avd_checklist.en.json

{
    "items": [
        {
            "category": "Business Continuity and Disaster Recovery",
            "subcategory": "Compute",
            "text": "Determine the expected High Availability SLA for applications/desktops published through AVD",
            "description": "AVD control plane does not offer a financially backed service level agreement. We strive to attain at least 99.9% availability for the Azure Virtual Desktop service URLs. The availability of the session host virtual machines in your subscription is covered by the Virtual Machines SLA. Dependent resources/services and infrastructure availability must be also considered to properly satisfy global high-availability requirements.",
            "waf": "Reliability",
            "guid": "56c57ba5-9119-4bf8-b8f5-c586c7d9cdc1",
            "id": "A01.01",
            "severity": "High",
            "link": "https://azure.microsoft.com/support/legal/sla/virtual-desktop/v1_0/"
        },
        {
            "category": "Business Continuity and Disaster Recovery",
            "subcategory": "Compute",
            "text": "Assess Geo Disaster Recovery requirements for AVD Host Pools",
            "description": "'Active-Active' model can be achieved with multiple host pools in different regions. A single Host Pool with VMs from different regions is not recommended. If multiple pools for same users will be used, the problem of how to synchronize/replicate user profiles must be solved. FSLogix Cloud Cache could be used, but need to be carefully reviewed and planned, or customers can decide to do not synchronize/replicate at all. 'Active-Passive' can be achieved using Azure Site Recovery (ASR) or on-demand Pool deployment with automated mechanism. For a detailed discussion on multi-region BCDR, please read the companion article in the 'More Info' column and this FSLogix related page: https://learn.microsoft.com/fslogix/concepts-container-recovery-business-continuity.",
            "waf": "Reliability",
            "guid": "6acc076e-f9b1-441a-a989-579e76b897e7",
            "id": "A01.02",
            "severity": "Medium",
            "link": "https://learn.microsoft.com/azure/architecture/example-scenario/wvd/azure-virtual-desktop-multi-region-bcdr"
        },
        {
            "category": "Business Continuity and Disaster Recovery",
            "subcategory": "Compute",
            "text": "Separate critical applications in different AVD Host Pools",
            "description": "Before approaching Azure Virtual Desktop BCDR planning and design, it is important to initially consider which applications consumed through AVD are critical. You may want to separate them from non-critical apps and use a separate Host Pool with a different disaster recovery approach and capabilities.",
            "waf": "Reliability",
            "guid": "10a7da7b-e996-46e1-9d3c-4ada97cc3d13",
            "id": "A01.03",
            "severity": "Low",
            "link": "https://docs.microsoft.com/azure/virtual-desktop/disaster-recovery"
        },
        {
            "category": "Business Continuity and Disaster Recovery",
            "subcategory": "Compute",
            "text": "Plan the best resiliency option for AVD Host Pool deployment",
            "description": "Each Host Pool can be deployed using Availability Zones (AZ) or Availability Set (AS). To maximize resiliency, usage of AZ is recommended: at Host Pool creation time you can decide to spread Host Pool Session Hosts across all available AZ. Usage of AS will not protect from single datacenter failure, then should be used only in regions where AZ are not available. More details on AZ and AVD in the companion article. For a comparison between AZ and AS you can read here: https://learn.microsoft.com/azure/virtual-machines/availability.",
            "waf": "Reliability",
            "guid": "25ab225c-6f4e-4168-9fdd-dea8a4b7cdeb",
            "id": "A01.04",
            "severity": "High",
            "link": "https://techcommunity.microsoft.com/t5/azure-virtual-desktop-blog/announcing-general-availability-of-support-for-azure/ba-p/3636262"
        },
        {
            "category": "Business Continuity and Disaster Recovery",
            "subcategory": "Compute",
            "text": "Assess the requirement to backup AVD Session Host VMs",
            "description": "Azure Backup can be used to protect Host Pool VMs. For Pooled Pools, this is not necessary since should be stateless. Instead, this option can be considered for Personal Host Pools.",
            "waf": "Reliability",
            "guid": "4c61fc3f-c14e-4ea6-b69e-8d9a3eec218e",
            "id": "A01.05",
            "severity": "Medium",
            "link": "https://docs.microsoft.com/azure/virtual-desktop/disaster-recovery"
        },
        {
            "category": "Business Continuity and Disaster Recovery",
            "subcategory": "Compute",
            "text": "Prepare a local DR strategy for Personal Host Pool Session Hosts",
            "description": "Even for Personal Pools, usage of Availability Zones, when available, is recommended. Three possible in-region DR strategies are possible, it is recommended to select the best one based on cost, RTO/RPO, and if it is really necessary to save the entire VM OS disk: (1) create each session host in a specific zone (AZ) and then use Azure Site Recovery (ASR) to replicate to a different zone. (2) Use Azure Backup to backup and restore the specific session host in a different AZ. (3) Create a new session host in a different AZ and rely on FSLogix and/or OneDrive to make data and settings available on the new machine. All options require administrator intervention for DR and direct user assignment at Host Pool level, then must be planned and configured in advance.",
            "waf": "Reliability",
            "guid": "5da58639-ca3a-4961-890b-29663c5e10d",
            "id": "A01.06",
            "severity": "Medium",
            "link": "https://learn.microsoft.com/azure/site-recovery/azure-to-azure-how-to-enable-zone-to-zone-disaster-recovery"
        },
        {
            "category": "Business Continuity and Disaster Recovery",
            "subcategory": "Dependencies",
            "text": "Plan for Golden Image cross-region availability",
            "description": "If custom images are used to deploy AVD Host Pool VMs, it is important to ensure those artifacts are available in all regions where AVD is deployed. Azure Compute Gallery service can be used to replicate images across all regions where a Host Pool is deployed, with redundant storage and in multiple copies. Please be aware that the Azure Compute Gallery service isn't a global resource. For disaster recovery scenarios, the best practice is to have at least two galleries, in different regions.",
            "waf": "Reliability",
            "guid": "dd2e0d5d-771d-441e-9610-cc57b4a4a141",
            "id": "A02.01",
            "severity": "Low",
            "link": "https://learn.microsoft.com/azure/virtual-machines/azure-compute-gallery"
        },
        {
            "category": "Business Continuity and Disaster Recovery",
            "subcategory": "Dependencies",
            "text": "Assess Infrastructure & Application dependencies ",
            "description": "If users of the AVD infrastructure need on-premises resource access, high availability of network infrastructure required to connect is also critical and should be considered. Resiliency of authentication infrastructure needs to be assessed and evaluated. BCDR aspects for dependent applications and other resources need to be considered to ensure availability in the secondary DR location.",
            "waf": "Reliability",
            "guid": "fd339489-8c12-488b-9c6a-57cfb644451e",
            "id": "A02.02",
            "severity": "Medium",
            "link": "https://docs.microsoft.com/azure/virtual-desktop/disaster-recovery"
        },
        {
            "category": "Business Continuity and Disaster Recovery",
            "subcategory": "Storage",
            "text": "Assess which data need to be protected in the Profile and Office Containers",
            "description": "Not all data inside FSLogix user profiles may deserve protection from disaster. Additionally, if external storage is used, for example OneDrive or File Servers/Shares, what is remaining in the FSLogix profile is minimal and could be lost in some extreme circumstances. In other cases, data inside the profile can be rebuilt from other storages (for example Outlook Inbox in cached mode).",
            "waf": "Reliability",
            "guid": "687ab077-adb5-49e5-a960-3334fdf8cc23",
            "id": "A03.01",
            "severity": "Medium",
            "link": "https://docs.microsoft.com/fslogix/manage-profile-content-cncpt"
        },
        {
            "category": "Business Continuity and Disaster Recovery",
            "subcategory": "Storage",
            "text": "Build a backup protection strategy for Profile and Office Containers",
            "description": "Preventing data loss for critical user data is important, first step is to assess which data need to be saved and protected. If using OneDrive or other external storage, saving user Profile and/or Office Containers data maybe not necessary. Appropriate mechanism must be considered to provide protection for critical user data. Azure Backup service can be used to protect Profile and Office Containers data when stored on Azure Files Standard and Premium tiers. Azure NetApp Files Snapshots and Policies can be used for Azure NetApp Files (all tiers).",
            "waf": "Reliability",
            "guid": "fc4972cc-3cd2-45bf-a707-6e9eab4bed32",
            "id": "A03.02",
            "severity": "Medium",
            "link": "https://docs.microsoft.com/azure/virtual-desktop/disaster-recovery"
        },
        {
            "category": "Business Continuity and Disaster Recovery",
            "subcategory": "Storage",
            "text": "Assess Profile Container storage replication requirements and resiliency for BCDR purpose",
            "description": "In AVD, multiple replication mechanisms and strategies can be used for user data residing in FSLogix containers: [Profile Pattern #1]: Native Azure storage replication mechanisms, for example Azure Files Standard GRS replication, Azure NetApp Files Cross Region Replication. Use Zone Replicated Storage (ZRS) or Geo replicated storage (GRS) for Azure Files is recommended. LRS with local-only resiliency can be used if no zone/region protection is required. NOTE: Azure Files Share Standard is LRS/ZRS/GRS, but with 100TB large support enabled only LRS/ZRS are supported. [Profile Pattern #2]: FSLogix Cloud Cache is built in automatic mechanism to replicate containers between different (up to 4) storage accounts. Cloud Cache should be used only when:(1) User Profile or Office containers data availability required high-availability SLA is critical and need to be resilient to region failure. (2) Selected storage option is not able to satisfy BCDR requirements. For example, with Azure File Share Premium tier, or Azure File Share Standard with Large File Support enabled, GRS is not available. (3) When replication between disparate storage is required. [Profile Pattern #3]: Only set up geo disaster recovery for application data and not for user data/profile containers: store important application data in separate storages, like OneDrive or other external storage with its own built-in DR mechanism.",
            "waf": "Reliability",
            "guid": "9f7547c1-746d-4c56-868a-714435bd09dd",
            "id": "A03.03",
            "severity": "Medium",
            "link": "https://docs.microsoft.com/azure/virtual-desktop/disaster-recovery"
        },
        {
            "category": "Business Continuity and Disaster Recovery",
            "subcategory": "Storage",
            "text": "Review Azure Files disaster recovery strategy",
            "description": "For local disaster recovery, Azure Backup for Azure Files can be used. For cross-region geo disaster recovery: GRS for Azure Files is only available with standard SKU and no large share support, then not suitable in most customer scenarios. If geo-replication is required with Azure File Share Premium, replication with FSLogix Cloud Cache can be evaluated, or 'in-region' Availability Zone (AZ) only resiliency should be considered.",
            "waf": "Reliability",
            "guid": "3d4f3537-c134-46dc-9602-7a71efe1bd05",
            "id": "A03.04",
            "severity": "Medium",
            "link": "https://docs.microsoft.com/azure/backup/backup-afs"
        },
        {
            "category": "Business Continuity and Disaster Recovery",
            "subcategory": "Storage",
            "text": "Use Zone Redundant Storage (ZRS) for Azure Files to maximize resiliency",
            "description": "Zone Redundant Storage will maximize in-region resiliency for the user profile data. ZRS is supported for premium file shares through the 'FileStorage' storage account kind. ZRS is supported in standard general-purpose v2 storage accounts. Usage of zone redundant storage must be paired with zone redundant deployment of Session Hosts in each Host Pool. ",
            "waf": "Reliability",
            "guid": "10d4e875-d502-4142-a795-f2b6eff34f88",
            "id": "A03.05",
            "severity": "High",
            "link": "https://learn.microsoft.com/azure/storage/files/files-redundancy#zone-redundant-storage"
        },
        {
            "category": "Business Continuity and Disaster Recovery",
            "subcategory": "Storage",
            "text": "Review Azure NetApp Files disaster recovery strategy",
            "description": "For local disaster recovery, Azure NetApp Files (ANF) native backup is available. ANF is essentially locally redundant, then for cross-region geo disaster recovery it is necessary to use an additional mechanism that is Cross-Region Replication (CRR) https://learn.microsoft.com/azure/azure-netapp-files/cross-region-replication-create-peering. Currently, ANF does not provide replication nor redundancy across different Availability Zones (AZ), only the possibility to select in which single AZ to place the ANF volume: https://learn.microsoft.com/azure/azure-netapp-files/manage-availability-zone-volume-placement.",
            "waf": "Reliability",
            "guid": "23429db7-2281-4376-85cc-57b4a4b18142",
            "id": "A03.06",
            "severity": "Medium",
            "link": "https://learn.microsoft.com/azure/azure-netapp-files/cross-region-replication-create-peering"
        },
        {
            "category": "Compute",
            "subcategory": "Golden Images",
            "text": "Determine how applications will be deployed in AVD Host Pools",
            "description": "Applications can be preinstalled in the golden image/s, can be attached using MSIX & AppAttach feature or distributed to the session hosts after host pool deployment using traditional software distribution methods.",
            "waf": "Operations",
            "guid": "86ba2802-1459-4014-95d3-8e5309ccbd97",
            "id": "B01.01",
            "severity": "High",
            "link": "https://learn.microsoft.com/azure/virtual-desktop/set-up-golden-image"
        },
        {
            "category": "Compute",
            "subcategory": "Golden Images",
            "text": "Estimate the number of golden images that will be required",
            "description": "Multiple golden images can be required to support different OS versions and/or settings, different groups of applications that must be separated and cannot be included in a single image.",
            "waf": "Operations",
            "guid": "9266bcca-274f-4aa1-abf3-9d95d44c7c89",
            "id": "B01.02",
            "severity": "Medium",
            "link": "https://learn.microsoft.com/azure/virtual-desktop/set-up-golden-image"
        },
        {
            "category": "Compute",
            "subcategory": "Golden Images",
            "text": "Determine which OS image/s you will use for Host Pool deployment",
            "description": "Determine which Guest OS will be used to deploy each Host Pool: Windows 10 vs. Windows Server, Marketplace vs. Custom images",
            "waf": "Reliability",
            "guid": "19ca1f6d-5315-4ae5-84ba-34d4585e2213",
            "id": "B01.03",
            "severity": "Medium",
            "link": "https://learn.microsoft.com/azure/virtual-desktop/prerequisites?tabs=portal#operating-systems-and-licenses"
        },
        {
            "category": "Compute",
            "subcategory": "Golden Images",
            "text": "Select the proper store for custom images",
            "description": "Azure VM custom images can be created and stored in different ways: in an Azure Compute Gallery, as a managed image object or as a managed disk in the storage. The recommended way is to use Azure Compute Gallery.",
            "waf": "Reliability",
            "guid": "5a2adb2c-3e23-426b-b225-ca44e1696fdd",
            "id": "B01.04",
            "severity": "Low",
            "link": "https://learn.microsoft.com/azure/virtual-machines/shared-image-galleries"
        },
        {
            "category": "Compute",
            "subcategory": "Golden Images",
            "text": "Design your build process for custom images",
            "description": "If custom images will be used, plan for an automated build process. If no pre-existing software factory exists, consider using Custom Image Templates and/or Azure Image Builder to automate the build process.",
            "waf": "Operations",
            "guid": "9bd7bb01-2f7b-495e-86e1-54e2aa359282",
            "id": "B01.05",
            "severity": "Low",
            "link": "https://learn.microsoft.com/azure/virtual-desktop/create-custom-image-templates"
        },
        {
            "category": "Compute",
            "subcategory": "Golden Images",
            "text": "If custom image will be used, check recommended best practices for AVD on how to build custom image",
            "description": "There are some known best practices and recommendations for the golden image customization, be sure to check the referenced article.",
            "waf": "Operations",
            "guid": "deace4cb-1dec-44c6-90c3-fc14eebb36a3",
            "id": "B01.06",
            "severity": "Medium",
            "link": "https://learn.microsoft.com/azure/virtual-desktop/set-up-golden-image"
        },
        {
            "category": "Compute",
            "subcategory": "Golden Images",
            "text": "Include the latest version of FSLogix in the golden image update process",
            "description": "FSLogix stack installed in AVD session hosts does not provide auto-update capability. For this reason, it is recommended to download the latest version of FSLogix and include in the golden image update process.",
            "waf": "Reliability",
            "guid": "ed5c9027-dd1a-4343-86ca-52b199223186",
            "id": "B01.07",
            "severity": "High",
            "link": "https://learn.microsoft.com/fslogix/how-to-install-fslogix"
        },
        {
            "category": "Compute",
            "subcategory": "Golden Images",
            "text": "Evaluate the usage of Virtual-Desktop-Optimization-Tool",
            "description": "This tool-set has been created to automatically apply setting referenced in white paper 'Optimizing Windows 10, version 2004 for a Virtual Desktop Infrastructure (VDI) role': https://docs.microsoft.com/windows-server/remote/remote-desktop-services/rds-vdi-recommendations-2004. Usage of the tool and/or optimizations mentioned in the white-paper should be considered. ",
            "waf": "Performance",
            "guid": "829e3fec-2183-4687-a017-7a2b5945bda4",
            "id": "B01.08",
            "severity": "Low",
            "link": "https://github.com/The-Virtual-Desktop-Team/Virtual-Desktop-Optimization-Tool"
        },
        {
            "category": "Compute",
            "subcategory": "Golden Images",
            "text": "Determine if Microsoft OneDrive will be part of AVD deployment",
            "description": "If OneDrive is used and included in a golden image, be sure to follow the configuration procedure reported in the companion article in the 'More Info' section. Not in scope in this AVD checklist, but OneDrive optimizations like 'Known Folder Redirection' and 'Files On-Demand' should be evaluated used to reduce the space used in FSLogix profiles and provide a better user experience. OneDrive today is not supported for Remote Apps.",
            "waf": "Operations",
            "guid": "e3d3e084-4276-4d4b-bc01-5bcf219e4a1e",
            "id": "B01.09",
            "severity": "Low",
            "link": "https://learn.microsoft.com/azure/virtual-desktop/install-office-on-wvd-master-image#install-onedrive-in-per-machine-mode"
        },
        {
            "category": "Compute",
            "subcategory": "Golden Images",
            "text": "Determine if Microsoft Teams will be part of AVD deployment",
            "description": "Be sure to review the requirements and configuration procedure contained in the companion article in the 'More Info' column. Since Teams automatic updates will be disabled, it is recommended to check and include Teams latest version in the golden image update process.",
            "waf": "Performance",
            "guid": "b5887953-5d22-4788-9d30-b66c67be5951",
            "id": "B01.10",
            "severity": "Low",
            "link": "https://learn.microsoft.com/azure/virtual-desktop/teams-on-AVD"
        },
        {
            "category": "Compute",
            "subcategory": "Golden Images",
            "text": "Assess the requirement to support multiple languages",
            "description": "AVD can support users with different language and localization requirements in the same host pool. This can be done customizing golden images to ensure users can select whichever language they need. The procedure to configure additional language packs in Windows 11 is documented in the reference article.",
            "waf": "Reliability",
            "guid": "7c336f3b-822a-498e-8cd1-667d1150df4a",
            "id": "B01.11",
            "severity": "Low",
            "link": "https://learn.microsoft.com/azure/virtual-desktop/windows-11-language-packs"
        },
        {
            "category": "Compute",
            "subcategory": "MSIX & AppAttach",
            "text": "Do not use the same storage account/share as FSLogix profiles",
            "description": "It is highly recommended to use separate storage accounts/shares to store MSIX packages. If necessary, storage can scale out independently and not being impacted by profile I/O activities. Azure offers multiple storage options that can be used for MISX app attach. We recommend using Azure Files or Azure NetApp Files as those options offer the best value between cost and management overhead. ",
            "waf": "Performance",
            "guid": "90083845-c587-4cb3-a1ec-16a1d076ef9f",
            "id": "B02.01",
            "severity": "Medium",
            "link": "https://docs.microsoft.com/azure/virtual-desktop/app-attach-file-share"
        },
        {
            "category": "Compute",
            "subcategory": "MSIX & AppAttach",
            "text": "Review performance considerations for MSIX",
            "description": "In the referenced article, we reported few but important performance considerations for MSIX usage in AVD context, be sure to carefully review.",
            "waf": "Performance",
            "guid": "241addce-5793-477b-adb3-751ab2ac1fad",
            "id": "B02.02",
            "severity": "Medium",
            "link": "https://docs.microsoft.com/azure/virtual-desktop/app-attach-file-share"
        },
        {
            "category": "Compute",
            "subcategory": "MSIX & AppAttach",
            "text": "Check proper session host permissions for MSIX share",
            "description": "MSIX app attach requires read-only permissions to access the file share. If you're storing your MSIX applications in Azure Files, then for your session hosts, you'll need to assign all session host VMs both storage account role-based access control (RBAC) and file share New Technology File System (NTFS) permissions on the share.",
            "waf": "Security",
            "guid": "66e15d4d-5a2a-4db2-a3e2-326bf225ca41",
            "id": "B02.03",
            "severity": "Medium",
            "link": "https://docs.microsoft.com/azure/virtual-desktop/app-attach-file-share"
        },
        {
            "category": "Compute",
            "subcategory": "MSIX & AppAttach",
            "text": "MSIX packages for 3rd-party applications",
            "description": "3rd-party software vendor must provide a MSIX package, it is not recommended for customer to attempt the conversion procedure without proper support from the application owner.",
            "waf": "Cost",
            "guid": "bd362caa-ab79-4b19-adab-81932c9fc9d1",
            "id": "B02.04",
            "severity": "Low",
            "link": "https://docs.microsoft.com/azure/virtual-desktop/app-attach-faq"
        },
        {
            "category": "Compute",
            "subcategory": "MSIX & AppAttach",
            "text": "Disable auto-update for MSIX packages",
            "description": "MSIX app attach doesn't support auto-update for MSIX applications, so they should be disabled.",
            "waf": "Operations",
            "guid": "bb88037f-5e6b-4fbb-aed5-03547cc447e8",
            "id": "B02.05",
            "severity": "Low",
            "link": "https://docs.microsoft.com/azure/virtual-desktop/app-attach-faq"
        },
        {
            "category": "Compute",
            "subcategory": "MSIX & AppAttach",
            "text": "Review operating systems support",
            "description": "In order to leverage MSIX & App Attach, guest OS image for AVD Host pool must be Windows 10/11 Enterprise or Windows 10/11 Enterprise Multi-session, version 2004 or later.",
            "waf": "Reliability",
            "guid": "26128a71-f0f1-4cac-9d9e-f1d5e832e42e",
            "id": "B02.06",
            "severity": "Medium",
            "link": "https://docs.microsoft.com/azure/virtual-desktop/app-attach-faq"
        },
        {
            "category": "Compute",
            "subcategory": "Session Host",
            "text": "Evaluate the usage of Gen2 VM for Host Pool deployment",
            "description": "Once selected the VM SKU that will be used for Host Pool deployment, it is recommended to use Gen2 type of the SKU for higher security and improved capabilities.",
            "waf": "Performance",
            "guid": "e4633254-3185-40a1-b120-bd563a1c8e9d",
            "id": "B03.01",
            "severity": "Medium",
            "link": "https://docs.microsoft.com/azure/virtual-machines/generation-2"
        },
        {
            "category": "Compute",
            "subcategory": "Session Host",
            "text": "Consider using MMR (MultiMedia Redirection) to get better video performance on browser",
            "description": "MMR redirects the media content from Session Host to your local machine for faster processing and rendering. It only works when you play media content on Microsoft Edge or Google Chrome. See linked URL for more details.",
            "waf": "Performance",
            "guid": "adecb27f-dc40-40f5-aca2-0090f633b1c9",
            "id": "B03.02",
            "severity": "Low",
            "link": "https://learn.microsoft.com/azure/virtual-desktop/multimedia-redirection"
        },
        {
            "category": "Foundation",
            "subcategory": "Capacity Planning",
            "text": "Determine the Host Pool type to use",
            "description": "A host pool is a collection of Azure virtual machines that register to Azure Virtual Desktop as session hosts. A host pool can be one of two types: Personal and Pooled. Which type to use, and how many, is a key design decision that must be documented and validated. See companion article in 'More Info' column for more details.",
            "waf": "Cost",
            "guid": "8468c55a-775c-46ee-a5b8-6ad8844ce3b2",
            "id": "C01.01",
            "severity": "High",
            "link": "https://learn.microsoft.com/azure/virtual-desktop/terminology#host-pools"
        },
        {
            "category": "Foundation",
            "subcategory": "Capacity Planning",
            "text": "Estimate the number of different Host Pools to deploy ",
            "description": "Use your design criteria to determine the number of Host Pools to deploy. This will be based on factors such as different OS images, multi-region support, guest VM hardware differences (such as GPU support or no), different user expectations and uptime requirements (examples might be 'Executives', 'Office Workers', 'Developers', etc.), and Host Pool RDP settings (such as drive redirection support). These will determine the number of host pools as well as how many hosts will be in each pool.",
            "waf": "Performance",
            "guid": "4e98495f-d3c0-4af2-aa59-a793395a32a7",
            "id": "C01.02",
            "severity": "High",
            "link": "https://learn.microsoft.com/azure/virtual-desktop/terminology?WT.mc_id=Portal-fx#host-pools"
        },
        {
            "category": "Foundation",
            "subcategory": "Capacity Planning",
            "text": "For Personal Host Pool type, select the proper assignment type",
            "description": "Confirm that the difference between automatic and direct assignment is well understood and the selected option is appropriate for the scenario in question. Automatic is the default setting.",
            "waf": "Operations",
            "guid": "b38b875b-a1cf-4204-a901-3a5d3ce474db",
            "id": "C01.03",
            "severity": "Low",
            "link": "https://docs.microsoft.com/azure/virtual-desktop/configure-host-pool-personal-desktop-assignment-type"
        },
        {
            "category": "Foundation",
            "subcategory": "Capacity Planning",
            "text": "For Pooled Host Pool type, select the best load balancing method",
            "description": "Check which one to use and available options, autoscale ignores existing load-balancing algorithms.",
            "waf": "Performance",
            "guid": "cbd8682a-6abc-4a2a-9fda-1dbf3dc95d48",
            "id": "C01.04",
            "severity": "Low",
            "link": "https://docs.microsoft.com/azure/virtual-desktop/host-pool-load-balancing"
        },
        {
            "category": "Foundation",
            "subcategory": "Capacity Planning",
            "text": "For Pooled Host Pool type, VMs shouldn't have more than 32 cores",
            "description": "The number of cores increase, the system's synchronization overhead also increases. Especially for multiple user's sign-in simultaneously. Make sure not to use a VM that is too large for the session host",
            "waf": "Performance",
            "guid": "b3724959-4943-4577-a3a9-e10ff6345f24",
            "id": "C01.05",
            "severity": "Medium",
            "link": "https://learn.microsoft.com/windows-server/remote/remote-desktop-services/virtual-machine-recs"
        },
        {
            "category": "Foundation",
            "subcategory": "Capacity Planning",
            "text": "Do not use the same Host Pool to offer both full desktops (DAG) and Remote Apps to the same set of users",
            "description": "AVD does not support assigning both the RemoteApp and Desktop Application Group (DAG) in a single host pool to the same set of users. Doing so will cause a single user to have two user sessions in a single host pool. Users aren't supposed to have two active sessions at the same time in the same host pool using the same profile.",
            "waf": "Security",
            "guid": "b384b7ed-1cdd-457e-a2cd-c8d4d55bc144",
            "id": "C01.06",
            "severity": "High",
            "link": "https://learn.microsoft.com/azure/virtual-desktop/terminology?WT.mc_id=Portal-fx#application-groups"
        },
        {
            "category": "Foundation",
            "subcategory": "Capacity Planning",
            "text": "Estimate the number of Application Groups required across all Host Pools in the Microsoft Entra ID tenant",
            "description": "There is a limit of 500 Application Groups that can be created in AVD for each Microsoft Entra ID (former Azure AD) tenant. The limit can be increased (see the companion link for details) but it is not recommended.",
            "waf": "Reliability",
            "guid": "971cc4a4-b1f7-4c12-90e0-1ad96808f00c",
            "id": "C01.07",
            "severity": "Medium",
            "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits#azure-virtual-desktop-service-limits"
        },
        {
            "category": "Foundation",
            "subcategory": "Capacity Planning",
            "text": "Estimate the number of Applications for each Application Group",
            "description": "Applications are grouped under Application Groups as containers for publishing and assigning permissions: we recommend that you do not publish more than 50 applications per application group.",
            "waf": "Reliability",
            "guid": "fa9f2895-473d-439b-ab8e-5a5cf92c7f32",
            "id": "C01.08",
            "severity": "Low",
            "link": "https://learn.microsoft.com/azure/architecture/example-scenario/wvd/windows-virtual-desktop#considerations"
        },
        {
            "category": "Foundation",
            "subcategory": "Capacity Planning",
            "text": "Evaluate the usage of FSLogix for Personal Host Pools",
            "description": "FSLogix is not required for Personal Host Pools since each VM is statically assigned to a single user, then no immediate needs for a roaming profile solution. In some usage scenarios FSLogix can help. For example, a VM can be re-assigned, or user moved to another desktop, or roaming profile can be used to save user profile in a different location for DR purposes.",
            "waf": "Reliability",
            "guid": "38b19ab6-0693-4992-9394-5590883916ec",
            "id": "C01.09",
            "severity": "Low",
            "link": "https://learn.microsoft.com/azure/virtual-desktop/configure-host-pool-personal-desktop-assignment-type?tabs=azure#reassign-a-personal-desktop"
        },
        {
            "category": "Foundation",
            "subcategory": "Capacity Planning",
            "text": "Run workload performance test to determine the best Azure VM SKU and size to use",
            "description": "Use the link provided to set a starting point for SKU decision, then validate using a performance test. Ensure a minimum of four cores for Production is selected per Session Host (multi-session)",
            "waf": "Performance",
            "guid": "e1112dbd-7ba0-412e-9b94-ef6e047d2ea2",
            "id": "C01.10",
            "severity": "High",
            "link": "https://docs.microsoft.com/windows-server/remote/remote-desktop-services/virtual-machine-recs"
        },
        {
            "category": "Foundation",
            "subcategory": "Capacity Planning",
            "text": "Verify AVD scalability limits for the environment",
            "description": "It is critical to check AVD capacity and limits reported in the referenced article. Additional limits and thresholds apply for network, compute, storage and service management. ",
            "waf": "Reliability",
            "guid": "992b1cd6-d2f5-44b2-a769-e3a691e8838a",
            "id": "C01.11",
            "severity": "High",
            "link": "https://learn.microsoft.com/azure/architecture/example-scenario/wvd/windows-virtual-desktop#considerations"
        },
        {
            "category": "Foundation",
            "subcategory": "Capacity Planning",
            "text": "Determine if  Session Hosts will require GPU",
            "description": "Host Pools with GPU require special configuration, please be sure to review the referenced article.",
            "waf": "Performance",
            "guid": "c936667e-13c0-4056-94b1-e945a459837e",
            "id": "C01.12",
            "severity": "Low",
            "link": "https://docs.microsoft.com/azure/virtual-desktop/configure-vm-gpu"
        },
        {
            "category": "Foundation",
            "subcategory": "Capacity Planning",
            "text": "Use Azure VM SKUs able to leverage Accelerated Networking",
            "description": "Whenever is possible, it is recommended to leverage VM SKUs with Accelerated Networking feature. This feature does require specific VM SKU/size and OS versions, please see the list and requirement in the companion article.",
            "waf": "Performance",
            "guid": "b47a393a-0803-4272-a479-8b1578b219a4",
            "id": "C01.13",
            "severity": "Low",
            "link": "https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview"
        },
        {
            "category": "Foundation",
            "subcategory": "Clients & Users",
            "text": "Assess how many users will connect to AVD and from which regions",
            "description": "For proper planning and deployment, it is important to assess the maximum number of concurrent and total users for each Host Pool. Additionally, users from different regions may require different Host Pools to ensure the best user experience.",
            "waf": "Performance",
            "guid": "bb91a33d-90ca-4e2c-a881-3706f7c0cb9f",
            "id": "C02.01",
            "severity": "Medium",
            "link": "https://learn.microsoft.com/azure/virtual-desktop/overview"
        },
        {
            "category": "Foundation",
            "subcategory": "Clients & Users",
            "text": "Assess external dependencies for each Host Pool",
            "description": "The dependencies on resources external to the AVD pool should be assessed and reviewed, for example Active Directory, external file shares or other storage, on-premises services and resources, network infrastructure components like VPN and or ExpressRoute, external services and 3rd-party components. For all these resources, latency from the AVD Host Pool needs to be evaluated and connectivity considered. Additionally, BCDR considerations need to be applied to these dependencies as well.",
            "waf": "Performance",
            "guid": "6abca2a4-fda1-4dbf-9dc9-5d48c7c791dc",
            "id": "C02.02",
            "severity": "Medium",
            "link": "https://learn.microsoft.com/azure/architecture/example-scenario/wvd/windows-virtual-desktop?toc=%2Fazure%2Fvirtual-desktop%2Ftoc.json&bc=%2Fazure%2Fvirtual-desktop%2Fbreadcrumb%2Ftoc.json"
        },
        {
            "category": "Foundation",
            "subcategory": "Clients & Users",
            "text": "Review user client OS used and AVD client type",
            "description": "AVD offers a variety of client types (fat, thin, web) to connect over different platforms (Windows, MacOS, iOS, Android). Review limitations of each client and compare multiple options when possible.",
            "waf": "Performance",
            "guid": "a1f6d565-99e5-458b-a37d-4985e1112dbd",
            "id": "C02.03",
            "severity": "Low",
            "link": "https://learn.microsoft.com/azure/virtual-desktop/users/connect-windows"
        },
        {
            "category": "Foundation",
            "subcategory": "Clients & Users",
            "text": "Run a PoC to validate end-to-end user experience and impact of network latency",
            "description": "Depending on the user locations, and AVD region deployment, users may have a non-optimal experience, hence is important to test as soon as possible in a small PoC environment. Run the 'Azure Virtual Desktop Experience Estimator' tool to select the best Azure region to deploy Host Pools. Beyond 150ms latency, user experience may be not optimal.",
            "waf": "Performance",
            "guid": "d2f54b29-769e-43a6-a1e8-838ac936667e",
            "id": "C02.04",
            "severity": "High",
            "link": "https://azure.microsoft.com/services/virtual-desktop/assessment/"
        },
        {
            "category": "Foundation",
            "subcategory": "Clients & Users",
            "text": "Assess and document RDP settings for all user groups",
            "description": "RDP settings can currently only be configured at the host pool level, not per user/group. If different settings are required for different set of users, it is recommended to create multiple Host Pools.",
            "waf": "Security",
            "guid": "3b365a5c-7acb-4e48-abe5-4cd79f2e8776",
            "id": "C02.05",
            "severity": "Low",
            "link": "https://docs.microsoft.com/azure/virtual-desktop/customize-rdp-properties"
        },
        {
            "category": "Foundation",
            "subcategory": "General",
            "text": "Determine in which Azure regions AVD Host Pools will be deployed.",
            "description": "AVD is a non-regional service, Host Pools can be created in any region, automatic redirection from closest front-end will happen automatically.",
            "waf": "Performance",
            "guid": "42e52f47-21d9-428c-8b1b-d521e44a29a9",
            "id": "C03.01",
            "severity": "High",
            "link": "https://azure.microsoft.com/global-infrastructure/services/?products=virtual-desktop"
        },
        {
            "category": "Foundation",
            "subcategory": "General",
            "text": "Determine metadata location for AVD service",
            "description": "AVD must store metadata to support the service; this is stored in the specified geography. However, this is independent of the regions where Host Pools are located.",
            "waf": "Reliability",
            "guid": "bad37ead-53cc-47ce-8d7a-aab3571449ab",
            "id": "C03.02",
            "severity": "Medium",
            "link": "https://docs.microsoft.com/azure/virtual-desktop/data-locations"
        },
        {
            "category": "Foundation",
            "subcategory": "General",
            "text": "Check Azure quotas and availability for specific VM sizes and types in the selected regions",
            "description": "Check for specific VM SKUs, especially if you need GPU or high-specs SKUs, and eventually Azure NetApp Files if used.",
            "waf": "Reliability",
            "guid": "8053d89e-89dc-47b3-9be2-a1a27f7a9e91",
            "id": "C03.03",
            "severity": "Low",
            "link": "https://docs.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits"
        },
        {
            "category": "Identity",
            "subcategory": "Active Directory",
            "text": "Create at least two Active Directory Domain Controllers (DCs) in Azure VNet environment close to AVD Host Pool",
            "description": "AD DCs in Azure are recommended (at least two in different AZ) to reduce latency for users logging into AVD session hosts, and eventually for Azure NetApp Files and AD integration. A DC need to be able to talk to DCs for ALL child domains. As alternative, on-premise connectivity must be used to reach AD DCs.",
            "waf": "Reliability",
            "guid": "c14aea7e-65e8-4d9a-9aec-218e6436b073",
            "id": "D01.01",
            "severity": "Medium",
            "link": "https://docs.microsoft.com/azure/architecture/reference-architectures/identity/adds-extend-domain"
        },
        {
            "category": "Identity",
            "subcategory": "Active Directory",
            "text": "Create a specific OU in Active Directory for each Host Pool",
            "description": "Recommended to create a separate OU per Host Pool under a separate OU hierarchy. These OUs will contain machine accounts of AVD Session Hosts. ",
            "waf": "Operations",
            "guid": "6db55f57-9603-4334-adf9-cc23418db612",
            "id": "D01.02",
            "severity": "Medium",
            "link": "https://docs.microsoft.com/azure/virtual-desktop/create-host-pools-azure-marketplace"
        },
        {
            "category": "Identity",
            "subcategory": "Active Directory",
            "text": "Review Domain GPOs that will be applied to OU and impacting Host Pool Session Hosts functionalities",
            "description": "Carefully review, and potentially block/filter inheritance of GPOs to the OUs containing AVD Host Pools. ",
            "waf": "Operations",
            "guid": "7126504b-b47a-4393-a080-327294798b15",
            "id": "D01.03",
            "severity": "Medium",
            "link": "https://docs.microsoft.com/previous-versions/windows/desktop/Policy/group-policy-hierarchy"
        },
        {
            "category": "Identity",
            "subcategory": "Active Directory",
            "text": "Configure FSLogix settings using the built-in provided GPO ADMX template",
            "description": "If Active Directory Domain GPOs are used, it is recommended to configure FSLogix using the built-in provided GPO ADMX template referenced in the companion article in the 'More Info' column",
            "waf": "Operations",
            "guid": "2226a8e3-50a4-4ac3-8bd6-ee150553051f",
            "id": "D01.04",
            "severity": "Medium",
            "link": "https://learn.microsoft.com/fslogix/how-to-use-group-policy-templates"
        },
        {
            "category": "Identity",
            "subcategory": "Active Directory",
            "text": "Create a dedicated user account with only permissions to join VM to the domain",
            "description": "It is recommended to have a specific dedicated account with minimal permissions, and without the default 10 joins limitation. Review the companion article for more details.",
            "waf": "Security",
            "guid": "347dc560-28a7-41ff-b1cd-15dd2f0d5e77",
            "id": "D01.05",
            "severity": "Medium",
            "link": "https://learn.microsoft.com/azure/virtual-desktop/prerequisites?tabs=portal#session-hosts"
        },
        {
            "category": "Identity",
            "subcategory": "Active Directory",
            "text": "Create a domain user group for each set of users that will be granted access to each Host Pool Application Group (DAG or RAG)",
            "description": "Avoid granting access per user, instead use AD groups and replicate them using Active Directory Connector (ADC) in Microsoft Entra ID (former Azure AD). ",
            "waf": "Security",
            "guid": "2d41e361-1cc5-47b4-a4b1-410d43958a8c",
            "id": "D01.06",
            "severity": "Medium",
            "link": "https://docs.microsoft.com/azure/virtual-desktop/manage-app-groups"
        },
        {
            "category": "Identity",
            "subcategory": "Active Directory",
            "text": "Review your organization password expiration policy for accounts used by Azure Files AD integration",
            "description": "If Azure Files Active Directory (AD) integration is used, as part of the configuration procedure, an AD account to represent the storage account (file share) will be created. You can choose to register as a computer account or service logon account, see FAQ for details. For computer accounts, there is a default password expiration age set in AD at 30 days. Similarly, the service logon account may have a default password expiration age set on the AD domain or Organizational Unit (OU). For both account types, we recommend you check the password expiration age configured in your AD environment and plan to update the password of your storage account identity of the AD account before the maximum password age. You can consider creating a new AD Organizational Unit (OU) in AD and disabling password expiration policy on computer accounts or service logon accounts accordingly.",
            "waf": "Security",
            "guid": "2289b3d6-b57c-4fc6-9546-1e1a3e3453a3",
            "id": "D01.07",
            "severity": "High",
            "link": "https://docs.microsoft.com/azure/storage/files/storage-files-identity-ad-ds-enable"
        },
        {
            "category": "Identity",
            "subcategory": "Active Directory",
            "text": "A Windows Server Active Directory forest/domain must be in sync with Microsoft Entra ID",
            "description": "You can configure this using Active Directory Connect (ADC) or Azure AD Domain Services (for hybrid or cloud organizations). Microsoft Entra ID is the new name for Azure Active Directory (Azure AD).",
            "waf": "Reliability",
            "guid": "5119bf8e-8f58-4542-a7d9-cec166cd072a",
            "id": "D01.08",
            "severity": "High",
            "link": "https://learn.microsoft.com/azure/virtual-desktop/prerequisites?tabs=portal#identity"
        },
        {
            "category": "Identity",
            "subcategory": "Microsoft Entra ID",
            "text": "Configure Azure Files share for Microsoft Entra ID (former Azure AD) Kerberos authentication on Microsoft Entra ID Joined scenario",
            "description": "If Azure Files is used and pre-requisites can be satisfied, it is recommended to configure (Microsoft Entra ID) Kerberos authentication. This configuration will allow to store FSLogix profiles that can be accessed by hybrid user identities from Azure AD-joined session hosts without requiring network line-of-sight to domain controllers.",
            "waf": "Security",
            "guid": "e777fd5e-c5f1-4d6e-8fa9-fc210b88e338",
            "id": "D02.01",
            "severity": "Medium",
            "link": "https://learn.microsoft.com/azure/storage/files/storage-files-identity-auth-hybrid-identities-enable"
        },
        {
            "category": "Identity",
            "subcategory": "Requirements",
            "text": "A Microsoft Entra ID tenant must be available with at least one subscription linked",
            "description": "An Azure subscription must be parented to the same Microsoft Entra ID (former Azure AD) tenant, that contains a virtual network that either contains or is connected to the Windows Server Active Directory Domain Services or Microsoft Entra ID Domain Services instance.",
            "waf": "Reliability",
            "guid": "6ceb5443-5125-4922-9442-93bb628537a5",
            "id": "D03.01",
            "severity": "High",
            "link": "https://learn.microsoft.com/azure/virtual-desktop/prerequisites?tabs=portal#identity"
        },
        {
            "category": "Identity",
            "subcategory": "Requirements",
            "text": "Review and document your identity scenario",
            "description": "Azure Virtual Desktop supports different types of identities depending on which configuration you choose. Please review the supported scenarios mentioned in the 'More Info' article and document the design decision accordingly in the 'Comment' column. Critically, external identities (B2B or B2C) are not supported. Be sure to review also the list of supported scenarios in https://learn.microsoft.com/azure/virtual-desktop/prerequisites?tabs=portal#supported-identity-scenarios.",
            "waf": "Security",
            "guid": "b4ce4781-7557-4a1f-8043-332ae199d44c",
            "id": "D03.02",
            "severity": "High",
            "link": "https://learn.microsoft.com/azure/virtual-desktop/authentication"
        },
        {
            "category": "Identity",
            "subcategory": "Requirements",
            "text": "Assess User Account types and requirements",
            "description": "Users need accounts that are in Microsoft Entra ID (former Azure AD). If you're also using AD DS or Azure AD Domain Services in your deployment of Azure Virtual Desktop, these accounts will need to be hybrid identities, which means the user accounts are synchronized. If you're using Microsoft Entra ID with AD DS, you'll need to configure Azure AD Connect to synchronize user identity data between AD DS and Microsoft Entra ID. If you're using Microsoft Entra ID with Azure AD Domain Services, user accounts are synchronized one way from Microsoft Entra ID to Azure AD Domain Services. This synchronization process is automatic. AVD also supports Microsoft Entra ID native accounts with some restrictions. External identities (B2B or B2C) are not supported.",
            "waf": "Security",
            "guid": "f9b141a8-98a5-435e-9378-97e71ca7da7b",
            "id": "D03.03",
            "severity": "Medium",
            "link": "https://learn.microsoft.com/azure/virtual-desktop/prerequisites?tabs=portal#supported-identity-scenarios"
        },
        {
            "category": "Identity",
            "subcategory": "Requirements",
            "text": "If Single-Sign On (SSO) is a requirement, review the supported scenarios and prerequisites",
            "description": "AVD supports SSO using either Active Directory Federation Services (AD FS) or Microsoft Entra ID (former Azure AD) authentication. The latter is recommended, please check the requirements and limitation in the 'More Info' article. Using AD FS could be a viable choice if already present in the customer environment, it is not recommended to deploy a brand new ADFS infrastructure just for AVD SSO implementation.",
            "waf": "Reliability",
            "guid": "5f9f680a-ba07-4429-bbf7-93d7071561f4",
            "id": "D03.04",
            "severity": "Medium",
            "link": "https://learn.microsoft.com/azure/virtual-desktop/authentication#single-sign-on-sso"
        },
        {
            "category": "Identity",
            "subcategory": "Requirements",
            "text": "Select the proper AVD Session Host domain join type",
            "description": "VMs can be Windows Active Directory (AD) domain-joined, Hybrid AD-joined, Microsoft Entra ID (former Azure AD) Joined or Azure AD Domain Services joined. Be sure to review supported scenarios, limitations and requirements from the referenced article.",
            "waf": "Security",
            "guid": "ea962a15-9394-46da-a7cc-3923266b2258",
            "id": "D03.05",
            "severity": "High",
            "link": "https://learn.microsoft.com/azure/virtual-desktop/prerequisites?tabs=portal#supported-identity-scenarios"
        },
        {
            "category": "Identity",
            "subcategory": "Requirements",
            "text": "Before using Azure AD Domain Services (AAD-DS) for AVD, be sure to review the limitations.",
            "description": "Compare self-managed Windows Active Directory Domain Services, Microsoft Entra ID (former Azure AD), and managed Azure AD Domain Services (AAD-DS)",
            "waf": "Reliability",
            "guid": "6f4a1651-bddd-4ea8-a487-cdeb4861bc3b",
            "id": "D03.06",
            "severity": "Low",
            "link": "https://docs.microsoft.com/azure/active-directory-domain-services/compare-identity-solutions"
        },
        {
            "category": "Monitoring and Management",
            "subcategory": "Management",
            "text": "Use built-in provided administrative templates for AVD settings configuration",
            "description": "AVD provides administrative templates for Intune and Active Directory GPO. Using these templates it is possible to centrally control several AVD configuration settings: Graphics related data logging, Screen capture protection, RDP Shortpath for managed networks, Watermarking. See companion article in 'More Info' colum for details. NOTE: FSLogix has its own separate template.",
            "waf": "Operations",
            "guid": "5549524b-36c0-4f1a-892b-ab3ca78f5db2",
            "id": "E01.01",
            "severity": "Low",
            "link": "https://learn.microsoft.com/azure/virtual-desktop/administrative-template"
        },
        {
            "category": "Monitoring and Management",
            "subcategory": "Management",
            "text": "Plan AVD Session Hosts configuration management strategy",
            "description": "Determine if a configuration management tool is already in place to manage Host Pool VM configuration after initial deployment, For example SCCM/SCOM, Intune/ConfigurationManager, 3rd-party solutions.",
            "waf": "Operations",
            "guid": "3334fdf9-1c23-4418-8b65-285269440b4b",
            "id": "E01.02",
            "severity": "Low",
            "link": "https://learn.microsoft.com/azure/virtual-desktop/management"
        },
        {
            "category": "Monitoring and Management",
            "subcategory": "Management",
            "text": "Evaluate Intune for AVD Session Hosts management",
            "description": "We recommend using Microsoft Intune, if requirements can be satisfied, to manage your Azure Virtual Desktop environment. Review supported scenarios and requirements to enable Intune for AVD Session Host management in the referenced article in the \u0093More Info\u0094 column. Document your choice in the 'Comment' column. In that article, review the different requirements and capabilities for single-session https://learn.microsoft.com/mem/intune/fundamentals/windows-virtual-desktop and multi-session https://learn.microsoft.com/mem/intune/fundamentals/windows-virtual-desktop-multi-session AVD.",
            "waf": "Operations",
            "guid": "63a08be1-6004-4b4a-a79b-f3239faae113",
            "id": "E01.03",
            "severity": "Medium",
            "link": "https://learn.microsoft.com/mem/intune/fundamentals/azure-virtual-desktop"
        },
        {
            "category": "Monitoring and Management",
            "subcategory": "Management",
            "text": "Assess the requirements for host pool auto-scaling capability",
            "description": "The scaling tool provides a low-cost automation option for customers who want to optimize their session host VM costs. You can use the scaling tool to schedule VMs to start and stop based on Peak and Off-Peak business hours, scale out VMs based on number of sessions per CPU core, scale in VMs during Off-Peak hours, leaving the minimum number of session host VMs running. Not available yet for Personal Host Pool type.",
            "waf": "Reliability",
            "guid": "7138b820-102c-4e16-be30-1e6e872e52e3",
            "id": "E01.04",
            "severity": "Medium",
            "link": "https://learn.microsoft.com/azure/virtual-desktop/autoscale-scenarios"
        },
        {
            "category": "Monitoring and Management",
            "subcategory": "Management",
            "text": "Consider the usage of Start VM on Connect for Personal Host Pools",
            "description": "Start VM On Connect lets you reduce costs by enabling end users to turn on their session host virtual machines (VMs) only when they need them. You can then turn off VMs when they're not needed. You can configure Start VM on Connect for personal or pooled host pools using the Azure portal or PowerShell. Start VM on Connect is a host pool wide setting.",
            "waf": "Cost",
            "guid": "55f612fe-f215-4f0d-a956-10e7dd96bcbc",
            "id": "E01.05",
            "severity": "Low",
            "link": "https://learn.microsoft.com/azure/virtual-desktop/start-virtual-machine-connect"
        },
        {
            "category": "Monitoring and Management",
            "subcategory": "Management",
            "text": "Evaluate the implementation of an ad-hoc mechanism to shut down Personal AVD Session Hosts",
            "description": "'Start VM On Connect' provides a smart way to automatically start previously stopped Session Hosts but does not provide a mechanism to shut down when not in used. Administrators are encouraged to configure additional policies to sign users out of their sessions and run Azure automation scripts to de-allocate VMs. Users should be not allowed to shut down their Personal Hosts since will not be able to de-allocate Azure VMs, then billing will still be active with no cost reduction.",
            "waf": "Cost",
            "guid": "79a686ea-d971-4ea0-a9a8-1aea074c94cb",
            "id": "E01.06",
            "severity": "Low",
            "link": "https://learn.microsoft.com/azure/virtual-desktop/start-virtual-machine-connect-faq#are-vms-automatically-deallocated-when-a-user-stops-using-them"
        },
        {
            "category": "Monitoring and Management",
            "subcategory": "Management",
            "text": "Review and adopt suggested Azure Tags for Azure Virtual Desktop",
            "description": "Azure Virtual Desktop billing is mainly based on cost associated to compute, networking and storage resources consumed by Host Pools. In addition to this, costs can be generated by dependent resources, for example VPN or ExpressRoute or vWAN, Active Directory Domain Controllers, DNS, etc. There is no direct cost associated to AVD objects like workspaces, host pools or application groups. To make AVD associated costs more evident and grouped by Host Pool, it is recommended to use 'cm-resource-parent' tag. ",
            "waf": "Cost",
            "guid": "51bcafca-476a-48fa-9b91-9645a7679f20",
            "id": "E01.07",
            "severity": "Low",
            "link": "https://learn.microsoft.com/azure/virtual-desktop/tag-virtual-desktop-resources"
        },
        {
            "category": "Monitoring and Management",
            "subcategory": "Management",
            "text": "Periodically check Azure Advisor recommendations for AVD",
            "description": "Azure Advisor analyzes your configurations and telemetry to offer personalized recommendations to solve common problems. With these recommendations, you can optimize your Azure resources for reliability, security, operational excellence, performance, and cost.",
            "waf": "Operations",
            "guid": "611dd68c-5a4b-4252-8e44-a59a9c2399c4",
            "id": "E01.08",
            "severity": "Low",
            "link": "https://learn.microsoft.com/azure/virtual-desktop/azure-advisor-recommendations"
        },
        {
            "category": "Monitoring and Management",
            "subcategory": "Management",
            "text": "Plan for a Session Host emergency patching and update strategy",
            "description": "Customers have several options: Microsoft Configuration Manager, this article explains how to automatically apply updates to a Azure Virtual Desktop session hosts running Windows 10/11: https://learn.microsoft.com/azure/virtual-desktop/configure-automatic-updates, Microsoft Intune: https://docs.microsoft.com/mem/intune/fundamentals/windows-virtual-desktop-multi-session, Azure Update Management and WSUS for Windows Server OS only (client OS not supported: https://learn.microsoft.com/azure/automation/update-management/operating-system-requirements), 3rd Party tools. Outside an emergency security patching situation, it is recommended to move away from an 'in-place' update strategy patching strategy and adopt a re-imaging approach.",
            "waf": "Operations",
            "guid": "04722da2-9c2b-41cd-922f-54b29bade3aa",
            "id": "E01.09",
            "severity": "Medium",
            "link": "https://learn.microsoft.com/mem/intune/fundamentals/azure-virtual-desktop-multi-session"
        },
        {
            "category": "Monitoring and Management",
            "subcategory": "Management",
            "text": "Configure the Scheduled Agent Updates feature",
            "description": "The Scheduled Agent Updates feature lets you create up to two maintenance windows per Host Pool to update AVD components at a convenient time. It is recommended to specify maintenance windows then upgrading Session Hosts will not happen during peak business hours. Scheduled Agent Updates is disabled by default. This means that, unless you enable this setting, the agent can get updated at any time by the agent update flighting service.",
            "waf": "Reliability",
            "guid": "c067939b-e5ca-4698-b9ce-3bd91843e73f",
            "id": "E01.10",
            "severity": "Low",
            "link": "https://learn.microsoft.com/azure/virtual-desktop/scheduled-agent-updates"
        },
        {
            "category": "Monitoring and Management",
            "subcategory": "Management",
            "text": "Create a validation (canary) Host Pool",
            "description": "Host pools are a collection of one or more identical virtual machines within Azure Virtual Desktop environment. We highly recommend you create a validation host pool where service updates are applied first. This allows you to monitor service updates before the service applies them to your standard or non-validation environment.",
            "waf": "Operations",
            "guid": "d1e8c38e-c936-4667-913c-005674b1e944",
            "id": "E01.11",
            "severity": "Medium",
            "link": "https://docs.microsoft.com/azure/virtual-desktop/create-validation-host-pool"
        },
        {
            "category": "Monitoring and Management",
            "subcategory": "Management",
            "text": "Determine Host Pool deployment strategy",
            "description": "An AVD Host Pool can be deployed in several ways: Azure Portal, ARM templates, Azure CLI tool, Powershell, manual VM creation with registration token, Terraform, 3rd-party tools. It is important to adopt proper method/s to support automatic deployment through automation and CI/CD tools.",
            "waf": "Operations",
            "guid": "a459c373-e7ed-4616-83b3-65a917ecbe48",
            "id": "E01.12",
            "severity": "Medium",
            "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/wvd/eslz-platform-automation-and-devops"
        },
        {
            "category": "Monitoring and Management",
            "subcategory": "Management",
            "text": "Turn on Session Host VMs at least every 90 days for token refresh",
            "description": "After you register a VM to a host pool within the Azure Virtual Desktop service, the agent regularly refreshes the VM's token whenever the VM is active. The certificate for the registration token is valid for 90 days. Because of this 90-day limit, we recommend VMs to be online for 20 minutes every 90 days so that the machine can refresh its tokens and update the agent and side-by-side stack components.",
            "waf": "Operations",
            "guid": "ebe54cd7-df2e-48bb-ac35-81559bb9153e",
            "id": "E01.13",
            "severity": "Medium",
            "link": "https://docs.microsoft.com/azure/virtual-desktop/faq"
        },
        {
            "category": "Monitoring and Management",
            "subcategory": "Monitoring",
            "text": "Enable monitoring for AVD",
            "description": "Azure Virtual Desktop Insights is a dashboard built on Azure Monitor Workbooks that helps IT professionals understand their Azure Virtual Desktop environments. Read the referenced article to learn how to set up Azure Monitor for Azure Virtual Desktop to monitor your AVD environments.",
            "waf": "Reliability",
            "guid": "63cfff1c-ac59-49ef-8d5a-83dd4de36c1c",
            "id": "E02.01",
            "severity": "High",
            "link": "https://learn.microsoft.com/azure/virtual-desktop/insights"
        },
        {
            "category": "Monitoring and Management",
            "subcategory": "Monitoring",
            "text": "Enable diagnostic settings for Workspaces, Host Pools, Application Groups and Host VMs to Log Analytics workspace",
            "description": "Azure Virtual Desktop uses Azure Monitor and Log Analytics for monitoring and alerts like many other Azure services. This lets admins identify issues through a single interface. The service creates activity logs for both user and administrative actions.  Each activity log falls under the following categories: Management, Feed, Connections, Host Registration, Errors, Checkpoints. ",
            "waf": "Reliability",
            "guid": "81770afb-c4c0-4e43-a186-58d2857ed671",
            "id": "E02.02",
            "severity": "Medium",
            "link": "https://docs.microsoft.com/azure/virtual-desktop/diagnostics-log-analytics"
        },
        {
            "category": "Monitoring and Management",
            "subcategory": "Monitoring",
            "text": "Create alerts on the profile storage to be alerted in case of high usage and throttling",
            "description": "See the referenced article and this additional one to setup proper monitoring and alerting for storage: https://docs.microsoft.com/azure/storage/files/storage-troubleshooting-files-performance. ",
            "waf": "Reliability",
            "guid": "2463cffe-179c-4599-be0d-5973dd4ce32c",
            "id": "E02.03",
            "severity": "Medium",
            "link": "https://docs.microsoft.com/azure/storage/files/storage-files-monitoring?tabs=azure-portal"
        },
        {
            "category": "Monitoring and Management",
            "subcategory": "Monitoring",
            "text": "Configure Azure Service Health for AVD alerts ",
            "description": "You can use Azure Service Health to monitor service issues and health advisories for Azure Virtual Desktop. Azure Service Health can notify you with different types of alerts (for example, email or SMS), help you understand the effect of an issue, and keep you updated as the issue resolves.",
            "waf": "Reliability",
            "guid": "18813706-f7c4-4c0d-9e51-4548d2457ed6",
            "id": "E02.04",
            "severity": "Medium",
            "link": "https://docs.microsoft.com/azure/virtual-desktop/set-up-service-alerts"
        },
        {
            "category": "Networking",
            "subcategory": "Networking",
            "text": "Determine if hybrid connectivity is required to connect to on-premises environment",
            "description": "If required to connect to on-premises environment, assess the current connectivity option or plan for the required connectivity (ExpressRoute, Azure S2S or 3rd-party NVA VPN). ",
            "waf": "Reliability",
            "guid": "dd399cfd-7b28-4dc8-9555-6202bfe4563b",
            "id": "F01.01",
            "severity": "Medium",
            "link": "https://docs.microsoft.com/azure/architecture/reference-architectures/hybrid-networking/"
        },
        {
            "category": "Networking",
            "subcategory": "Networking",
            "text": "Determine Azure Virtual Network (VNet) placement for each AVD Host Pool",
            "description": "AVD Host Pools can be deployed in either Azure Virtual WAN or traditional 'Hub & Spoke' network topologies. It is recommended to deploy each Host Pool in a separate 'spoke' VNet, using 'hub' is not recommended.",
            "waf": "Performance",
            "guid": "c8639648-a652-4d6c-85e5-02965388e5de",
            "id": "F01.02",
            "severity": "Medium",
            "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/wvd/eslz-network-topology-and-connectivity"
        },
        {
            "category": "Networking",
            "subcategory": "Networking",
            "text": "Assess which on-premises resources are required from AVD Host Pools",
            "description": "Evaluate the bandwidth requirements, ensure VPN/ER bandwidth will be enough, ensure proper routing and firewall rules are in place, test end-to-end latency. ",
            "waf": "Reliability",
            "guid": "d227dd14-2b06-4c21-a799-9a646f4389a7",
            "id": "F01.03",
            "severity": "Medium",
            "link": "https://docs.microsoft.com/azure/architecture/reference-architectures/hybrid-networking/"
        },
        {
            "category": "Networking",
            "subcategory": "Networking",
            "text": "Need to control/restrict Internet outbound traffic for AVD hosts?",
            "description": "Several options are available. You can use Azure Firewall or equivalent 3rd-party NVA, Network Security Group (NSG) and/or Proxy servers. NSG is not able to enable/disable by URL, only ports and protocols. Proxy should be used only as explicit setting in user browser. Details on using Azure Firewall Premium with AVD are reported in the companion article in the 'More Info' column. Be sure to allow proper access to required AVD URLs. Forced Tunneling to on-premises is not recommended.",
            "waf": "Security",
            "guid": "fc4972cd-3cd2-41bf-9703-6e5e6b4bed3d",
            "id": "F01.04",
            "severity": "Medium",
            "link": "https://docs.microsoft.com/azure/firewall/protect-windows-virtual-desktop"
        },
        {
            "category": "Networking",
            "subcategory": "Networking",
            "text": "Ensure AVD control plane endpoints are accessible",
            "description": "Required URLs for AVD control plane access by session hosts are documented here: https://docs.microsoft.com/azure/virtual-desktop/safe-url-list. A check tool is available to verify connectivity from the session hosts: https://docs.microsoft.com/azure/virtual-desktop/safe-url-list#required-url-check-tool. Forced Tunneling to on-premises is not recommended.",
            "waf": "Reliability",
            "guid": "65c7acbe-45bb-4e60-ad89-f2e87778424d",
            "id": "F01.05",
            "severity": "High",
            "link": "https://docs.microsoft.com/azure/virtual-desktop/safe-url-list"
        },
        {
            "category": "Networking",
            "subcategory": "Networking",
            "text": "Need to control/restrict Internet outbound traffic only for users on AVD hosts? ",
            "description": "Consider the usage of Azure Defender Endpoint or similar 3rd-party agents to control user web navigation, see the Security section for more details.",
            "waf": "Security",
            "guid": "73676ae4-6691-4e88-95ad-a42223e13810",
            "id": "F01.06",
            "severity": "Medium",
            "link": "https://learn.microsoft.com/microsoft-365/security/defender-endpoint/onboard-windows-multi-session-device?view=o365-worldwide"
        },
        {
            "category": "Networking",
            "subcategory": "Networking",
            "text": "Review custom UDR and NSG for AVD Host Pool subnets",
            "description": "Custom UDR and NSG can be applied to AVD Host Pool subnets, for example to redirect to Azure Firewall or NVA, or to filter/block network traffic. In this case is recommended to carefully review to ensure optimal path for outbound traffic to AVD control plane is used. Service Tags can now be used with UDR and NSG, then AVD management plane traffic can be easily allowed: https://learn.microsoft.com/azure/virtual-desktop/safe-url-list.",
            "waf": "Security",
            "guid": "523181a9-4174-4158-93ff-7ae7c6d37431",
            "id": "F01.07",
            "severity": "Low",
            "link": "https://docs.microsoft.com/azure/firewall/protect-windows-virtual-desktop"
        },
        {
            "category": "Networking",
            "subcategory": "Networking",
            "text": "Do not use Proxy servers, SSL termination and Deep Packet Inspection for AVD control plane traffic",
            "description": "Network traffic from AVD Session Host VMs to AVD control plane should be as direct as possible. Redirecting this traffic through a Proxy or Firewall with deep packet inspection and/or SSL termination could cause serious issues and bad customer experience. It is recommended to bypass Proxy and Firewall just for the AVD control plane. User generated traffic surfing the web instead, should be filtered by Firewall and/or redirected to a Proxy. For details and guidelines, please see the companion article in the 'More Info' column.",
            "waf": "Reliability",
            "guid": "cc6edca0-aeca-4566-9e92-cf246f1465af",
            "id": "F01.08",
            "severity": "High",
            "link": "https://learn.microsoft.com/azure/virtual-desktop/proxy-server-support"
        },
        {
            "category": "Networking",
            "subcategory": "Networking",
            "text": "Check the network bandwidth required for each user and in total for the VM SKU",
            "description": "It is recommended to assess and review networking bandwidth requirements for users, based on the specific workload type. The referenced article provide general estimations and recommendations, but specific measure are required for proper sizing. ",
            "waf": "Performance",
            "guid": "516785c6-fa96-4c96-ad88-408f372734c8",
            "id": "F01.09",
            "severity": "Low",
            "link": "https://learn.microsoft.com/azure/virtual-desktop/rdp-bandwidth"
        },
        {
            "category": "Networking",
            "subcategory": "Networking",
            "text": "Evaluate usage Private Endpoint for Azure Files share",
            "description": "If Azure Files SMB share will be used to store user profiles via FSLogix, the usage of Private Endpoint (PE) for private access to the storage is recommended. AVD Session Hosts will access the storage using a private IP in the same VNet, a separate subnet is recommended. This feature has an additional cost that must be evaluated. If PE will not be used, at least Service Endpoint is recommended (no cost associated).",
            "waf": "Security",
            "guid": "ec27d589-9178-426d-8df2-ff60020f30a6",
            "id": "F01.10",
            "severity": "Medium",
            "link": "https://learn.microsoft.com/azure/storage/files/storage-files-networking-endpoints"
        },
        {
            "category": "Networking",
            "subcategory": "Networking",
            "text": "Evaluate usage of RDP ShortPath for clients connecting from managed internal networks",
            "description": "Connections to Azure Virtual Desktop can use TCP or UDP. RDP Shortpath is a feature of AVD that establishes a direct UDP-based transport between a supported Windows Remote Desktop client and session host. if clients have line of sight to AVD session hosts from internal network (VPN usage is not recommended), this feature can provide lower latency and best performances as explained in https://learn.microsoft.com/azure/virtual-desktop/rdp-shortpath?tabs=managed-networks#key-benefits.",
            "waf": "Performance",
            "guid": "b2074747-d01a-4f61-b1aa-92ad793d9ff4",
            "id": "F01.11",
            "severity": "Medium",
            "link": "https://docs.microsoft.com/azure/virtual-desktop/shortpath"
        },
        {
            "category": "Security",
            "subcategory": "Active Directory",
            "text": "Review Active Directory GPO to secure RDP sessions",
            "description": "Security mechanisms provided by GPO should be used, if available. For example, it is possible to impose desktop screen lock and idle session disconnection time. Existing GPOs applied to on-premises environment should be reviewed and eventually applied also to secure also AVD Hosts when joined to the domain.",
            "waf": "Security",
            "guid": "a135e337-897e-431c-97d6-8cb6a22ac19f",
            "id": "G01.01",
            "severity": "Medium",
            "link": "https://learn.microsoft.com/azure/virtual-desktop/security-guide#establish-maximum-inactive-time-and-disconnection-policies"
        },
        {
            "category": "Security",
            "subcategory": "Host Configuration",
            "text": "Ensure anti-virus and anti-malware solutions are used",
            "description": "Microsoft Defender for Endpoint supports Azure Virtual Desktop for Windows 10/11 Enterprise multi-session. Check article for onboarding non-persistent virtual desktop infrastructure (VDI) devices: https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi",
            "waf": "Security",
            "guid": "b1172576-9ef6-4691-a483-5ac932223ece",
            "id": "G02.01",
            "severity": "High",
            "link": "https://learn.microsoft.com/microsoft-365/security/defender-endpoint/deployment-vdi-microsoft-defender-antivirus"
        },
        {
            "category": "Security",
            "subcategory": "Host Configuration",
            "text": "Assess disk encryption requirements for AVD Session Hosts",
            "description": "Disks in Azure are already encrypted at rest by default with Microsoft managed keys. Host VM OS disk encryption is possible and supported using Azure Disk Encryption (ADE - BitLocker) and Disk Encryption Set (DES - Server Side Encryption), the latter is recommended. Encryption of FSLogix storage using Azure Files can be done using SSE on Azure Storage. For OneDrive encryption, see this article: https://docs.microsoft.com/compliance/assurance/assurance-encryption-for-microsoft-365-services.",
            "waf": "Security",
            "guid": "0fd32907-98bc-4178-adc5-a06ca7144351",
            "id": "G02.02",
            "severity": "Low",
            "link": "https://learn.microsoft.com/azure/virtual-machines/disk-encryption-overview"
        },
        {
            "category": "Security",
            "subcategory": "Host Configuration",
            "text": "Enable Trusted launch in Azure Gen2 VM Session Hosts",
            "description": "Trusted launch are Gen2 Azure VMs with enhanced security features aimed to protect against \u0093bottom of the stack\u0094 threats through attack vectors such as rootkits, boot kits, and kernel-level malware. Recommended to enable and leverage Secure Boot, Virtual TPM (vTPM) and Integrity Monitoring.",
            "waf": "Security",
            "guid": "36a5a67f-bb9e-4d5b-9547-8c4479816b28",
            "id": "G02.03",
            "severity": "Medium",
            "link": "https://learn.microsoft.com/azure/virtual-desktop/security-guide#azure-virtual-desktop-support-for-trusted-launch"
        },
        {
            "category": "Security",
            "subcategory": "Host Configuration",
            "text": "Enable Trusted Launch and use Gen2 image are system requirements for Windows 11",
            "description": "Trusted Launch and Gen2 VM are not only security and performance enhancing features but also system requirements for Windows 11. When building an AVD environment based on Windows 11, it is essential to enable these features.",
            "waf": "Security",
            "guid": "135d3899-4b31-44d3-bc8f-028871a359d8",
            "id": "G02.04",
            "severity": "High",
            "link": "https://learn.microsoft.com/windows/whats-new/windows-11-requirements"
        },
        {
            "category": "Security",
            "subcategory": "Host Configuration",
            "text": "Consider enabling screen capture protection to prevent sensitive information from being captured",
            "description": "Displayed content will be automatically blocked or hidden in screenshots. Keep in mind screen sharing will also be blocked when using Teams or other collaboration software which use screen sharing.",
            "waf": "Security",
            "guid": "a49dc137-7896-4343-b2bc-1a31bf1d30b6",
            "id": "G02.05",
            "severity": "Low",
            "link": "https://learn.microsoft.com/azure/virtual-desktop/screen-capture-protection"
        },
        {
            "category": "Security",
            "subcategory": "Host Configuration",
            "text": "Restrict device redirection and drive mapping",
            "description": "If not absolutely required, redirecting drives, printers, and USB devices to a user's local device in a remote desktop session should be disabled or highly restricted. Restrict Windows Explorer access by hiding local and remote drive mappings is also a secure measure to adopt preventing users from discovering unwanted information about system configuration and users.",
            "waf": "Security",
            "guid": "7ce2cd20-85b4-4f82-828e-6558736ede6a",
            "id": "G02.06",
            "severity": "Medium",
            "link": "https://learn.microsoft.com/azure/virtual-desktop/security-guide#other-security-tips-for-session-hosts"
        },
        {
            "category": "Security",
            "subcategory": "Management",
            "text": "When possible, prefer Remote Apps over Full Desktops (DAG)",
            "description": "When choosing a deployment model, you can either provide remote users access to entire virtual desktops or only select applications. Remote applications, or RemoteApps, provide a seamless experience as the user works with apps on their virtual desktop. RemoteApps reduce risk by only letting the user work with a subset of the remote machine exposed by the application.",
            "waf": "Security",
            "guid": "4e25d70e-3924-44f4-b66f-d6cdd4f4a973",
            "id": "G03.01",
            "severity": "Medium",
            "link": "https://learn.microsoft.com/microsoft-365/security/defender-endpoint/web-protection-overview"
        },
        {
            "category": "Security",
            "subcategory": "Management",
            "text": "Need to control/restrict user Internet navigation from AVD session hosts?",
            "description": "Web content filtering feature provided by Web Protection capability in Microsoft Defender for Endpoint, can be used to to control user web navigation. If this tool is used, configuration of web filtering for user Internet browsing is recommended. Access by the Guest OS system to required AVD control plane URLs must be guaranteed.",
            "waf": "Security",
            "guid": "e19dd344-29eb-4722-a237-a151c5bb4e4f",
            "id": "G03.02",
            "severity": "Medium",
            "link": "https://learn.microsoft.com/microsoft-365/security/defender-endpoint/web-protection-overview"
        },
        {
            "category": "Security",
            "subcategory": "Management",
            "text": "Ensure AVD users will not have local administrator privileges on AVD Hosts",
            "description": "We recommend you don't grant your users admin access to virtual desktops. If you need software packages, we recommend you make them available through configuration management utilities.",
            "waf": "Security",
            "guid": "a0cdb3b5-4eb2-4eb0-9dda-a3592718e2ed",
            "id": "G03.03",
            "severity": "High",
            "link": "https://docs.microsoft.com/azure/virtual-desktop/security-guide"
        },
        {
            "category": "Security",
            "subcategory": "Management",
            "text": "Enable Microsoft Defender for Cloud to manage AVD Session Hosts security posture",
            "description": "We recommend you enable Defender for Cloud for the subscriptions, virtual machines, key vaults, and storage accounts used by AVD. With this tool is possible to assess and manage vulnerabilities, assess compliance with common frameworks like PCI, strengthen the overall security of your AVD environment and measure it over time using 'Secure Score': https://learn.microsoft.com/azure/virtual-desktop/security-guide#improve-your-secure-score.",
            "waf": "Security",
            "guid": "1814387e-5ca9-4c26-a9b3-2ab5bdfc6998",
            "id": "G03.04",
            "severity": "Medium",
            "link": "https://learn.microsoft.com/azure/virtual-desktop/security-guide#enable-microsoft-defender-for-cloud"
        },
        {
            "category": "Security",
            "subcategory": "Management",
            "text": "Enable diagnostic and audit logging",
            "description": "Enabling audit log collection lets you view user and admin activity related to Azure Virtual Desktop and store in a central repository like Log Analytics workspace. ",
            "waf": "Security",
            "guid": "a0916a76-4980-4ad0-b278-ee293c1bc352",
            "id": "G03.05",
            "severity": "Medium",
            "link": "https://learn.microsoft.com/azure/virtual-desktop/security-guide#collect-audit-logs"
        },
        {
            "category": "Security",
            "subcategory": "Management",
            "text": "Assess the requirement to use custom RBAC roles for AVD management",
            "description": "Assign the least privilege required by defining administrative, operations, and engineering roles to Azure RBAC roles. To limit access to high privilege roles within your Azure Virtual Desktop landing zone, consider integration with Azure Privileged Identity Management (PIM). Maintaining knowledge of which team is responsible for each particular administrative area helps you determine Azure role-based access control (RBAC) roles and configuration.",
            "waf": "Security",
            "guid": "baaab757-1849-4ab8-893d-c9fc9d1bb73b",
            "id": "G03.06",
            "severity": "Low",
            "link": "https://docs.microsoft.com/azure/virtual-desktop/rbac"
        },
        {
            "category": "Security",
            "subcategory": "Management",
            "text": "Restrict users from installing un-authorized applications",
            "description": "AVD users should not have permission to install application. If required, Windows Defender Application Control (WDAC) can be used to control which drivers and applications are allowed to run on their Windows clients. ",
            "waf": "Security",
            "guid": "b9ea80c8-0628-49fc-ae63-125aa4c0a284",
            "id": "G03.07",
            "severity": "Medium",
            "link": "https://learn.microsoft.com/azure/virtual-desktop/security-guide#windows-defender-application-control"
        },
        {
            "category": "Security",
            "subcategory": "Microsoft Entra ID",
            "text": "Evaluate the usage of Multi-Factor Authentication (MFA) and Conditional Access (CA) for AVD users",
            "description": "Enabling MFA and CA lets you manage risks before you grant users access to your AVD environment. When deciding which users to grant access to, we recommend you also consider who the user is, how they sign in, and which device they're using. Additional details and configuration procedures are provided in the companion article. Microsoft Entra ID is the new name for Azure Active Directory (Azure AD).",
            "waf": "Security",
            "guid": "916d697d-8ead-4ed2-9bdd-186f1ac252b9",
            "id": "G04.01",
            "severity": "Medium",
            "link": "https://learn.microsoft.com/azure/virtual-desktop/set-up-mfa"
        },
        {
            "category": "Security",
            "subcategory": "Zero Trust",
            "text": "Review and Apply Zero Trust principles and guidance",
            "description": "If Zero Trust is a requirement, review the companion article in the 'More Info' column. It provides steps to apply the principles of Zero Trust to an Azure Virtual Desktop deployment.",
            "waf": "Security",
            "guid": "221102d0-90af-49fc-b2b7-8d3fe397e43",
            "id": "G05.01",
            "severity": "Medium",
            "link": "https://learn.microsoft.com/security/zero-trust/azure-infrastructure-avd"
        },
        {
            "category": "Storage",
            "subcategory": "Azure Files",
            "text": "Check best-practices for Azure Files",
            "description": "If used, make sure to check the list of best practices and recommendations described in the referenced article.",
            "waf": "Performance",
            "guid": "9164e990-9ae2-48c8-9c33-b6b7808bafe6",
            "id": "H01.01",
            "severity": "Medium",
            "link": "https://learn.microsoft.com/azure/virtual-desktop/fslogix-containers-azure-files#best-practices-for-azure-virtual-desktop"
        },
        {
            "category": "Storage",
            "subcategory": "Azure Files",
            "text": "Enable SMB multichannel when using a premium file share to host FSLogix profile containers.",
            "description": "SMB Multichannel enables clients to use multiple network connections that provide increased performance while lowering the cost of ownership. Increased performance is achieved through bandwidth aggregation over multiple NICs and utilizing Receive Side Scaling (RSS) support for NICs to distribute the IO load across multiple CPUs.",
            "waf": "Performance",
            "guid": "5784b6ca-5e9e-4bcf-8b54-c95459ea7369",
            "id": "H01.02",
            "severity": "Low",
            "link": "https://learn.microsoft.com/azure/storage/files/storage-files-smb-multichannel-performance"
        },
        {
            "category": "Storage",
            "subcategory": "Azure NetApp Files",
            "text": "If NetApp Files storage is required, check storage service availability in your specific region.",
            "description": "If a second region is required for DR purposes verify NetApp availability in there as well.",
            "waf": "Reliability",
            "guid": "4a359836-ee79-4d6c-9d3a-364a5b7abae3",
            "id": "H02.01",
            "severity": "Medium",
            "link": "https://azure.microsoft.com/global-infrastructure/services/"
        },
        {
            "category": "Storage",
            "subcategory": "Azure NetApp Files",
            "text": "If NetApp Files storage is used enable CA (Continuous Availability) option to increase resiliency",
            "description": "CA option is a recommended setting in the FSLogix scenario, as it enables a more resilient SMB session between the Session Host and NetApp Files.",
            "waf": "Reliability",
            "guid": "a2661898-866a-4c8d-9d1f-8cfc86e88024",
            "id": "H02.02",
            "severity": "Medium",
            "link": "https://learn.microsoft.com/azure/virtual-desktop/create-fslogix-profile-container"
        },
        {
            "category": "Storage",
            "subcategory": "Azure NetApp Files",
            "text": "If Azure NetApp Files storage is used, check Active Directory Site name setting in the Active Directory Connection configuration",
            "description": "An Active Directory Site should be created for the Azure virtual network environment where Azure NetApp Files (ANF) subnet will be created, and that site name should be specified in the ANF connection property when executing the join procedure as explained in the reference article.",
            "waf": "Reliability",
            "guid": "6647e977-db49-48a8-bc35-743f17499d42",
            "id": "H02.03",
            "severity": "High",
            "link": "https://docs.microsoft.com/azure/azure-netapp-files/create-active-directory-connections"
        },
        {
            "category": "Storage",
            "subcategory": "Capacity Planning",
            "text": "Determine which type of managed disk will be used for the Session Hosts",
            "description": "Possible options: Standard HDD, Standard SSD, or Premium SSD. Ephemeral disks are not supported, Ultra-Disks not recommended. Recommended to evaluate Premium for OS disk if user density is not low, and if Cloud Cache will be used. ",
            "waf": "Performance",
            "guid": "3611c818-b0a0-4bc5-80e4-3a18a9cd289c",
            "id": "H03.01",
            "severity": "Medium",
            "link": "https://docs.microsoft.com/azure/virtual-machines/disks-types"
        },
        {
            "category": "Storage",
            "subcategory": "Capacity Planning",
            "text": "Determine which storage backend solution will be used for FSLogix Profiles",
            "description": "Possible options are: Azure NetApp Files, Azure Files, VM based File Server. File-server it is not recommended. Azure Files Premium typically a good starting point. NetApp usually required for large scale / high-performant environment. For a detailed comparison see the article in the 'More Info' column.",
            "waf": "Performance",
            "guid": "ed6b17db-8255-4462-b2ae-e4553afc8339",
            "id": "H03.02",
            "severity": "High",
            "link": "https://docs.microsoft.com/azure/virtual-desktop/store-fslogix-profile"
        },
        {
            "category": "Storage",
            "subcategory": "Capacity Planning",
            "text": "Do not share storage and profiles between different Host Pools",
            "description": "Every Host Pool should use a separate set of storage accounts/volumes (at least one) and shares. Users should have a different profile for each Host Pool since settings and configurations are specific to each Host Pool. Additionally, accessing different Host Pools at the same time can cause errors on the shared user profile VHD/X. Usage of different storage accounts/volumes for multiple shares is also recommended to scale independently.",
            "waf": "Performance",
            "guid": "2fad62bd-5004-453c-ace4-64d862e7f5a4",
            "id": "H03.03",
            "severity": "High",
            "link": "https://learn.microsoft.com/azure/virtual-desktop/store-fslogix-profile"
        },
        {
            "category": "Storage",
            "subcategory": "Capacity Planning",
            "text": "Verify storage scalability limits and Host Pool requirements",
            "description": "As a starting point for estimating profile container storage performance requirements we recommend to assume 10 IOPS per user in the steady state and 50 IOPS per user during sign-in/sign-out. Space requirements is simply obtained based on the maximum profiles size in FSLogix per the total number of users for each Host Pool. Multiple storage accounts can be used for the same Host Pool if required.",
            "waf": "Reliability",
            "guid": "680e7828-9c93-4665-9d02-bff4564b0d93",
            "id": "H03.04",
            "severity": "High",
            "link": "https://learn.microsoft.com/azure/virtual-desktop/faq#what-s-the-largest-profile-size-fslogix-can-handle-"
        },
        {
            "category": "Storage",
            "subcategory": "Capacity Planning",
            "text": "For optimal performance, the storage solution and the FSLogix profile container should be in the same Azure region.",
            "description": "Avoid introducing additional latency and costs associated with cross-region network traffic where possible.",
            "waf": "Performance",
            "guid": "8aad53cc-79e2-4e86-9673-57c549675c5e",
            "id": "H03.05",
            "severity": "High",
            "link": "https://docs.microsoft.com/azure/virtual-desktop/fslogix-containers-azure-files"
        },
        {
            "category": "Storage",
            "subcategory": "FSLogix",
            "text": "Do not use Office Containers (ODFC) if not strictly required and justified",
            "description": "The recommendation in Azure Virtual Desktop is to use Profile Container without Office Container (ODFC) split unless you are planning for specific Business Continuity and Disaster Recovery (BCDR) scenarios as described in the Disaster Recovery section below. https://docs.microsoft.com/fslogix/profile-container-office-container-cncpt ",
            "waf": "Reliability",
            "guid": "df47d2d9-2881-4b1c-b5d1-e54a29759e39",
            "id": "H04.01",
            "severity": "High",
            "link": "https://learn.microsoft.com/fslogix/concepts-container-types#when-to-use-profile-and-odfc-containers"
        },
        {
            "category": "Storage",
            "subcategory": "FSLogix",
            "text": "Configure the recommended antivirus exclusions for FSLogix (includes not scanning VHD(x) files on connect).",
            "description": "Make sure to configure the following antivirus exclusions for FSLogix Profile Container virtual hard drives, as documented in the referenced article in the 'More Info' column.",
            "waf": "Security",
            "guid": "83f63047-22ee-479d-9b5c-3632054b69ba",
            "id": "H04.02",
            "severity": "Medium",
            "link": "https://learn.microsoft.com/fslogix/overview-prerequisites#configure-antivirus-file-and-folder-exclusions"
        },
        {
            "category": "Storage",
            "subcategory": "FSLogix",
            "text": "Review and confirm configured maximum profile size in FSLogix",
            "description": "Profile containers have a default max size of 30GB. If large Profile Containers are anticipated, and customers wants to try to keep them small, consider using OneDrive to host Office 365 files outside the FSLogix profile.",
            "waf": "Cost",
            "guid": "01e6a84d-e5df-443d-8992-481718d5d1e5",
            "id": "H04.03",
            "severity": "High",
            "link": "https://docs.microsoft.com/fslogix/profile-container-configuration-reference"
        },
        {
            "category": "Storage",
            "subcategory": "FSLogix",
            "text": "Review FSLogix registry keys and determine which ones to apply",
            "description": "Defaults and recommended settings are reported in the companion article in the 'More Info' column. If not recommended keys and/or values must be used, be sure to review with a Microsoft AVD expert and clearly document your choices.",
            "waf": "Reliability",
            "guid": "d34aad5e-8c78-4e1d-9666-7313c405674c",
            "id": "H04.04",
            "severity": "High",
            "link": "https://learn.microsoft.com/fslogix/concepts-configuration-examples"
        },
        {
            "category": "Storage",
            "subcategory": "FSLogix",
            "text": "Avoid usage of concurrent or multiple connections",
            "description": "Concurrent or multiple connections are not recommended in Azure Virtual Desktop. Concurrent connections are also not supported by Session Hosts running in an Azure Virtual Desktop Host Pool. OneDrive, if used, doesn't support concurrent or multiple connections using the same container, under any circumstance. For multiple connections, usage of the same profile disk is not recommended.",
            "waf": "Reliability",
            "guid": "5e985b85-9c77-43e7-b261-623b775a917e",
            "id": "H04.05",
            "severity": "High",
            "link": "https://learn.microsoft.com/fslogix/concepts-multi-concurrent-connections"
        },
        {
            "category": "Storage",
            "subcategory": "FSLogix",
            "text": "If FSLogix Cloud Cache is used, consider moving the cache directory to the VM temporary drive.",
            "description": "Cloud Cache uses OS drive as local cache storage and may generate lot of pressure on the VM disk. Depending on the VM SKU and size used, the VM temporary drive can be a viable and performant solution where to relocate Cloud Cache cached content. Before adopting this solution, tests should be executed to confirm performance and stability. More details on Cloud Cache can be found here: https://learn.microsoft.com/fslogix/concepts-fslogix-cloud-cache. ",
            "waf": "Performance",
            "guid": "b2d1215a-e114-4ba3-9df5-85ecdcd9bd3b",
            "id": "H04.06",
            "severity": "Low",
            "link": "https://docs.microsoft.com/fslogix/cloud-cache-configuration-reference"
        },
        {
            "category": "Storage",
            "subcategory": "FSLogix",
            "text": "Review the usage of FSLogix redirection.",
            "description": "REDIRECTION.XML file is used to control what folders are redirected out of the profile container to the 'C:' drive. Exclusions should be the exception and should never be used unless the specific exclusion is completely understood by the person configuring the exclusion. Exclusions should always be fully tested in the environment where they are intended to be implemented. Configuring exclusions may impact functionality, stability and performance.",
            "waf": "Cost",
            "guid": "0b50ca97-b1d2-473c-b4d9-6e98b0f912de",
            "id": "H04.07",
            "severity": "Medium",
            "link": "https://docs.microsoft.com/fslogix/manage-profile-content-cncpt#redirectionsxml"
        }
    ],
    "categories": [
        {
            "name": "Foundation"
        },
        {
            "name": "Identity"
        },
        {
            "name": "Compute"
        },
        {
            "name": "Networking"
        },
        {
            "name": "Storage"
        },
        {
            "name": "Monitoring and Management"
        },
        {
            "name": "Security"
        },
        {
            "name": "Business Continuity and Disaster Recovery"
        }
    ],
    "waf": [
        {
            "name": "Reliability"
        },
        {
            "name": "Security"
        },
        {
            "name": "Cost"
        },
        {
            "name": "Operations"
        },
        {
            "name": "Performance"
        }
    ],
    "yesno": [
        {
            "name": "Yes"
        },
        {
            "name": "No"
        }
    ],
    "status": [
        {
            "name": "Not verified",
            "description": "This check has not been looked at yet"
        },
        {
            "name": "Open",
            "description": "There is an action item associated to this check"
        },
        {
            "name": "Fulfilled",
            "description": "This check has been verified, and there are no further action items associated to it"
        },
        {
            "name": "Not required",
            "description": "Recommendation understood, but not needed by current requirements"
        },
        {
            "name": "N/A",
            "description": "Not applicable for current design"
        }
    ],
    "severities": [
        {
            "name": "High"
        },
        {
            "name": "Medium"
        },
        {
            "name": "Low"
        }
    ],
    "metadata": {
        "name": "Azure Virtual Desktop Review",
        "state": "GA",
        "timestamp": "November 09, 2023"
    }
}