📚 Complete Azure Virtual Desktop (AZ-140) Exam Study Guide

Based on Microsoft’s official documentation and best practices, this guide covers all exam objectives with detailed technical information.

🌐 PLAN AND IMPLEMENT AN AZURE VIRTUAL DESKTOP INFRASTRUCTURE (40–45%)

1. Plan, Implement, and Manage Networking for Azure Virtual Desktop

Network Capacity and Speed Requirements

Factor	Requirement
Bandwidth per user	150-200 Kbps for basic desktop, 1-2 Mbps for rich multimedia
Latency	< 150ms round-trip for optimal experience
Packet loss	< 1%
Jitter	< 30ms

Bandwidth Considerations:

RDP uses adaptive bandwidth management
Quality adjusts dynamically based on available bandwidth
Higher bandwidth improves responsiveness and visual quality

Network Configuration Design

Network Topology Options:

Hub-and-spoke topology – Centralized network management
Virtual WAN – Simplified large-scale connectivity
Peered virtual networks – Direct VNet-to-VNet connectivity

Connectivity Requirements:

Session hosts need outbound internet access for Azure Virtual Desktop service
Required URLs must be accessible (see required URL list)
NSGs must allow specific ports for RDP Shortpath

2. Plan and Implement RDP Shortpath and QoS Policies

RDP Shortpath Overview

RDP Shortpath establishes a direct UDP connection between client and session host, bypassing the Azure Virtual Desktop gateway for data transport .

Two Modes:

Mode	Description	Use Case
Managed Networks	Direct connectivity via ExpressRoute, VPN, or private peering	Corporate networks with private connectivity
Public Networks	Uses STUN/TURN servers for NAT traversal	Internet-connected clients

Benefits:

Reduced latency (direct connection)
Improved reliability
Higher bandwidth efficiency
Better performance for video/audio

Configure RDP Shortpath

Prerequisites:

Windows App or Remote Desktop client v1.2.3488+
For managed networks: Direct connectivity on port 3390
For public networks: Outbound UDP to internet/STUN/TURN servers

Configuration Steps:

Azure portal → Host pool → RDP Shortpath tab
Enable RDP Shortpath for managed networks or public networks
Configure firewall rules to allow UDP 3390 (managed) or STUN/TURN ports (public)

Implement QoS for RDP Shortpath

Group Policy Configuration:

Computer Configuration → Policies → Windows Settings → 
Policy-based QoS → New Policy

DSCP Markings:

Traffic Type	DSCP Value	Priority
RDP Audio	EF (46)	Highest
RDP Video	AF41 (34)	High
RDP Input	AF21 (18)	Medium
RDP Default	AF11 (10)	Low

Port Ranges:

TCP: 443 (gateway connection)
UDP: 3390 (RDP Shortpath default)

3. Plan and Implement Azure Private Link for Azure Virtual Desktop

Private Link Architecture

Azure Virtual Desktop has three workflows requiring private endpoints :

Workflow	Resource Type	Sub-resource	Quantity
Initial Feed Discovery	Workspace	`global`	One per entire AVD deployment
Feed Download	Workspace	`feed`	One per workspace
Connections to Host Pools	Host Pool	`connection`	One per host pool

Supported Scenarios:

Full Private – All workflows use private routes (most secure)
Partial Private – Feed download + connections private, discovery public
Connections Only – Only host pool connections use private routes
Public – No Private Link (default)

UDP with Private Link (Important Change)

⚠️ Critical Update: Starting February 1, 2026, RDP Shortpath over Private Link requires explicit opt-in .

Configuration Steps:

Host pool → Networking → Public access
Select “Enable public access for end users, use private access for session hosts” OR “Disable public access and use private access”
Check “Allow Direct UDP network path over Private Link”
Disable RDP Shortpath for public networks (STUN/TURN) – portal enforces this

DNS Configuration:

privatelink-global.wvd.microsoft.com (for global sub-resource)
privatelink.wvd.microsoft.com (for feed and connection sub-resources)

4. Monitor and Troubleshoot Network Connectivity

User Connection Quality Data

Key Metrics:

Round-trip time (RTT)
Available bandwidth
Frame rate
Retry rate
Transport protocol (TCP vs UDP)

Collection Methods:

Azure Monitor Logs
Azure Virtual Desktop Insights workbooks
Log Analytics queries

Sample KQL Query:

WVDConnections
| where TimeGenerated > ago(24h)
| project UserName, SessionHostName, ConnectionType, 
          RoundTripTimeMs, AvailableBandwidthMbps

5. Plan and Implement Storage for Azure Virtual Desktop User Data

FSLogix Profile Container Overview

FSLogix provides profile containerization that:

Stores complete user profile in VHDX/VHD container
Mounts at logon, unmounts at logoff
Supports concurrent access (with proper configuration)
Enables roaming profiles across session hosts

Components:

Component	Purpose
Profile Container	Stores entire user profile
Office Container (ODFC)	Stores Office 365 data separately
Cloud Cache	Provides high availability and DR

Storage Options for FSLogix Profile Containers

Storage Solution	Best For	Performance	Cost
Azure Files (Premium)	Small-medium deployments, simple management	Good	Medium
Azure NetApp Files	Large enterprises, high performance	Excellent	Higher
Azure Files (Standard)	Dev/test, cost-sensitive	Basic	Low
Storage Spaces Direct	On-premises or hybrid	Good	Variable

Azure Files Configuration

With Microsoft Entra ID:

Native Entra ID authentication
No domain join required for session hosts
SMB 3.1.1 with encryption

With Active Directory:

AD DS or Microsoft Entra Domain Services
Domain-joined session hosts
Traditional NTFS permissions

Key Requirements:

Storage account must be in same region as session hosts
SMB permissions must match FSLogix requirements
Configure proper NTFS and share permissions

Azure NetApp Files Configuration

Benefits:

Sub-millisecond latency
Up to 450K IOPS per volume
Automatic snapshots and replication
Cross-region replication for DR

Configuration:

Create NetApp account in same region
Configure capacity pool (Standard/Premium/Ultra)
Create volume with SMB protocol
Join to Active Directory

6. Plan Host Pools and Session Hosts

Resource Organization

Recommended Hierarchy:

Management Group
├── Subscription (Production)
│   ├── Resource Group (AVD-Networking)
│   ├── Resource Group (AVD-HostPools)
│   └── Resource Group (AVD-Storage)
└── Subscription (DR)
    └── ...

Best Practices:

Separate resource groups by function
Use consistent naming conventions
Tag resources for cost tracking

Operating System Selection

OS	Use Case	Licensing
Windows 11 Enterprise multi-session	Pooled desktops, best user experience	Microsoft 365 E3/E5, Windows E3/E5
Windows 10 Enterprise multi-session	Legacy compatibility	Microsoft 365 E3/E5, Windows E3/E5
Windows Server 2022	Application hosting, RDS	RDS CALs
Windows Server 2019	Legacy applications	RDS CALs

Virtual Machine Sizing Guidelines

Single-Session (Personal Desktops):

Workload	vCPU	RAM	Storage	Example VMs
Light	2	8 GB	32 GB	D2s_v5, D2s_v4
Medium	4	16 GB	32 GB	D4s_v5, D4s_v4
Heavy	8	32 GB	32 GB	D8s_v5, D8s_v4

Multi-Session (Pooled Host Pools):

Workload	Users per vCPU	Min VM Size	Max Sessions
Light	3-4	4 vCPUs, 16 GB	12-16
Medium	2-3	8 vCPUs, 32 GB	16-24
Heavy	1-2	16 vCPUs, 64 GB	16-32

Key Sizing Factors:

User workload type (office, dev, design)
Application requirements
Concurrent user count
Peak vs average usage

7. Implement Host Pools and Session Hosts

Host Pool Types

Type	Description	Use Case
Pooled	Multi-session, users assigned to any available host	Shared desktops, cost optimization
Personal	Single-session, dedicated assignment	Persistent desktops, power users

Load Balancing Algorithms

Pooled Host Pools:

Breadth-first: Distributes users evenly across all session hosts (best for performance)
Depth-first: Fills each session host to max before moving to next (best for density)

Personal Host Pools:

Automatic assignment (first available)
Direct assignment (specific user to specific host)

Deployment Methods

Azure Portal:

Guided setup wizard
Best for initial deployment
Limited automation

PowerShell/CLI:

New-AzWvdHostPool
New-AzWvdSessionHost
Automation and repeatability

ARM Templates/Bicep:

Infrastructure as Code
Version control
Consistent deployments

Azure VM Image Builder:

Automated image creation
Customization pipelines
Integration with Azure Compute Gallery

8. Create and Manage Session Host Images

Image Creation Methods

Method	Use Case	Process
Manual	One-off customizations	Create VM, customize, capture
Azure VM Image Builder	Automated, repeatable	JSON templates, customization scripts
Hyper-V	On-premises preparation	Create VHD, upload to Azure
Azure Compute Gallery	Image distribution	Store, version, replicate images

Image Best Practices

Office Installation:

Use Office Deployment Tool (ODT)
Exclude OneDrive from base image (use per-machine install)
Enable Shared Computer Activation
Install latest updates before capture

Optimization:

Run Windows Update
Remove unnecessary apps
Configure FSLogix before capture
Set power settings to High Performance

Image Lifecycle Management

Azure Compute Gallery:

Store golden images
Version management
Regional replication
RBAC control

Update Strategy:

Create new image version with updates
Test in validation host pool
Deploy to production host pools
Gradual rollout using rolling updates

🔐 PLAN AND IMPLEMENT IDENTITY AND SECURITY (15–20%)

9. Plan and Implement Identity Integration

Identity Scenarios

Scenario	Description	Requirements
Microsoft Entra ID	Cloud-only identities	Entra ID P1/P2, Entra joined VMs
AD DS + Microsoft Entra Connect	Hybrid identity	Domain controllers, sync, hybrid joined VMs
Microsoft Entra Domain Services	Managed domain	Entra DS deployment, custom domain

Important: Azure Virtual Desktop does not support standalone AD DS without Microsoft Entra ID sync .

Single Sign-On (SSO) Configuration

Microsoft Entra ID SSO:

Requires Entra joined or hybrid joined session hosts
Windows 10/11 Enterprise multi-session with Oct 2022+ updates
Microsoft Graph PowerShell SDK v2.9.0+
Configure Windows Cloud Login app in Conditional Access

AD FS SSO:

For federated identity scenarios
Configure relying party trust
Certificate-based authentication support

10. Plan and Implement Azure RBAC for Azure Virtual Desktop

Built-in Roles

Role	Purpose	Scope
Desktop Virtualization Contributor	Manage all AVD resources	Resource group/Subscription
Desktop Virtualization Reader	Read-only access	Resource group/Subscription
Desktop Virtualization Host Pool Contributor	Manage host pools	Host pool
Desktop Virtualization Power On Off Contributor	Start/stop VMs (autoscale)	Subscription
Desktop Virtualization Session Host Operator	Manage session hosts	Host pool
Desktop Virtualization User	Connect to desktops/apps	Application group

Service Principal Role Assignments

Required for Azure Virtual Desktop service:

Azure Virtual Desktop (app ID: 9cdead84-a844-4324-93f2-b2e6bb768d07)
Azure Virtual Desktop ARM Provider (app ID: 50e95039-b200-4007-bc97-8d5790743a63)

11. Plan and Implement Conditional Access

Conditional Access for AVD

Target Applications:

Azure Virtual Desktop (App ID: 9cdead84-a844-4324-93f2-b2e6bb768d07) – Service authentication
Microsoft Remote Desktop (App ID: a4a365df-50f1-4397-bc59-1a1564b8bb9c) – Session host SSO
Windows Cloud Login (App ID: 270efc09-cd0d-444b-a71f-39af4910ec45) – Session host authentication

Important: Do NOT apply MFA to “Azure Virtual Desktop Azure Resource Manager Provider” – it’s only for feed retrieval .

Authentication Options

Method	Configuration	Use Case
Passwordless	Windows Hello, FIDO2 keys	High security, modern devices
Smart Card	Certificate-based auth	Government, high-security orgs
MFA	Microsoft Authenticator	Standard security requirement

12. Plan and Implement Security

Microsoft Defender for Cloud

Security Recommendations:

Enable Defender for Cloud on subscription
Review secure score
Implement recommendations for session hosts
Enable threat protection

Microsoft Defender Antivirus

VDI-Specific Configuration:

# Disable real-time protection on session hosts (if using alternative)
# Or configure exclusions for FSLogix
Set-MpPreference -ExclusionPath "C:\Program Files\FSLogix"
Set-MpPreference -ExclusionProcess "frxsvc.exe", "frxccd.exe"

Microsoft Defender for Endpoint

Onboarding:

Download onboarding package from Defender portal
Deploy to session hosts via GPO/Intune
Verify sensor status
Configure scanning options

Network Security

NSG Rules:

Priority	Direction	Port	Protocol	Source	Destination	Action
100	Inbound	3389	TCP	VirtualNetwork	Any	Deny (use RDP Shortpath)
110	Inbound	443	TCP	Internet	Any	Allow
120	Inbound	3390	UDP	VirtualNetwork	Any	Allow (RDP Shortpath)

Azure Firewall:

Deploy in hub VNet
Configure UDRs to route traffic through Firewall
Enable threat intelligence

Azure Bastion:

Deploy in separate subnet (AzureBastionSubnet)
Use for secure admin access
Enable native client support

Just-in-Time (JIT) Access:

Enable via Defender for Cloud
Request access for limited time
Audit all administrative connections

👥 PLAN AND IMPLEMENT USER ENVIRONMENTS AND APPS (20–25%)

13. Plan and Implement FSLogix

FSLogix Configuration

Registry Settings (HKLM\SOFTWARE\FSLogix\Profiles):

Setting	Type	Value	Description
Enabled	DWORD	1	Enable FSLogix
VHDLocations	REG_SZ	`\\server\share`	Profile storage path
CCDLocations	MULTI_SZ	Multiple paths	Cloud Cache locations
ProfileType	DWORD	0	Normal (single connection)
SizeInMBs	DWORD	30000	Max profile size
VolumeType	REG_SZ	VHDX	Container format
FlipFlopProfileDirectoryName	DWORD	1	Username first in path
DeleteLocalProfileWhenVHDShouldApply	DWORD	1	Clean up local profiles

Cloud Cache Configuration

Purpose: High availability and disaster recovery for profiles

Configuration:

CCDLocations = type=smb,name="Primary",connectionString=\\server1\share;
               type=azure,name="Azure",connectionString="|fslogix/key"

Key Settings:

ClearCacheOnLogoff = 1 (save disk space)
HealthyProvidersRequiredForRegister = 1 (require at least one healthy provider)
LockedRetryCount = 3
LockedRetryInterval = 15

Office Container (ODFC)

Separates Office 365 data from profile container:

Outlook OST/PST
OneDrive cache
Teams cache
Search index

Configuration:

Registry path: HKLM\SOFTWARE\Policies\FSLogix\ODFC
Use VHDLocations or CCDLocations (not both with Profile Container)

Application Masking

Rule Sets:

Control which applications users can see
Based on AD groups, user attributes
Create with FSLogix Rule Editor

14. Plan and Implement User Experience and Client Settings

Client Selection

Client	Platforms	Features
Windows App	Windows, macOS, iOS, Android, Web	Latest features, recommended
Remote Desktop client	Windows, macOS, iOS, Android	Legacy, stable

Device Redirection

Configuration:

Clipboard: Enable/disable
Drives: Map local drives
Printers: Redirect local printers
Smart cards: Enable authentication
USB devices: Selective redirection

Multimedia Redirection

Benefits:

Redirect video playback to local device
Reduce server CPU/GPU load
Improve video quality

Requirements:

Windows App or supported client
Specific browser extensions for web content

Universal Print

Configuration:

Azure AD printer registration
No print drivers on session hosts
Cloud-based print management

RDP Properties

Host Pool Settings:

audiocapturemode:i:1          # Enable audio recording
audiomode:i:0                 # Play on local computer
redirectclipboard:i:1         # Enable clipboard
redirectprinters:i:1          # Enable printer redirection
redirectsmartcards:i:1        # Enable smart card redirection
use multimon:i:1              # Enable multiple monitors
screen mode id:i:2            # Full screen
smart sizing:i:1              # Enable smart sizing
dynamic resolution:i:1        # Enable dynamic resolution

Session Timeout Properties

Setting	Description	Recommended
Max session limit	Users per session host	Based on workload
Disconnect timeout	Time before disconnecting idle sessions	4-8 hours
Logoff timeout	Time before logging off disconnected sessions	24 hours

15. Implement Start VM on Connect

Purpose: Reduce costs by starting VMs only when needed

Prerequisites:

Existing host pool with application group and workspace
Desktop Virtualization Power On Contributor role assigned to AVD service principal at subscription level
Host pool, session hosts, and resource group names use only ANSI characters

Configuration:

Host pool → Properties
Set Start VM on connect = Yes
Save

Behavior:

Personal pools: Starts assigned VM or assigns available VM
Pooled pools: Starts VM only when none available, max one every 5 minutes

16. Install and Configure Apps on Session Host

App Attach (MSIX App Attach)

Benefits :

Dynamic application delivery
No local installation
Reduced image management
Application isolation
Multiple versions support

Supported Formats:

MSIX/MSIX bundle
Appx/Appx bundle
App-V

Process:

Create MSIX image using MSIXMGR tool

   msixmgr.exe -Unpack -packagePath "app.msix" -destination "app.cim" -applyACLs -create -fileType cim -rootDirectory apps

Store on SMB file share accessible by session hosts
Add to Azure Virtual Desktop via App Attach blade
Assign to host pools and users
Publish via RemoteApp (optional)

Registration Types:

On-demand: Staged when user launches
Register at logon: Staged during logon

17. Implement Microsoft 365 Apps

Installation Methods

Per-machine install:

Use Office Deployment Tool (ODT)
Shared Computer Activation enabled
Exclude OneDrive (install separately)

ODT Configuration:

<Configuration>
  <Add OfficeClientEdition="64" Channel="MonthlyEnterprise">
    <Product ID="O365ProPlusRetail">
      <Language ID="en-us" />
      <ExcludeApp ID="OneDrive" />
    </Product>
  </Add>
  <Property Name="SharedComputerLicensing" Value="1" />
</Configuration>

OneDrive Implementation

Multi-session Considerations:

Use per-machine installation
Configure silent account config
Exclude from FSLogix profile (use ODFC instead)

Registry Settings:

HKLM\SOFTWARE\Microsoft\OneDrive
    "AllUsersInstall" = 1

Microsoft Teams Optimization

Architecture:

New Teams: Uses SlimCore + WebRTC Redirector Service
Classic Teams: Uses WebRTC Redirector Service

Installation:

Install WebRTC Redirector Service on session hosts
Install Teams (per-machine or per-user)
Verify optimization in Teams settings (“Azure Virtual Desktop Media Optimized”)

Benefits:

Media offloaded to local device
Reduced server CPU/GPU usage
Better audio/video quality

📊 MONITOR AND MAINTAIN AZURE VIRTUAL DESKTOP INFRASTRUCTURE (10–15%)

18. Monitor and Manage Azure Virtual Desktop Services

Log Analytics Configuration

Diagnostic Settings:

Host pool → Diagnostic settings
Send to Log Analytics workspace
Select categories:

Checkpoint
Error
Management
Connection
HostRegistration
AgentHealthStatus

Azure Virtual Desktop Insights

Capabilities:

Pre-built workbooks
Connection diagnostics
Performance metrics
User experience scores

Configuration Workbook:

Set up Log Analytics workspace
Configure performance counters
Enable Windows Event Logs

Key Metrics to Monitor

Metric	Threshold	Action
Connection Success Rate	> 95%	Investigate failures
Average Session Duration	Baseline	Identify anomalies
Session Host CPU	> 80%	Scale up or add hosts
Session Host Memory	> 85%	Scale up or add hosts
FSLogix Load Times	< 30 seconds	Optimize storage
RDP Round-Trip Time	< 150ms	Check network

19. Optimize Session Host Capacity and Performance

Autoscaling Scaling Plans

Two Scaling Methods :

Method	Description	Use Case
Power Management	Start/stop existing VMs	Standard host pools
Dynamic (Preview)	Create/delete VMs automatically	Session host configuration pools

Scaling Plan Phases:

Phase	Description	Configuration
Ramp-up	Morning, increasing users	Breadth-first, pre-warm capacity
Peak	Maximum usage	Load balancing, capacity threshold
Ramp-down	Evening, decreasing users	Depth-first, force logoff options
Off-peak	Minimal usage	Minimum hosts, cost optimization

Key Parameters:

Capacity threshold: % of capacity that triggers scaling (default 75%)
Minimum percentage of hosts: Always-on capacity
Load balancing algorithm: Breadth-first (performance) or depth-first (density)

RBAC Requirements:

Desktop Virtualization Power On Off Contributor (subscription level)
Desktop Virtualization Virtual Machine Contributor (for dynamic scaling)

20. Plan and Implement Updates, Backups, and Disaster Recovery

Update Strategy

Session Host Updates:

Maintenance windows: Scheduled downtime
Rolling updates: Update subset of hosts at a time
Drain mode: Prevent new connections during update
Image updates: Deploy new image to new hosts, migrate users

Options:

Manual updates: Patch existing VMs
Automated updates: Azure Update Manager
Image replacement: Golden image approach

Disaster Recovery

Multi-Region BCDR :

Component	DR Strategy
Host Pools	Deploy in secondary region
Session Hosts	Pre-stage powered off OR provision on-demand
Images	Replicate to secondary region Azure Compute Gallery
FSLogix Profiles	Azure NetApp Files cross-region replication
User Assignments	Document and automate recreation

Azure Site Recovery:

Replicate session hosts to secondary region
Orchestrate failover
Update DNS/Private Link configurations

Backup Strategy

Components to Backup:

Component	Backup Method	Frequency
FSLogix Profiles	Azure Backup for Azure Files/ANF	Daily
Personal VMs	Azure VM Backup	Daily
Golden Images	Azure Compute Gallery replication	Per update
Configuration	ARM templates, scripts	Version control

📋 Quick Reference: Key Exam Points

Must-Know Facts

Private Link: Only one global sub-resource endpoint per entire AVD deployment
RDP Shortpath: Requires UDP, managed networks need port 3390 open
FSLogix: Storage must be in same region as session hosts
Autoscale: Requires RBAC at subscription level, not resource group
Conditional Access: Three app IDs to configure (AVD, Remote Desktop, Windows Cloud Login)
Start VM on Connect: Requires Desktop Virtualization Power On Contributor role
Teams Optimization: Uses WebRTC Redirector Service or SlimCore (New Teams)
App Attach: Supports MSIX, Appx, App-V; uses CIM format for best performance

Port Summary

Port	Protocol	Purpose
443	TCP	HTTPS, gateway connection
3390	UDP	RDP Shortpath (managed networks)
3478	UDP	STUN (RDP Shortpath public)
49152-65535	UDP	TURN (RDP Shortpath public)

Licensing Requirements

Feature	License Required
Azure Virtual Desktop	Microsoft 365 E3/E5, Windows E3/E5, or RDS CALs
FSLogix	Included with AVD
Microsoft 365 Apps	Microsoft 365 E3/E5
Premium Storage	Separate Azure cost

This comprehensive guide covers all exam objectives with detailed technical information, configuration steps, and best practices based on official Microsoft documentation. Good luck with your exam preparation!

X Facebook LinkedIn Copy Email Pinterest Reddit Telegram ChatGPT SMS