Configure AVD insights workbook template to monitor and troubleshoot AVD workloads across metrics, logs, events, and more. Both Production and DR workloads should be enabled with AVD Insights.
Click the Azure Resource Graph tab to view the query
//cannot-be-validated-with-arg
Ensure separate log analytics workspaces for Prod and DR
Impact:LowCategory:Disaster Recovery
APRL GUID:89b4d8f6-6345-4d66-9012-c3fc2aef94e8
Description:
Having separate Log Analytics ensures that your DR environment is fully operational for visibility of the metrics, performance, and other auditing tools your workload teams will rely on in the event of an incident.
Click the Azure Resource Graph tab to view the query
//under-development
Monitor and plan capacity for AVD resources
Impact:LowCategory:Disaster Recovery
APRL GUID:ef4b3561-c85f-47cf-8cb0-51fae9ddf929
Description:
Monitor and plan for subscription limits and API throttling limits. Keep track of resource usage within your subscription. Consider scaling across multiple subscriptions if further scaling is required.
To handle a large number of users, consider scaling horizontally by creating multiple host pools.
Click the Azure Resource Graph tab to view the query
//under-development
Ensure DNS regions are replicated to avoid single point of failure
Impact:HighCategory:High Availability
APRL GUID:e1a34ac6-8761-4020-b537-d60c0be7514e
Description:
Active Directory Domain Services (AD DS) integrated DNS/other should target Secondary/Tertiary customer DNS across multi-region zones. If using custom DNS, ensure there are redundant DNS servers to avoid a single point of failure.
Click the Azure Resource Graph tab to view the query
//under-development
Implement a multi-region BCDR Plan
Impact:HighCategory:Disaster Recovery
APRL GUID:0714d039-535e-468d-9732-e32b5c094faa
Description:
It is recommended to adopt a multi-region deployment (active-active or active-passive) for AVD. Each region should contain at least identity, name resolution, AVD management resources, and session hosts in case of a primary region outage.
Click the Azure Resource Graph tab to view the query
//under-development
Create only one FSLogix file share per Storage Account
Impact:MediumCategory:Scalability
APRL GUID:ed1f0327-0914-49e8-9518-16acb0d6b8d6
Description:
To maximize capacity and performance scaling it is recommended to creat only one file share per Azure files storage account, with this approach the single file share will be able to grow to the maximum capacities of the storage account.
Click the Azure Resource Graph tab to view the query
//cannot-be-validated-with-arg
Create a dedicated FSLogix file share and setup per host pool
Impact:MediumCategory:Scalability
APRL GUID:ff916698-7507-4519-b545-c94dd81d73c5
Description:
To maximize capacity and performance scaling of the file share service and avoid user's profile contention, it is recommended to create one file share target and FSLogix setup per host pool.
Click the Azure Resource Graph tab to view the query
//under-development
Enable Azure backup for FSLogix storage account file shares
Impact:MediumCategory:High Availability
APRL GUID:0025ed2e-41f4-4ada-93c1-12484cef8b0c
Description:
It is recommended to enable backup on the FSLogix Storage Account. Ensuring the user profiles are resilient will allow user data and experience to be consistent through outages.
Click the Azure Resource Graph tab to view the query
//under-development
Implement RDP shortpath for public or managed networks
Impact:MediumCategory:Other Best Practices
APRL GUID:3835b4b3-0479-4be8-9ffd-34ae29fa33b9
Description:
RDP Shortpath establishes a direct UDP-based connection between a client and the session host. By default, RDP tries to use UDP and falls back to TCP if needed. UDP transport offers better connection reliability and consistent latency.
Click the Azure Resource Graph tab to view the query
//under-development
Ensure AVD session hosts connect to control plane & allow UDP ports for RDP shortpath
Impact:MediumCategory:Governance
APRL GUID:e718ac1a-ebab-4f75-9e4a-1a5ccef20d1f
Description:
Ensure AVD session hosts can communicate with the AVD control plane and that UDP ports are open if used. Validate VM connectivity to the AVD Control Plane and confirm UDP TURN port accessibility. Whitelist global URLs and ensure UDP/TURN ports are open for smooth user connections.
Click the Azure Resource Graph tab to view the query
//cannot-be-validated-with-arg
Ensure secondary Entra ID connect synchronization server
Impact:LowCategory:Security
APRL GUID:d984eaf9-0fa1-4f8d-a326-bda751993c6f
Description:
Hybrid - Entra ID Connect best to run in Azure but can be hosted on-prem. Secondary or more VMs should be setup in staging mode in event of failover.
Set up secondary server in staging mode for Entra Connect for syncing to Entra in case of primary server outage.
Click the Azure Resource Graph tab to view the query
//under-development
Ensure virtual networks have route tables/route server configured for all regions
Impact:MediumCategory:High Availability
APRL GUID:db1727d1-5c8e-4a01-a31e-f0d58cfd95b1
Description:
For high availability connections back to on-premises data centers should consider backup paths across the regions that have been utilized. Ensure redundancy in routing by having a secondary route table in the secondary region.
Click the Azure Resource Graph tab to view the query
//under-development
Ensure virtual networks isolation with separate IP space and NSGs for Prod and DR
Impact:MediumCategory:Business Continuity
APRL GUID:37d1091b-e599-4548-a067-a9286be16e45
Description:
NSG and ASG per AVD persona and IP space per Prod/DR regions. Plan IP addressing to avoid overlaps between on-premises and Azure regions, preventing major contention challenges.
Click the Azure Resource Graph tab to view the query
//under-development
Configure static routes for session hosts to directly access the AVD control plane subnet
Impact:MediumCategory:Other Best Practices
APRL GUID:1c6c97d7-4d03-4f53-985d-fa239f715173
Description:
Ensure Route Tables have static routes for session host traffic targeting the AVD control plane to go directly to the internet (next hop). This avoids delays from additional hops or inspections in trusted traffic communication.
Click the Azure Resource Graph tab to view the query
//under-development
Create updated image version and replace session hosts rather than updating host directly
Impact:LowCategory:Governance
APRL GUID:2831dab9-6a43-44a1-8aec-90a8e84894bc
Description:
Establish a process for handling image updates in your AVD environment. Instead of updating session hosts directly, create a new version of the updated image. This involves creating and configuring a golden image with the necessary updates and configurations.
Click the Azure Resource Graph tab to view the query
//under-development
Ensure the standard FSLogix configuration is deployed
Impact:MediumCategory:Governance
APRL GUID:c15b2b73-52a1-4db2-88dd-d592424ff4e4
Description:
Ensure all session hosts have the standard FSLogix configuration deployed. Regularly validate settings for consistency and alignment with best practices.
Click the Azure Resource Graph tab to view the query
//cannot-be-validated-with-arg
Ensure user permissions are set correctly on FSLogix SMB shares
Impact:MediumCategory:Security
APRL GUID:7b170ddd-5770-4945-9bc3-cd1ccf5f8672
Description:
Verify user permissions are correctly set on SMB shares so that users have appropriate access to only their own profile and not other user profiles, while administrators have full access at the root volume. Also ensure secondary storage path permissions are set in case of a DR event.
Click the Azure Resource Graph tab to view the query
//cannot-be-validated-with-arg
Configure Diagnostic Settings on FSLogix storage and capture session hosts FSLogix events
Impact:MediumCategory:Monitoring and Alerting
APRL GUID:483f5a00-84a0-49f7-903b-ef6f1fc0c389
Description:
Configure diagnostic settings on FSLogix storage and regularly monitor its metrics and logs for errors. While events can be reviewed locally on the Session Host, it is recommended to use AVD insights workbook to consolidate this information into a Log Analytics workspace.
Click the Azure Resource Graph tab to view the query
//under-development
Manually install FSLogix updates
Impact:LowCategory:Governance
APRL GUID:d51e0a70-8b50-4be3-af8a-7c9065e47360
Description:
Ensure a process to regularly check and update FSLogix agent. Upgrade to the latest version promptly to address bugs and meet support requirements. FSLogix releases hotfixes to resolve issues impacting deployments. Keeping FSLogix updated is crucial for support and reliability.
Click the Azure Resource Graph tab to view the query
//under-development
Turn on continuous availability for ANF
Impact:MediumCategory:High Availability
APRL GUID:9b2301af-9cac-4f1a-871a-f17475d01812
Description:
Turn on Continuous Availability if using Azure Netapp Files.
Verify the number of users connecting to each file share to make sure the SMB path can handle the number of file connections.
Click the Azure Resource Graph tab to view the query
//under-development
Use dedicated file share for App attach and include the storage in the disaster recovery plan
Impact:MediumCategory:Disaster Recovery
APRL GUID:7d9c96a6-1ce5-4cf0-ad1b-638a37f753cb
Description:
App Attach packages should be on a separate share from profiles and backed up. Requirements vary based on the number of packaged applications. Test your applications to understand your needs. Ensure the file share is in the same Azure region as your session hosts.
Click the Azure Resource Graph tab to view the query
//under-development
Ensure resilient deployment of key vaults for AVD Host Pools
Impact:HighCategory:Disaster Recovery
APRL GUID:1f57434f-f884-41f3-b818-129bbe3c5d3b
Description:
To ensure continuous availability and disaster recovery readiness, provision a secondary Key Vault in a secondary region. In case of a primary region failure, the secondary Key Vault will ensure critical secrets remain accessible for deployments in the secondary region.
Click the Azure Resource Graph tab to view the query
//under-development
Deploy multiple domain controllers across availability zones in each region with AVD session hosts.
Impact:HighCategory:Disaster Recovery
APRL GUID:d61f6ee8-de1b-4fd9-9ce3-316cfe11ee05
Description:
Deploy multiple domain controllers on Azure VMs across availability zones with AVD session hosts. This removes on-premises dependencies and improves performance with a shorter authentication path. This doesn't apply to Microsoft Entra ID or Entra Domain Services joined session hosts.
Click the Azure Resource Graph tab to view the query
//under-development
Deploy two or more DNS servers across availability zones in each region with AVD session hosts.
Impact:HighCategory:High Availability
APRL GUID:99bf5c94-aa68-4bb3-8b7f-45d1c5f09b5d
Description:
Deploy custom DNS servers on Azure VMs across availability zones in the same region as session hosts. This removes on-premises dependencies and improves performance by shortening the name resolution path.