Field note
AVD Least Privilege with Intune EPM
Virtual desktops still need endpoint discipline. The mistakes are just concentrated onto fewer hosts, with more users sharing the blast radius.
Azure Virtual Desktop does not make endpoint privilege simpler. It changes the shape of the problem.
If too many people can install software, run elevated tools, or bypass controls on session hosts, the risk is still there. In some ways it is worse, because one untidy host can affect a lot of users.
The basic rule is straightforward: treat session hosts like shared production endpoints, not convenient throwaway machines.
What the platform supports today
Microsoft recommends Intune for managing Azure Virtual Desktop, and Windows Enterprise multi-session support in Intune is now generally available for Azure Virtual Desktop. That is useful because it means policy, compliance direction, and application control can live in a proper operating model instead of scripts held together by habit.
There are still caveats:
- token roaming needs care in multi-session designs
- cloned enrolled images create trouble
- not every control that works fine on physical endpoints behaves the same on VDI
That last point matters. Microsoft states that the Defender for Endpoint security baseline is optimized for physical devices and is not currently recommended for VMs or VDI endpoints.
A sensible least-privilege baseline
| Area | Baseline |
|---|---|
| User privilege | Standard user by default |
| Admin access | Named admin groups only |
| App install path | Packaging process, not ad hoc installs |
| Elevation | Approved flow for supported tasks only |
| Logging | Security and elevation events reviewed |
| Image lifecycle | Build, test, release, retire |
The goal is to keep changes predictable. Shared hosts get messy quickly when every exception turns into a local tweak.
Where EPM fits, and where caution fits
Endpoint Privilege Management can be part of the answer on supported Windows endpoints, but do not design the whole AVD privilege model around assumptions. Validate your host type, user profile design, and app behavior in a pilot first.
In practice, the cleanest model usually looks like this:
- package and preapprove what can be packaged
- keep day-to-day users as standard users
- reserve true admin access for named support or engineering roles
- use elevation only for the gaps that genuinely need it
If every awkward app turns into a privilege exception, the host pool will drift fast.
Practical rollout
- Build a non-production host pool from the same image strategy you plan to use in production.
- Enroll and manage the hosts with Intune.
- Apply only the controls you can explain and support in a shared-session design.
- Test business apps, updates, and user profile behavior.
- Remove broad standing admin access.
- Add narrow elevation paths or packaging fixes for known blockers.
- Review support tickets, failures, and noisy controls before rollout wider.
- Document what is different on AVD compared with physical endpoints.
Mistakes worth avoiding
Do not make every user a local admin "because it is only AVD".
Do not assume a baseline built for physical endpoints belongs on every shared virtual host.
Do not let vendors keep permanent privileged accounts on session hosts with no review date.
Do not skip logs because hosts are rebuilt often. Rebuilds are not evidence.
Good AVD operations are not flashy. They are consistent, documented, and resistant to one-off admin shortcuts.
If the host pool depends on tribal knowledge, it is already too fragile.
References
Related notes
05 Feb 2026 · 3 min
Endpoint Privilege Management
Related: intune, endpoint privilege management, local admin.
09 Apr 2026 · 3 min
Intune Policy Conflict Map: Baselines, Settings Catalog and Endpoint Security
Related: intune, endpoint security, settings catalog.
06 Apr 2026 · 3 min
Intune Mobile Passkeys and Credential Provider: Small Change, Useful Control
Related: intune, passkeys, android.
Need help mapping this to your own tenant, controls, or assessment timeline?