::: zone-end
-
-For more prerequisites, including role-based access control (RBAC) roles, select the relevant tab for your scenario.
-
-::: zone pivot="host-pool-session-host-configuration"
-# [Azure portal](#tab/portal-session-host-configuration)
 
 In addition to the general prerequisites, you need:
 
 - The Azure account you use to create a host pool must have the following built-in role-based access control (RBAC) roles or equivalent as a minimum on the resource group or subscription to create the following resource types. If you want to assign the roles to a resource group, you need to create this first.
 
-   | Resource type | RBAC role |
-   |--|--|
-   | Host pool, workspace, and application group | [Desktop Virtualization Contributor](rbac.md#desktop-virtualization-contributor) |
-   | Session hosts (Azure) | [Virtual Machine Contributor](../role-based-access-control/built-in-roles.md#virtual-machine-contributor) |
+   | Resource type | RBAC role | Scope |
+   |--|--|--|
+   | Host pool, workspace, and application group | [Desktop Virtualization Contributor](rbac.md#desktop-virtualization-contributor) | Resource group or subscription |
+   | Session hosts (Azure) | [Virtual Machine Contributor](../role-based-access-control/built-in-roles.md#virtual-machine-contributor) | Resource group or subscription |
+   | Key Vault | [Key Vault Secrets User](../role-based-access-control/built-in-roles.md#key-vault-secrets-user) | Key vault containing local and/or domain credentials|
 
    For ongoing management of host pools, workspaces, and application groups, you can use more granular roles for each resource type. For more information, see [Built-in Azure RBAC roles for Azure Virtual Desktop](rbac.md).
 
-- Assign the Azure Virtual Desktop service principal the [**Desktop Virtualization Virtual Machine Contributor**](rbac.md#desktop-virtualization-virtual-machine-contributor) role-based access control (RBAC) role on the resource group or subscription with the host pools and session hosts you want to use with session host update. For more information, see [Assign Azure RBAC roles or Microsoft Entra roles to the Azure Virtual Desktop service principals](service-principal-assign-roles.md).
-
-- A key vault containing the secrets you want to use for your virtual machine local administrator account credentials and, if you're joining session hosts to an Active Directory domain, your domain join account credentials. You need one secret for each username and password.
-
-   - You need to provide the Azure Virtual Desktop service principal the ability to read the secrets. Your key vault can be configured to use either:
-
-      - [The Azure RBAC permission model](/azure/key-vault/general/rbac-guide) with the custom role you created assigned to the Azure Virtual Desktop service principal.
-
-      - [An access policy](/azure/key-vault/general/assign-access-policy) with the *Get* secret permission assigned to the Azure Virtual Desktop service principal.
-
-   - The key vault must allow [Azure Resource Manager for template deployment](../azure-resource-manager/managed-applications/key-vault-access.md#enable-template-deployment).
+- If you're joining session hosts to an Active Directory domain or using [Microsoft Entra hybrid join](/entra/identity/devices/concept-hybrid-join) you need additional permissions:
 
-- An Active Directory domain that you can join session hosts to. Joining session hosts to Microsoft Entra ID isn't supported, but you can use [Microsoft Entra hybrid join](/entra/identity/devices/concept-hybrid-join).
+   - If you're joining session hosts to a Microsoft Entra Domain Services domain, you need to be a member of the [*AAD DC Administrators* group](../active-directory-domain-services/tutorial-create-instance-advanced.md#configure-an-administrative-group).
 
-- Don't disable [Windows Remote Management](/windows/win32/winrm/about-windows-remote-management) (WinRM) when creating session hosts using the Azure portal, as [PowerShell DSC](/powershell/dsc/overview) requires it.
+   - If you're joining session hosts to an Active Directory Domain Services (AD DS) domain, you need to use an account with more permissions than typically required for joining a domain because the new OS image reuses the existing computer object. The permissions and properties in the following table need to be applied to the account on the Organizational Unit (OU) containing your session hosts:
 
-# [Azure PowerShell](#tab/powershell-session-host-configuration)
-
-In addition to the general prerequisites, you need:
-
-- The Azure account you use to create a host pool must have the following built-in role-based access control (RBAC) roles or equivalent as a minimum on the resource group or subscription to create the following resource types. If you want to assign the roles to a resource group, you need to create this first.
-
-   | Resource type | RBAC role |
-   |--|--|
-   | Host pool, workspace, and application group | [Desktop Virtualization Contributor](rbac.md#desktop-virtualization-contributor) |
-   | Session hosts (Azure) | [Virtual Machine Contributor](../role-based-access-control/built-in-roles.md#virtual-machine-contributor) |
+      | Name | Type | Applies to |
+      |--|--|--|
+      | Reset password | Allow | Descendant Computer objects |
+      | Validated write to DNS host name | Allow | Descendant Computer objects |
+      | Validated write to service principal name | Allow | Descendant Computer objects |
+      | Read account restrictions | Allow | Descendant Computer objects |
+      | Write account restrictions | Allow | Descendant Computer objects |
 
-   For ongoing management of host pools, workspaces, and application groups, you can use more granular roles for each resource type. For more information, see [Built-in Azure RBAC roles for Azure Virtual Desktop](rbac.md).
+      Beginning with [KB5020276](https://support.microsoft.com/help/5020276), further protections were introduced for the reuse of computer accounts in an Active Directory domain. To successfully reuse the existing computer object for the session host, either:
 
-- Assign the Azure Virtual Desktop service principal the [**Desktop Virtualization Virtual Machine Contributor**](rbac.md#desktop-virtualization-virtual-machine-contributor) role-based access control (RBAC) role on the resource group or subscription with the host pools and session hosts you want to use with session host update. For more information, see [Assign Azure RBAC roles or Microsoft Entra roles to the Azure Virtual Desktop service principals](service-principal-assign-roles.md).
+      - The user account joining the session host to the domain is the creator of the existing computer account.
+      - The computer account was created by a member of the domain administrators security group.
+      - Apply the Group Policy setting `Domain controller: Allow computer account re-use during domain join` to the owner of the computer account. For more information on the scope of this setting, see [KB5020276](https://support.microsoft.com/help/5020276).
 
 - A key vault containing the secrets you want to use for your virtual machine local administrator account credentials and, if you're joining session hosts to an Active Directory domain, your domain join account credentials. You need one secret for each username and password. The virtual machine local administrator password must meet the [password requirements when creating a VM](/azure/virtual-machines/windows/faq#what-are-the-password-requirements-when-creating-a-vm-).
 
-   - You need to provide the Azure Virtual Desktop service principal the ability to read the secrets. Your key vault can be configured to use either:
+   - Provide the Azure Virtual Desktop service principal the ability to read the secrets. See [Assign Azure RBAC roles or Microsoft Entra roles to the Azure Virtual Desktop service principals](service-principal-assign-roles.md) to make sure you're using the correct service principal. Your key vault can be configured to use either:
 
-      - [The Azure RBAC permission model](/azure/key-vault/general/rbac-guide) with the custom role you created assigned to the Azure Virtual Desktop service principal.
+      - [The Azure RBAC permission model](/azure/key-vault/general/rbac-guide) with the role [Key Vault Secrets User](../role-based-access-control/built-in-roles.md#key-vault-secrets-user) assigned to the Azure Virtual Desktop service principal.
 
       - [An access policy](/azure/key-vault/general/assign-access-policy) with the *Get* secret permission assigned to the Azure Virtual Desktop service principal.
 
-   - The key vault must allow [Azure Resource Manager for template deployment](../azure-resource-manager/managed-applications/key-vault-access.md#enable-template-deployment).
+   - Configure the key vault access configuration to allow [Azure Resource Manager for template deployment](../azure-resource-manager/managed-applications/key-vault-access.md#enable-template-deployment).
+
+   - Configure the key vault network settings to [Allow public access from all networks](/azure/key-vault/general/how-to-azure-key-vault-network-security).
+
+- For any custom configuration PowerShell scripts you specify in the session host configuration to run after an update, the URL to the script must be resolvable from the public internet.
 
 - Don't disable [Windows Remote Management](/windows/win32/winrm/about-windows-remote-management) (WinRM) when creating session hosts using the Azure portal, as [PowerShell DSC](/powershell/dsc/overview) requires it.
 
+### PowerShell prerequisites
 - If you want to use Azure PowerShell locally, see [Use Azure CLI and Azure PowerShell with Azure Virtual Desktop](cli-powershell.md) to make sure you have the [Az.DesktopVirtualization](/powershell/module/az.desktopvirtualization) PowerShell module installed. Alternatively, use the [Azure Cloud Shell](../cloud-shell/overview.md).
 
 - Azure PowerShell cmdlets for Azure Virtual Desktop that support host pools with a session host configuration are in preview. You need to download and install the [preview version of the Az.DesktopVirtualization module](https://www.powershellgallery.com/packages/Az.DesktopVirtualization/) to use these cmdlets, which are added in version 5.3.0.
+::: zone-end
 
-   > [!NOTE]
-   > You can't use PowerShell to add session hosts to a host pool with a session host configuration. You need to use the Azure portal to specify the number of session hosts you want to add, then Azure Virtual Desktop automatically creates them based on the session host configuration. 
+::: zone pivot="host-pool-standard"
+For a general idea of what's required and supported, such as operating systems (OSs), virtual networks, and identity providers, review [Prerequisites for Azure Virtual Desktop](prerequisites.md). That article also includes a list of the [supported Azure regions](prerequisites.md#azure-regions) in which you can deploy host pools, workspaces, and application groups. This list of regions is where the *metadata* for the host pool can be stored. However, session hosts can be located in any Azure region and on-premises with [Azure Local](azure-stack-hci-overview.md). For more information about the types of data and locations, see [Data locations for Azure Virtual Desktop](data-locations.md).
 
+For more prerequisites, including role-based access control (RBAC) roles, select the relevant tab for your scenario.
 ::: zone-end
 
 ::: zone pivot="host-pool-standard"