
In enterprise Azure Virtual Desktop (AVD) deployments, standard marketplace images are often insufficient to meet organizational requirements for security, compliance, application consistency, and operational efficiency. Creating custom session host images enables administrators to deploy standardized virtual desktops that include preconfigured operating system settings, corporate applications, security baselines, and optimizations, significantly reducing deployment time while ensuring a consistent user experience.
Azure Image Builder provides a fully managed service for automating the creation, customization, validation, and distribution of virtual machine images. By integrating Azure Image Builder with Azure Compute Gallery, organizations can build reusable golden images that simplify the lifecycle management of Azure Virtual Desktop session hosts, improve deployment scalability, and reduce administrative overhead.
In this lab, you will learn how to create a customized Azure Virtual Desktop session host image using Azure Image Builder Templates. You will configure the required Azure resources, assign the appropriate permissions, create and customize an image template, build a production-ready image, and finally deploy Azure Virtual Desktop session hosts based on the newly created custom image.
By the end of this exercise, you will understand how to automate image creation and implement a repeatable image management process that aligns with Azure best practices for enterprise virtual desktop environments.
Also, see Azure Virtual Desktop: Autoscaling Implementing and Monitoring Session Hosts [Part 05], and how to implement Azure Private Link for Azure Virtual Desktop [Part 06].
Guide Objectives
After completing this lab, you will be able to:
- Register the required Azure resource providers.
- Create a User-Assigned Managed Identity for Azure Image Builder.
- Configure a custom Azure RBAC role with the required permissions.
- Assign permissions to the resources involved in image provisioning.
- Create an Azure Compute Gallery and define a custom image definition.
- Build an Azure Image Builder template.
- Generate a customized Azure Virtual Desktop session host image.
- Deploy Azure Virtual Desktop session hosts using the custom image.
This guide demonstrates a practical and scalable approach to managing Azure Virtual Desktop images, helping administrators automate deployments, maintain image consistency, and streamline future updates across their virtual desktop infrastructure.
Before creating a custom Azure Virtual Desktop image template, several prerequisites must be completed. These include registering the required Azure resource providers, creating a User-Assigned Managed Identity, assigning the necessary permissions through a custom Azure RBAC role, and, if the image will be distributed using Azure Compute Gallery, creating both the gallery and an image definition.
These components provide the required identity, access control, and image repository needed for Azure Image Builder to successfully create and distribute custom session host images.
- Provision a User-Assigned Managed Identity
Search for Managed Identities, open the service, and select Create to begin provisioning a new User-Assigned Managed Identity.

| Setting | Value |
|---|---|
| Subscription | XXX-XX-XXX |
| Resource group | XXX-XX-RG |
| Region | East US |
| Name | XXXXX-XXXX-uami |


Complete the required settings and then select “Review + create”.
- Create a custom role in Azure Role-Based Access Control (RBAC)
Start a PowerShell session in Azure Cloud Shell from the Azure portal, then retrieve the subscription ID using Get-AzSubscription and store it in the $subscriptionId variable. Next, create the custom role definition including the assignable scope and save it in the $jsonContent variable, replacing the placeholder with the previously identified value.
```powershell
# Assumes the signed-in account sees a single subscription; otherwise select the target one explicitly.
$subscriptionId = (Get-AzSubscription).Id

# Custom role definition. The expandable here-string substitutes $subscriptionId in AssignableScopes.
# The opening @" must end its line and the closing "@ must start its line.
$jsonContent = @"
{
  "Name": "Desktop Virtualization Image Creator (******************************)",
  "IsCustom": true,
  "Description": "Create custom image templates for Azure Virtual Desktop images.",
  "Permissions": [
    {
      "Actions": [
        "Microsoft.Compute/galleries/read",
        "Microsoft.Compute/galleries/images/read",
        "Microsoft.Compute/galleries/images/versions/read",
        "Microsoft.Compute/galleries/images/versions/write",
        "Microsoft.Compute/images/write",
        "Microsoft.Compute/images/read",
        "Microsoft.Compute/images/delete"
      ],
      "NotActions": [],
      "DataActions": [],
      "NotDataActions": []
    }
  ],
  "AssignableScopes": [
    "/subscriptions/$subscriptionId",
    "/subscriptions/$subscriptionId/resourceGroups/XXXX-XXX-RG"
  ]
}
"@
```
Save the content of the $jsonContent variable to a file named CustomRole.json, then run the command to create the custom role from that file.
```powershell
# Write the role definition to disk, then create the custom role from that file.
$jsonContent | Out-File -FilePath 'CustomRole.json'
New-AzRoleDefinition -InputFile ./CustomRole.json
```
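Before running New-AzRoleDefinition, it is worth linting the role file for anything broader than the image and gallery actions this lab needs. The following is an added example, not part of the original guide: the function name `Test-ImageBuilderRole`, the sample JSON, the all-zero subscription ID and the `Microsoft.Compute/*` entry are constructed for illustration.

```powershell
# Constructed sample shaped like CustomRole.json, with one deliberately broad action.
$sample = @'
{
  "Name": "Desktop Virtualization Image Creator (sample)",
  "IsCustom": true,
  "Permissions": [ { "Actions": [
      "Microsoft.Compute/galleries/read",
      "Microsoft.Compute/galleries/images/versions/write",
      "Microsoft.Compute/images/write",
      "Microsoft.Compute/*"
  ], "NotActions": [], "DataActions": [], "NotDataActions": [] } ],
  "AssignableScopes": [
    "/subscriptions/00000000-0000-0000-0000-000000000000",
    "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/sample-RG"
  ]
}
'@

function Test-ImageBuilderRole {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Json)
    $role = $Json | ConvertFrom-Json
    $findings = [System.Collections.Generic.List[string]]::new()
    # Prefixes covering the gallery and managed-image actions listed in this guide.
    $allowed = 'Microsoft.Compute/galleries/', 'Microsoft.Compute/images/'
    $cmp = [System.StringComparison]::OrdinalIgnoreCase
    foreach ($p in $role.Permissions) {
        foreach ($a in (@($p.Actions) + @($p.DataActions))) {
            if (-not $a) { continue }
            if ($a -like '*[*]*') {
                $findings.Add("Wildcard action: $a")
            } elseif (-not ($allowed | Where-Object { $a.StartsWith($_, $cmp) })) {
                $findings.Add("Action outside image/gallery scope: $a")
            }
        }
    }
    foreach ($s in $role.AssignableScopes) {
        # No /resourceGroups/ segment means the role can be assigned subscription-wide.
        if ($s -notmatch '/resourceGroups/') {
            $findings.Add("Subscription-wide assignable scope: $s")
        }
    }
    return $findings
}

Test-ImageBuilderRole -Json $sample
```

To check the real file, pass `(Get-Content ./CustomRole.json -Raw)` as `-Json`; an empty result means none of the three checks fired.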


Close the Azure Cloud Shell pane.
Also, see Azure Virtual Desktop: Manage Azure Virtual Desktop host pools and session hosts using the Azure portal [Part 02], Azure Virtual Desktop: How to set Up Azure Virtual Desktop Insights Monitoring [Part 03], and Azure Virtual Desktop: Connect to Session Hosts Using Entra ID [Part 04].
Configure permissions for host image provisioning resources
In the Azure portal, navigate to Resource groups, select XXX-XXXX-RG, then go to Access control (IAM). From there, click + Add and choose Add role assignment.

On the Add role assignment page, select the Desktop Virtualization Image Creator role under Job function roles (using the same custom role identifier as previously defined), then proceed to Next. In the Members tab, choose Managed identity, click + Select members, and select User-assigned managed identity from the Managed identity list.

Select the XXXX-random-uami user-assigned managed identity (using the same placeholder value as previously defined), then click Select. Finally, on the Members tab, choose Review + assign to complete the role assignment.

On the Review + assign tab, click Review + assign to finalize the configuration.
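After the assignment is in place, a quick audit confirms the managed identity holds only the custom role at the resource group scope and nothing broader. This is an added example, not part of the original guide: `Find-UnexpectedAssignment`, the sample rows, the role name and all IDs are constructed, and it assumes the identity should have no assignments outside the listed scopes.

```powershell
$rg   = '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/sample-RG'
$role = 'Desktop Virtualization Image Creator (sample)'

# Constructed rows carrying the Scope and RoleDefinitionName properties
# that Get-AzRoleAssignment returns.
$assignments = @(
    [pscustomobject]@{ Scope = $rg; RoleDefinitionName = $role }
    [pscustomobject]@{ Scope = '/subscriptions/00000000-0000-0000-0000-000000000000'; RoleDefinitionName = 'Contributor' }
    [pscustomobject]@{ Scope = "$rg/providers/Microsoft.Compute/galleries/samplegallery"; RoleDefinitionName = 'Reader' }
)

function Find-UnexpectedAssignment {   # hypothetical helper name
    param([object[]]$Assignments, [string[]]$AllowedScopes, [string]$Role)
    $cmp = [System.StringComparison]::OrdinalIgnoreCase
    foreach ($a in $Assignments) {
        # In scope = exactly an allowed scope, or a child resource beneath it.
        $inScope = $false
        foreach ($s in $AllowedScopes) {
            if ($a.Scope -eq $s -or $a.Scope.StartsWith("$s/", $cmp)) { $inScope = $true }
        }
        $reason = if (-not $inScope) {
            'scope is outside or broader than the expected resource groups'
        } elseif ($a.RoleDefinitionName -ne $Role) {
            'role is not the custom image role'
        }
        if ($reason) {
            [pscustomobject]@{ Scope = $a.Scope; Role = $a.RoleDefinitionName; Reason = $reason }
        }
    }
}

# Flags the subscription-level Contributor row and the extra Reader row.
Find-UnexpectedAssignment -Assignments $assignments -AllowedScopes $rg -Role $role

# Against a live subscription, replace the sample rows with real data:
#   $id = Get-AzUserAssignedIdentity -ResourceGroupName '<rg>' -Name '<uami-name>'
#   $assignments = Get-AzRoleAssignment -ObjectId $id.PrincipalId
```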



Create an Azure Compute Gallery instance and define a new image definition within it.
In the Azure portal, go to Azure Compute Galleries and select + Create. On the Basics tab of the Create Azure Compute Gallery page, configure the required settings (including the sharing method), then proceed by selecting Next.

| Setting | Value |
|---|---|
| Subscription | XXX-XXX-XXXX |
| Resource group | XX-XXb-RG |
| Name | XXXXXXXcomputergallery |
| Region | East US |

On the Sharing tab, keep the default Role-based access control (RBAC) option selected, then proceed to Review + create. On the final page, select Create and wait for the deployment to complete (typically under 1 minute).


In the Azure portal, go to Azure Compute Galleries and select az14015computegallery from the list.

On the XXXXX15computegallery page, select + Add and then choose + VM image definition from the dropdown menu.

On the Basics tab of the Create VM image definition page, enter the required settings (leaving all other options at their defaults), then proceed by selecting Next: Version.
| Setting | Value |
|---|---|
| Region | East US |
| VM image definition name | XXXXXXXXXimageDefinition |
| OS type | Windows |
| Security type | Trusted launch supported |
| OS state | Generalized |
| Publisher | MicrosoftWindowsDesktop |
| Offer | Windows-11 |
| SKU | win11-23h2-avd-m365 |

The VM generation is automatically set to Gen2 because Gen1 virtual machines are not supported with Trusted launch and Confidential security.

On the Version tab of the Create VM image definition page, leave all settings at their defaults and proceed by selecting Next: Publishing options.
The VM image version is not created at this stage, because it will be generated later by Azure Virtual Desktop during the provisioning process.


On the Publishing options tab of the Create VM image definition page, leave all settings unchanged and proceed to Review + create.
On the final tab, select Create to start provisioning the VM image definition.

Wait for the re-registration process to complete; this typically takes less than 1 minute.

Please see Azure Virtual Desktop: Deploy host pools and session hosts in the Azure [Part 01].
Create a custom image template for the image build process.
In the Azure portal, go to Azure Virtual Desktop, then under Manage, select Custom image templates. On the Custom image templates page, click + Add custom image template.

On the Basics tab of the Create custom image template page, enter the required settings, ensuring that the Managed identity value uses the same random placeholder identified earlier in the exercise. Then select Next.
| Setting | Value |
|---|---|
| Name | XXXXXXXXX-imagetemplate |
| Import from existing template | No |
| Subscription | XXX-XXXX-XXXX |
| Resource group | XXX-XXX-RG |
| Location | East US |
| Managed identity | XXX-XXXX-uami |

On the Source image tab of the Create custom image template page, configure the required settings and proceed by selecting Next.
| Setting | Value |
|---|---|
| Source type | Platform image (marketplace) |
| Select image | Windows 11 Enterprise multi-session, Version 23H2 + Microsoft 365 Apps – Gen 2 |

On the Distribution targets tab of the Create custom image template page, configure the required settings (leaving all other values as default) and then select Next.
| Setting | Value |
|---|---|
| Azure Compute Gallery | Enabled |
| Gallery name | XXXXXXXcomputegallery |
| Gallery image definition | XXXXXXXXXXimagedefinition |
| Gallery image version | 1.0.0 |
| Run output name | XXX-XXXX-image-1.0.0 |
| Replication regions | East US |
| Exclude from latest | No |
| Storage account type | Standard_LRS |
The Replication regions setting enables multi-region image builds, while setting Exclude from latest = Yes prevents the image version from being automatically used when “latest” is specified in the ImageReference during VM creation.

On the Build properties tab of the Create custom image template page, configure the required settings, leave all other values at their defaults, and then select Next.
| Setting | Value |
|---|---|
| Build timeout | 120 |
| Build VM size | Standard_DC2s_v3 |
| OS disk size (GB) | 127 |
| Staging group | XXX-XXX-RG |
| VNet | leave not set |
The staging group temporarily holds resources and build logs (auto-created if not specified). If VNet is not set, Azure creates a temporary VNet and public IP for the build VM.
Ensure sufficient vCPU quota for the selected build VM size, or choose a smaller size/request an increase.

On the Customization tab, add built-in scripts by selecting:
- Time zone redirection
- Disable Storage Sense
- Enable screen capture protection (Block screen capture on client and server)
Then click Save. Custom scripts can also be added manually if needed, using built-in examples as references.


Back on the Customization tab of the Create custom image template page, select Next.

On the Tags tab, select Next, then on the Review + create tab, click Create.
Wait a few minutes for the template to be created, and refresh the Custom image templates page to check its status.

Build a custom image
Select the custom image template (XXXX-XXxb-imagetemplate) in Azure Virtual Desktop and start the build by clicking Start build.
Monitor the Build run state, refreshing the page periodically. The status will progress from Running – Building to Running – Distributing, and finally to Succeeded (may take up to ~45 minutes).
During the process, the staging resource group XXX-XXXc-RG is automatically populated with temporary resources such as a VM, VNet, NSG, Key Vault, snapshot, container instance, and storage account.

In the Azure portal, go to Resource groups, open az140-15c-RG, and review the Resources section to observe the automatically provisioned build resources.

Return to the XXXX-XXb-imagetemplate page and monitor the build progress.
Alternatively, use the Activity Log to track the operation “Execute a VM image template to produce its output”.


Its status will change from Accepted to Succeeded as the build completes.

Once the build is complete, go to Azure Compute Galleries in the Azure portal and open XXXXxcomputegallery.
In the Definitions tab, select XXXXXimagedefinition, then open the Versions tab to review details of the 1.0.0 (latest) image version.

Provision session hosts using a custom image
As an optional step, you can begin the initial process of deploying Azure Virtual Desktop session hosts using the custom image you created.
In the Azure portal, go to Virtual networks and select + Create to start creating a new virtual network.

On the Basics tab of the Create virtual network page, enter the required settings and then select Next to continue.
| Setting | Value |
|---|---|
| Subscription | XXX-XXXX-XXXX |
| Resource group | Create a new resource group XXX-XXd-RG |
| Virtual network name | XXXX-vnetXXd |
| Region | East US |


On the Security tab, leave all default settings unchanged and select Next to continue.


Select the edit (pencil) icon next to the default subnet. In the Edit subnet pane, update the required settings (keeping all other values unchanged) and select Save.
| Setting | Value |
|---|---|
| Name | hpX-Subnet |
| Starting address | 10.30.X.0 |
| Enable private subnet (no default outbound access) | Disabled |



Go back to the IP addresses tab, then select Review + create and click Create.
Wait for the virtual network provisioning to complete (usually under 1 minute).

In the Azure portal, go to Azure Virtual Desktop, then under Manage select Host pools. On the Host pools page, click + Create to start creating a new host pool.

On the Basics tab of the Create a host pool page, configure the required settings (leaving all others at default), then select Next: Session hosts to continue.
| Setting | Value |
|---|---|
| Subscription | XXX-XXX-XXX |
| Resource group | XXX-XXd-RG |
| Host pool name | XXX-XX-hp1 |
| Location | East US |
| Validation environment | No |
| Preferred app group type | Desktop |
| Host pool type | Pooled |
| Load balancing algorithm | Breadth-first |
When using the Breadth-first load balancing algorithm in Azure Virtual Desktop, the maximum session limit is optional and only needs to be configured if you want to restrict the number of sessions per session host.


On the Session Hosts tab of the Create a host pool page, configure the required settings and leave all other options at their default values before proceeding to the next step.
| Setting | Value |
|---|---|
| Add virtual machines | Yes |
| Resource group | Defaulted to same as host pool |
| Name prefix | sh0XXXX |
| Virtual machine type | Azure virtual machine |
| Virtual machine location | East US |
| Availability options | No infrastructure redundancy required |
| Security type | Trusted launch virtual machines |

On the Session Hosts tab of the Create a host pool page, under the Image drop-down list, select See all images.

On the Select an image page, choose Shared images, then select XXXXXimagedefinition from the list of available images.

Return to the Session Hosts tab of the Create a host pool page, configure the required settings (leaving all other options at default), then select Next: Workspace to continue.
| Setting | Value |
|---|---|
| Virtual machine size | Standard DCX_v3 |
| Number of VMs | 1 |
| OS disk type | Standard SSD |
| OS disk size | Default size |
| Boot Diagnostics | Enable with managed storage account (recommended) |
| Virtual network | XXXX-vnetXXd |
| Subnet | hpX-Subnet |
| Network security group | Basic |
| Public inbound ports | No |
| Select which directory you would like to join | Microsoft Entra ID |
| Enroll VM with Intune | No |
| User name | Link State |
| Password | ******** |
| Confirm password | ******** |


Enter a username and password.

On the Workspace tab of the Create a host pool page, verify the settings (leaving defaults unchanged) and then select Review + create to proceed.
| Setting | Value |
|---|---|
| Register desktop app group | No |

On the Review + create tab of the Create a host pool page, select Create. Wait for the deployment to finish; this may take approximately 10–15 minutes.

Thanks everyone, and see you in the next guide! 🙂
This is the final part of this guide covering Azure Virtual Desktop technology. I hope it has been helpful and clear. Feel free to leave a comment with any feedback or questions.