User Experience and Session Settings
AVD session experience is shaped by device redirection, multimedia optimisation, printing configuration, and session timeout policies. Learn how to fine-tune user experience through RDP properties, Intune policies, and Group Policy β balancing usability with security.
Device redirection β what goes where
Think of redirection as building bridges between your physical device and your cloud desktop.
Your cloud desktop runs in Azure, but your keyboard, mouse, webcam, USB drive, and printer are physically at your desk. Redirection builds invisible bridges so your cloud desktop can use your local devices. Clipboard redirection lets you copy text from your local PC and paste it in the cloud desktop. Camera redirection lets your cloud desktop use the webcam plugged into your laptop.
Admins decide which bridges to build. Tight security means fewer bridges.
RDP properties on host pools
RDP properties are configured on the host pool in the Azure portal under Properties, or via PowerShell/CLI. They apply to all sessions in that host pool.
Key RDP properties
| RDP Property | Values | What It Controls |
|---|---|---|
redirectclipboard | 0 (off) or 1 (on) | Copy/paste between local and remote |
drivestoredirect | * (all), none, or specific drives | Local drive mapping in session |
camerastoredirect | * (all) or none | Webcam access in session |
audiocapturemode | 0 (off) or 1 (on) | Microphone capture from local device |
audiomode | 0 (play locally) or 1 (play remotely) | Where audio plays |
devicestoredirect | * (all) or none | USB and PnP device redirection |
usbdevicestoredirect | specific VID:PID or none | Specific USB device redirection |
redirectprinters | 0 (off) or 1 (on) | Local printer access in session |
redirectcomports | 0 (off) or 1 (on) | Serial/COM port redirection |
redirectsmartcards | 0 (off) or 1 (on) | Smart card reader redirection |
redirectlocation | 0 (off) or 1 (on) | GPS/location data redirection |
ποΈ JCβs lockdown at Federal: βDirector Walshβs mandate: no clipboard, no drives, no USB. If data is classified, it stays in the session. We only allow smart card redirection for PIV authentication and audio for Teams calls. The RDP properties took 5 minutes to configure on the host pool.β
Security vs usability spectrum
| Security Level | Clipboard | Drives | USB | Camera | Microphone | Printer |
|---|---|---|---|---|---|---|
| Open (productivity focus) | Yes | All | All | Yes | Yes | Yes |
| Balanced (most enterprises) | Yes | None | None | Yes | Yes | Yes |
| Restricted (regulated) | No | None | None | No | Yes | No |
| Locked down (government/finance) | No | None | None | No | No | No |
Exam tip: RDP properties override hierarchy
RDP properties set on the host pool in Azure are the primary control. However, Group Policy on session hosts can further restrict (but not expand) what is allowed. If the host pool allows clipboard and a GPO disables it, clipboard is disabled. The most restrictive setting wins.
The exam tests this β if a question shows both host pool RDP properties and GPO settings, apply the most restrictive of the two.
Multimedia redirection (MMR)
Multimedia redirection offloads video rendering from the session host to the client device. Without MMR, video streams are decoded on the session host, re-encoded as RDP graphics, and sent to the client β consuming significant CPU and bandwidth.
How MMR works
- User plays a video in a supported browser (Edge or Chrome) on the session host
- The MMR extension detects the video stream
- Instead of rendering on the session host, the raw video stream is sent directly to the client
- The client device decodes and renders the video locally
- Result: smooth video playback, lower session host CPU, reduced bandwidth
MMR requirements
- Client: Windows App or Remote Desktop client
- Session host: MMR host component installed, Edge or Chrome browser
- Supported sites: YouTube, Vimeo, and other streaming sites (uses a browser extension)
π Priyaβs creative team: βBenβs team reviews video dailies in the browser. Without MMR, playback was choppy and buffered constantly β the session host was maxing out CPU trying to decode 4K video. After enabling multimedia redirection, the video renders on their MacBook Pro GPUs instead. Buttery smooth.β
Printing in AVD
Printing options
| Method | How It Works | Pros | Cons |
|---|---|---|---|
| Local printer redirection | Redirects clientβs local printers into the session | Simple, no config needed | Requires drivers on session host |
| Universal Print | Cloud-based print service, no drivers needed | No drivers, cloud-managed | Requires Universal Print licence |
| Direct network printing | Session host prints to network printers directly | Standard enterprise printing | Requires network connectivity |
Universal Print β the modern approach
Universal Print eliminates printer drivers on session hosts:
- Printers are registered with the Universal Print cloud service
- Users discover printers through Entra ID β no driver installation needed
- Print jobs go from session host to Universal Print service to the printer
- Admins manage printers centrally in the Microsoft 365 admin centre
π§ Miaβs printing fix: βPrinter drivers were our second biggest headache after profiles. Every clinic had different printers, different drivers, constant conflicts. Universal Print removed all of that β zero drivers on session hosts. Tom can print his patient handoffs from any clinic without a single support ticket.β
Managing user settings β Intune vs Group Policy
| Aspect | Microsoft Intune | Group Policy (GPO) |
|---|---|---|
| Identity requirement | Entra ID joined or hybrid joined | AD DS joined (or hybrid) |
| Management scope | User and device policies | Computer and user policies |
| AVD-specific templates | Settings catalogue with AVD policies | Administrative templates (ADMX) |
| Delivery method | Cloud-based, internet required | Domain controller, on-premises |
| Update frequency | Near real-time (policy sync) | Default: every 90 minutes + 30 min random |
| Reporting | Intune compliance dashboard | RSOP, gpresult |
| Best for | Cloud-native or hybrid Entra joined hosts | Traditional AD-joined session hosts |
| Session timeout control | Via Settings Catalogue or configuration profiles | Via GPO: Session Time Limits |
| Start menu / taskbar | Configuration profiles | GPO preferences or ADMX templates |
What you can configure
| Setting Category | Examples |
|---|---|
| Session timeouts | Disconnect after X minutes idle, logoff disconnected sessions after Y hours |
| Start menu and taskbar | Pin specific apps, hide Power button, restrict Settings access |
| Desktop experience | Wallpaper, lock screen, theme restrictions |
| Application restrictions | AppLocker policies, WDAC policies |
| OneDrive | Silent sign-in, Known Folder Move, Files On-Demand |
| Windows Update | Update rings, maintenance windows, feature update deferrals |
Session timeout properties
Session timeouts control what happens when users are idle or disconnected:
| Timeout Setting | What It Does | Where to Configure |
|---|---|---|
| Idle session limit | Disconnects session after X minutes of no input | GPO or Intune |
| Disconnected session limit | Logs off disconnected sessions after X time | GPO or Intune |
| Active session limit | Disconnects active sessions after X time (rarely used) | GPO or Intune |
| Reconnection policy | Allow reconnect from same client only or any client | Host pool RDP properties |
Timeout strategy by workload
| Workload | Idle Timeout | Disconnected Timeout | Why |
|---|---|---|---|
| Task workers (call centre) | 15 minutes | 1 hour | Free up resources quickly |
| Knowledge workers | 30-60 minutes | 4 hours | Balance resources with user flow |
| Healthcare (clinical) | 10 minutes | 2 hours | HIPAA compliance, shared workstations |
| Developers | 120 minutes or never | 8 hours | Long-running builds, deep focus |
π§ Miaβs timeout tuning: βOur first timeout policy was 30 minutes idle. Nurses were furious β theyβd step away to attend a patient for 20 minutes and lose their session. We changed to 10-minute disconnect (keeps session alive but frees the connection) with 2-hour logoff for disconnected sessions. Nurses reconnect instantly when they return.β
Deep dive: Disconnect vs logoff
Understanding the difference is critical for the exam:
- Disconnect: The userβs session stays running on the session host (apps open, profile mounted), but the RDP connection is dropped. The user can reconnect and pick up exactly where they left off. Resources are still consumed on the session host.
- Logoff: The session is fully terminated. Apps close, profile is saved and unmounted, VM resources are freed. The user starts a fresh session next time.
The exam often tests scenarios where you need to choose between these. Disconnect is user-friendly (fast reconnect) but uses resources. Logoff frees resources but the user loses their open work.
JC needs to prevent data exfiltration from classified desktops. Users must be able to use Teams for voice calls and smart cards for authentication. Which RDP properties should he configure?
Priya's creative team watches video dailies in the browser during their AVD sessions. Playback is choppy and session host CPU spikes to 90%. What should Priya enable?
Mia sets a 10-minute idle timeout that disconnects sessions. After disconnection, sessions are logged off after 2 hours. A nurse steps away for 15 minutes, then returns. What happens?
π¬ Video coming soon
User Experience and Session Settings
Next up: Application Groups and RemoteApp β learn the difference between desktop and RemoteApp application groups, and how to publish individual applications to users.