TechDirectArchive


Azure Virtual Desktop: Build Custom Session Host Images Using Image Builder Templates [Part 07]

Posted on 04/07/2026 (05/07/2026) by Link State

In enterprise Azure Virtual Desktop (AVD) deployments, standard marketplace images are often insufficient to meet organizational requirements for security, compliance, application consistency, and operational efficiency. Creating custom session host images enables administrators to deploy standardized virtual desktops that include preconfigured operating system settings, corporate applications, security baselines, and optimizations, significantly reducing deployment time while ensuring a consistent user experience.

Azure Image Builder provides a fully managed service for automating the creation, customization, validation, and distribution of virtual machine images. By integrating Azure Image Builder with Azure Compute Gallery, organizations can build reusable golden images that simplify the lifecycle management of Azure Virtual Desktop session hosts, improve deployment scalability, and reduce administrative overhead.

In this lab, you will learn how to create a customized Azure Virtual Desktop session host image using Azure Image Builder Templates. You will configure the required Azure resources, assign the appropriate permissions, create and customize an image template, build a production-ready image, and finally deploy Azure Virtual Desktop session hosts based on the newly created custom image.

By the end of this exercise, you will understand how to automate image creation and implement a repeatable image management process that aligns with Azure best practices for enterprise virtual desktop environments.

Also, see Azure Virtual Desktop: Autoscaling Implementing and Monitoring Session Hosts [Part 05], and how to implement Azure Private Link for Azure Virtual Desktop [Part 06].

Guide Objectives

After completing this lab, you will be able to:

  • Register the required Azure resource providers.
  • Create a User-Assigned Managed Identity for Azure Image Builder.
  • Configure a custom Azure RBAC role with the required permissions.
  • Assign permissions to the resources involved in image provisioning.
  • Create an Azure Compute Gallery and define a custom image definition.
  • Build an Azure Image Builder template.
  • Generate a customized Azure Virtual Desktop session host image.
  • Deploy Azure Virtual Desktop session hosts using the custom image.

This guide demonstrates a practical and scalable approach to managing Azure Virtual Desktop images, helping administrators automate deployments, maintain image consistency, and streamline future updates across their virtual desktop infrastructure.

Before creating a custom Azure Virtual Desktop image template, several prerequisites must be completed. These include registering the required Azure resource providers, creating a User-Assigned Managed Identity, assigning the necessary permissions through a custom Azure RBAC role, and, if the image will be distributed using Azure Compute Gallery, creating both the gallery and an image definition.

These components provide the identity, access control, and image repository that Azure Image Builder needs to create and distribute custom session host images.

  • Provision a User-Assigned Managed Identity

Search for Managed Identities, open the service, and select Create to begin provisioning a new User-Assigned Managed Identity.

| Setting | Value |
| --- | --- |
| Subscription | XXX-XX-XXX |
| Resource group | XXX-XX-RG |
| Region | East US |
| Name | XXXXX-XXXX-uami |

Complete the required settings and then select “Review + create”.

  • Create a custom role in Azure Role-Based Access Control (RBAC)

Start a PowerShell session in Azure Cloud Shell from the Azure portal, then retrieve the subscription ID using Get-AzSubscription and store it in the $subscriptionId variable. Next, create the custom role definition including the assignable scope and save it in the $jsonContent variable, replacing the placeholder with the previously identified value.

# Assumes the signed-in account sees a single subscription; with several, .Id returns an array.
$subscriptionId = (Get-AzSubscription).Id
# Custom role definition; $subscriptionId is expanded inside the here-string.
$jsonContent = @"
{
  "Name": "Desktop Virtualization Image Creator (******************************)",
  "IsCustom": true,
  "Description": "Create custom image templates for Azure Virtual Desktop images.",
  "Permissions": [
    {
      "Actions": [
        "Microsoft.Compute/galleries/read",
        "Microsoft.Compute/galleries/images/read",
        "Microsoft.Compute/galleries/images/versions/read",
        "Microsoft.Compute/galleries/images/versions/write",
        "Microsoft.Compute/images/write",
        "Microsoft.Compute/images/read",
        "Microsoft.Compute/images/delete"
      ],
      "NotActions": [],
      "DataActions": [],
      "NotDataActions": []
    }
  ],
  "AssignableScopes": [
    "/subscriptions/$subscriptionId",
    "/subscriptions/$subscriptionId/resourceGroups/XXXX-XXX-RG"
  ]
}
"@

Save the content of the $jsonContent variable to a file named CustomRole.json, then run the command to create the custom role from that file.

$jsonContent | Out-File -FilePath 'CustomRole.json'
New-AzRoleDefinition -InputFile ./CustomRole.json
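
One way to lint the role definition before running New-AzRoleDefinition, shown here as an added example that is not part of the original post: it checks the JSON for wildcard or unreviewed actions and for assignable scopes that are malformed or reach beyond the resource group where the role is assigned. Test-ImageCreatorRole, New-SampleRoleJson, $allowedActions and the GUIDs are constructed for illustration.

```powershell
# Added example, not from the original post. Function names, $allowedActions
# and the all-zero / all-one GUIDs are constructed for illustration.
function Test-ImageCreatorRole {
    param(
        [Parameter(Mandatory)][string]   $Json,
        [Parameter(Mandatory)][string[]] $AllowedActions,
        [Parameter(Mandatory)][string]   $ResourceGroupScope
    )
    try   { $role = $Json | ConvertFrom-Json -ErrorAction Stop }
    catch { return "ERROR: not valid JSON: $($_.Exception.Message)" }

    if ($role.IsCustom -ne $true) { "ERROR: IsCustom must be true" }

    foreach ($perm in $role.Permissions) {
        foreach ($action in $perm.Actions) {
            if ($action -match '\*') {
                "ERROR: wildcard action '$action'"
            } elseif ($action -notin $AllowedActions) {
                "WARN: action '$action' is not in the reviewed allowlist"
            }
        }
        if ($perm.DataActions.Count -gt 0) { "WARN: DataActions granted: $($perm.DataActions -join ', ')" }
    }

    $guid    = '[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}'
    $pattern = '^/subscriptions/' + $guid + '(/resourceGroups/[^/]+)?$'
    foreach ($scope in $role.AssignableScopes) {
        if ($scope -notmatch $pattern) {
            # Typical cause: $subscriptionId was empty or held several IDs when the here-string expanded.
            "ERROR: malformed assignable scope '$scope'"
        } elseif ($scope -ne $ResourceGroupScope) {
            "WARN: assignable at '$scope', beyond the resource group used for the assignment"
        }
    }
}

# The seven actions from the role definition in the post, used as the reviewed allowlist.
$allowedActions = @(
    'Microsoft.Compute/galleries/read', 'Microsoft.Compute/galleries/images/read',
    'Microsoft.Compute/galleries/images/versions/read', 'Microsoft.Compute/galleries/images/versions/write',
    'Microsoft.Compute/images/write', 'Microsoft.Compute/images/read', 'Microsoft.Compute/images/delete'
)

# Builds the role JSON the way the post does: by expanding a variable inside a here-string.
function New-SampleRoleJson($SubscriptionId) {
@"
{
  "Name": "Desktop Virtualization Image Creator (sample)",
  "IsCustom": true,
  "Permissions": [ { "Actions": $($allowedActions | ConvertTo-Json -Compress),
                     "NotActions": [], "DataActions": [], "NotDataActions": [] } ],
  "AssignableScopes": [ "/subscriptions/$SubscriptionId",
                        "/subscriptions/$SubscriptionId/resourceGroups/XXXX-XXX-RG" ]
}
"@
}

$oneId  = '00000000-0000-0000-0000-000000000000'                 # constructed
$twoIds = @($oneId, '11111111-1111-1111-1111-111111111111')      # constructed: an account with two subscriptions
$rg     = "/subscriptions/$oneId/resourceGroups/XXXX-XXX-RG"

Test-ImageCreatorRole -Json (New-SampleRoleJson $oneId)  -AllowedActions $allowedActions -ResourceGroupScope $rg
Test-ImageCreatorRole -Json (New-SampleRoleJson $twoIds) -AllowedActions $allowedActions -ResourceGroupScope $rg
```

The second call reproduces what the here-string yields when (Get-AzSubscription).Id returns more than one subscription ID: the IDs are joined with a space and both assignable scopes become invalid.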

Close the Azure Cloud Shell pane.

Also, see Azure Virtual Desktop: Manage Azure Virtual Desktop host pools and session hosts using the Azure portal [Part 02], Azure Virtual Desktop: How to set Up Azure Virtual Desktop Insights Monitoring [Part 03], and Azure Virtual Desktop: Connect to Session Hosts Using Entra ID [Part 04].

Configure permissions for host image provisioning resources

In the Azure portal, navigate to Resource groups, select XXX-XXXX-RG, then go to Access control (IAM). From there, click + Add and choose Add role assignment.

On the Add role assignment page, select the Desktop Virtualization Image Creator role under Job function roles (using the same custom role identifier as previously defined), then proceed to Next. In the Members tab, choose Managed identity, click + Select members, and select User-assigned managed identity from the Managed identity list.

Select the XXXX-random-uami user-assigned managed identity (using the same placeholder value as previously defined), then click Select. Finally, on the Members tab, choose Review + assign to complete the role assignment.

On the Review + assign tab, click Review + assign to finalize the configuration.

Create an Azure Compute Gallery instance and define a new image definition within it.

In the Azure portal, go to Azure Compute Galleries and select + Create. On the Basics tab of the Create Azure Compute Gallery page, configure the required settings (including the sharing method), then proceed by selecting Next.

| Setting | Value |
| --- | --- |
| Subscription | XXX-XXX-XXXX |
| Resource group | XX-XXb-RG |
| Name | XXXXXXXcomputegallery |
| Region | East US |

On the Sharing tab, keep the default Role-based access control (RBAC) option selected, then proceed to Review + create. On the final page, select Create and wait for the deployment to complete (typically under 1 minute).

In the Azure portal, go to Azure Compute Galleries and select az14015computegallery from the list.

On the XXXXX15computegallery page, select + Add and then choose + VM image definition from the dropdown menu.

On the Basics tab of the Create VM image definition page, enter the required settings (leaving all other options at their defaults), then proceed by selecting Next: Version.

| Setting | Value |
| --- | --- |
| Region | East US |
| VM image definition name | XXXXXXXXXimageDefinition |
| OS type | Windows |
| Security type | Trusted launch supported |
| OS state | Generalized |
| Publisher | MicrosoftWindowsDesktop |
| Offer | Windows-11 |
| SKU | win11-23h2-avd-m365 |

The VM generation is automatically set to Gen2 because Gen1 virtual machines are not supported with Trusted launch and Confidential security.

On the Version tab of the Create VM image definition page, leave all settings at their defaults and proceed by selecting Next: Publishing options.

The VM image version is not created at this stage, because it will be generated later by Azure Virtual Desktop during the provisioning process.

On the Publishing options tab of the Create VM image definition page, leave all settings unchanged and proceed to Review + create.

On the final tab, select Create to start provisioning the VM image definition.

Wait for the re-registration process to complete; this typically takes less than 1 minute.

Please see Azure Virtual Desktop: Deploy host pools and session hosts in the Azure [Part 01].

Create a custom image template for the image build process.

In the Azure portal, go to Azure Virtual Desktop, then under Manage, select Custom image templates. On the Custom image templates page, click + Add custom image template.

On the Basics tab of the Create custom image template page, enter the required settings, ensuring that the Managed identity value uses the same random placeholder identified earlier in the exercise. Then select Next.

| Setting | Value |
| --- | --- |
| Name | XXXXXXXXX-imagetemplate |
| Import from existing template | No |
| Subscription | XXX-XXXX-XXXX |
| Resource group | XXX-XXX-RG |
| Location | East US |
| Managed identity | XXX-XXXX-uami |

On the Source image tab of the Create custom image template page, configure the required settings and proceed by selecting Next.

| Setting | Value |
| --- | --- |
| Source type | Platform image (marketplace) |
| Select image | Windows 11 Enterprise multi-session, Version 23H2 + Microsoft 365 Apps – Gen 2 |

On the Distribution targets tab of the Create custom image template page, configure the required settings (leaving all other values as default) and then select Next.

| Setting | Value |
| --- | --- |
| Azure Compute Gallery | Enabled |
| Gallery name | XXXXXXXcomputegallery |
| Gallery image definition | XXXXXXXXXXimagedefinition |
| Gallery image version | 1.0.0 |
| Run output name | XXX-XXXX-image-1.0.0 |
| Replication regions | East US |
| Exclude from latest | No |
| Storage account type | Standard_LRS |

The Replication regions setting enables multi-region image builds, while setting Exclude from latest = Yes prevents the image version from being automatically used when “latest” is specified in the ImageReference during VM creation.

On the Build properties tab of the Create custom image template page, configure the required settings, leave all other values at their defaults, and then select Next.

| Setting | Value |
| --- | --- |
| Build timeout | 120 |
| Build VM size | Standard_DC2s_v3 |
| OS disk size (GB) | 127 |
| Staging group | XXX-XXX-RG |
| VNet | leave not set |

The staging group temporarily holds resources and build logs (auto-created if not specified). If VNet is not set, Azure creates a temporary VNet and public IP for the build VM.

Ensure sufficient vCPU quota for the selected build VM size, or choose a smaller size/request an increase.

On the Customization tab, add built-in scripts by selecting:

  • Time zone redirection
  • Disable Storage Sense
  • Enable screen capture protection (Block screen capture on client and server)

Then click Save. Custom scripts can also be added manually if needed, using built-in examples as references.

Back on the Customization tab of the Create custom image template page, select Next.

On the Tags tab, select Next, then on the Review + create tab, click Create.

Wait a few minutes for the template to be created, and refresh the Custom image templates page to check its status.


Build a custom image

Select the custom image template (XXXX-XXxb-imagetemplate) in Azure Virtual Desktop and start the build by clicking Start build.

Monitor the Build run state, refreshing the page periodically. The status will progress from Running – Building to Running – Distributing, and finally to Succeeded (may take up to ~45 minutes).

During the process, the staging resource group XXX-XXXc-RG is automatically populated with temporary resources such as a VM, VNet, NSG, Key Vault, snapshot, container instance, and storage account.

In the Azure portal, go to Resource groups, open az140-15c-RG, and review the Resources section to observe the automatically provisioned build resources.

Return to the XXXX-XXb-imagetemplate page and monitor the build progress.

Alternatively, use the Activity Log to track the operation “Execute a VM image template to produce its output”.

Its status will change from Accepted to Succeeded as the build completes.

Once the build is complete, go to Azure Compute Galleries in the Azure portal and open XXXXxcomputegallery.

In the Definitions tab, select XXXXXimagedefinition, then open the Versions tab to review details of the 1.0.0 (latest) image version.


Provision session hosts using a custom image

As an optional step, you can begin the initial process of deploying Azure Virtual Desktop session hosts using the custom image you created.

In the Azure portal, go to Virtual networks and select + Create to start creating a new virtual network.

On the Basics tab of the Create virtual network page, enter the required settings and then select Next to continue.

| Setting | Value |
| --- | --- |
| Subscription | XXX-XXXX-XXXX |
| Resource group | Create a new resource group XXX-XXd-RG |
| Virtual network name | XXXX-vnetXXd |
| Region | East US |

On the Security tab, leave all default settings unchanged and select Next to continue.

Select the edit (pencil) icon next to the default subnet. In the Edit subnet pane, update the required settings (keeping all other values unchanged) and select Save.

| Setting | Value |
| --- | --- |
| Name | hpX-Subnet |
| Starting address | 10.30.X.0 |
| Enable private subnet (no default outbound access) | Disabled |

Go back to the IP addresses tab, then select Review + create and click Create.

Wait for the virtual network provisioning to complete (usually under 1 minute).

In the Azure portal, go to Azure Virtual Desktop, then under Manage select Host pools. On the Host pools page, click + Create to start creating a new host pool.

On the Basics tab of the Create a host pool page, configure the required settings (leaving all others at default), then select Next: Session hosts to continue.

| Setting | Value |
| --- | --- |
| Subscription | XXX-XXX-XXX |
| Resource group | XXX-XXd-RG |
| Host pool name | XXX-XX-hp1 |
| Location | East US |
| Validation environment | No |
| Preferred app group type | Desktop |
| Host pool type | Pooled |
| Load balancing algorithm | Breadth-first |

When using the Breadth-first load balancing algorithm in Azure Virtual Desktop, the maximum session limit is optional and only needs to be configured if you want to restrict the number of sessions per session host.

On the Session Hosts tab of the Create a host pool page, configure the required settings and leave all other options at their default values before proceeding to the next step.

| Setting | Value |
| --- | --- |
| Add virtual machines | Yes |
| Resource group | Defaulted to same as host pool |
| Name prefix | sh0XXXX |
| Virtual machine type | Azure virtual machine |
| Virtual machine location | East US |
| Availability options | No infrastructure redundancy required |
| Security type | Trusted launch virtual machines |

On the Session Hosts tab of the Create a host pool page, under the Image drop-down list, select See all images.

On the Select an image page, choose Shared images, then select XXXXXimagedefinition from the list of available images.

Return to the Session Hosts tab of the Create a host pool page, configure the required settings (leaving all other options at default), then select Next: Workspace to continue.

| Setting | Value |
| --- | --- |
| Virtual machine size | Standard DCX_v3 |
| Number of VMs | 1 |
| OS disk type | Standard SSD |
| OS disk size | Default size |
| Boot Diagnostics | Enable with managed storage account (recommended) |
| Virtual network | XXXX-vnetXXd |
| Subnet | hpX-Subnet |
| Network security group | Basic |
| Public inbound ports | No |
| Select which directory you would like to join | Microsoft Entra ID |
| Enroll VM with Intune | No |
| User name | Link State |
| Password | ******** |
| Confirm password | ******** |

Enter a username and password.

On the Workspace tab of the Create a host pool page, verify the settings (leaving defaults unchanged) and then select Review + create to proceed.

| Setting | Value |
| --- | --- |
| Register desktop app group | No |

On the Review + create tab of the Create a host pool page, select Create. Wait for the deployment to finish; this may take approximately 10–15 minutes.

Thanks everyone, and see you in the next guide! 🙂

This is the final part of this guide covering Azure Virtual Desktop technology. I hope it has been helpful and clear. Feel free to leave a comment with any feedback or questions.
