AZ-140: Microsoft Azure Virtual Desktop Specialty Study Guide
AZ-140: Microsoft Azure Virtual Desktop Specialty validates your ability to plan, deploy, secure, and manage Azure Virtual Desktop (AVD) environments and published remote apps for any device. It targets administrators and platform engineers who design host pools, configure identity and FSLogix profiles, deliver applications, and monitor session host health. The exam is 120 minutes with a passing score of 700.
Domain 1: Plan and Implement an Azure Virtual Desktop Infrastructure
- Pooled host pools share session host VMs across many users (best for cost when users run the same apps); personal host pools assign one dedicated VM per user.
- Load-balancing algorithms for pooled pools: breadth-first spreads sessions across hosts for performance, while depth-first packs sessions onto each host before using the next to maximize density and cut cost.
- A single host pool can publish both a Desktop application group (full desktop) and a RemoteApp application group (individual apps), but a given user can be assigned to only one application group type per host pool.
- Windows 11/10 Enterprise multi-session allows multiple concurrent users on one VM; single-session SKUs (Windows 11 Enterprise) serve one user at a time and are used for personal pools.
- FSLogix profile containers require SMB storage: Azure Files (Standard transaction-optimized or Premium) or Azure NetApp Files, which gives sub-millisecond latency for high-concurrency workloads.
- For Entra-ID-joined session hosts with no on-premises AD, use Microsoft Entra ID Kerberos authentication so Entra-joined VMs can request Kerberos tickets to mount the Azure Files SMB share.
- Azure Compute Gallery (formerly Shared Image Gallery) manages custom golden images with versioning and multi-region replication; generalize the image with Sysprep using the Generalize option before capture.
- Connect AVD VNets to on-premises resources via VNet peering to a hub VNet containing a VPN Gateway or ExpressRoute Gateway.
- RDP Shortpath establishes a direct UDP path between client and session host (over private network or public network with STUN/TURN), reducing latency versus the default TCP reverse-connect transport.
- Force outbound traffic through Azure Firewall with a User-Defined Route (UDR) carrying a default route 0.0.0.0/0 that points to the firewall's private IP.
- Azure Files Standard shares default to a per-share limit (~5 TiB / ~1,000 IOPS); enabling large file shares raises capacity to 100 TiB and increases the per-share IOPS ceiling.
- RDP device redirection (clipboard, drives, printers) is controlled in the host pool RDP properties; clipboard direction can be set to 'Client to remote', 'Remote to client', or bidirectional.
- Set a session host to drain mode to stop new connections while letting existing sessions finish, enabling graceful maintenance without disrupting active users.
- For multi-region or DR, create separate host pools per region and route users via application group assignment; combine with Azure Site Recovery for session host VMs and replicated FSLogix profiles.
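The host pool settings from this domain, as an added example that is not part of the study guide: a pooled, depth-first host pool with a max session limit and a hardened set of custom RDP properties (device redirection off by default), plus a small function that toggles drain mode on a session host. It assumes the Az.DesktopVirtualization module and an existing resource group; the resource group, location, pool and session host names are placeholders.

```powershell
# Added example (not from the study guide). Assumes Az.DesktopVirtualization is installed
# and Connect-AzAccount has already run. All names below are placeholders.
#Requires -Modules Az.Accounts, Az.DesktopVirtualization

$rg       = 'rg-avd-prod'          # placeholder resource group
$location = 'westeurope'           # placeholder region
$poolName = 'hp-pooled-finance'    # placeholder host pool

# Custom RDP properties are passed as one semicolon-separated string. This set keeps
# clipboard, drive, printer, COM-port, USB, camera and microphone redirection off, so
# data cannot leave the session unless a policy explicitly re-enables a channel.
$rdpProps = @(
    'redirectclipboard:i:0'        # no clipboard in either direction
    'drivestoredirect:s:'          # empty list = no local drives mapped
    'redirectprinters:i:0'
    'redirectcomports:i:0'
    'redirectsmartcards:i:1'       # smart cards stay on: needed for sign-in
    'usbdevicestoredirect:s:'
    'camerastoredirect:s:'
    'audiocapturemode:i:0'
) -join ';'

# Depth-first fills each host up to MaxSessionLimit before the broker uses the next one,
# which is the density/cost choice from the guide; breadth-first would spread sessions out.
$pool = New-AzWvdHostPool -ResourceGroupName $rg -Name $poolName -Location $location `
    -HostPoolType Pooled `
    -LoadBalancerType DepthFirst `
    -MaxSessionLimit 12 `
    -PreferredAppGroupType Desktop `
    -CustomRdpProperty $rdpProps

# Later changes go through Update-AzWvdHostPool; the string replaces the whole property set,
# so always pass the complete list rather than a single property.
Update-AzWvdHostPool -ResourceGroupName $rg -Name $poolName -CustomRdpProperty $rdpProps

function Set-SessionHostDrainMode {
    <#
      Turn new connections on or off for one session host. Existing sessions keep running;
      with -Drain the host stops accepting new ones so it can be patched or replaced
      without disconnecting anyone.
    #>
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $HostPoolName,
        [Parameter(Mandatory)] [string] $SessionHostName,   # FQDN form, e.g. vm-fin-01.contoso.com
        [switch] $Drain
    )
    $allowNew = -not $Drain.IsPresent
    Update-AzWvdSessionHost -ResourceGroupName $ResourceGroupName `
        -HostPoolName $HostPoolName -Name $SessionHostName `
        -AllowNewSession:$allowNew
}

# Put one host into drain mode ahead of maintenance (placeholder host name).
Set-SessionHostDrainMode -ResourceGroupName $rg -HostPoolName $poolName `
    -SessionHostName 'vm-fin-01.contoso.com' -Drain
```

Re-running the same function without -Drain returns the host to service once patching is finished.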
Domain 2: Plan and Implement Identity and Security
- Enforce MFA for AVD with a Conditional Access policy targeting the Azure Virtual Desktop cloud app (app ID 9cdead84-a844-4324-93f2-b2e6bb768d07), which challenges users at the feed/connection stage.
- Enable single sign-on (SSO) to carry the authenticated session to the session host; this requires one-time admin consent for the Microsoft Remote Desktop and Windows Cloud Login service principals.
- Microsoft Remote Desktop client app ID is a4a365df-50f1-4397-bc59-1a1564b8bb9c; both it and the AVD app are referenced when scoping Conditional Access or configuring SSO consent.
- Restrict access to managed devices using a Conditional Access grant control 'require device to be marked as compliant' (evaluated by Intune) targeting the AVD cloud app.
- Use the Locations condition with named locations (corporate IP ranges) in Conditional Access to allow or block sign-ins based on network location.
- Key built-in RBAC roles: Desktop Virtualization Contributor (full AVD management), Desktop Virtualization User (end-user app group access), Desktop Virtualization Application Group Contributor (assign users to app groups only), and Desktop Virtualization User Session Operator (manage user sessions: message, disconnect, log off).
- Session hosts need outbound HTTPS to the AVD control plane (*.wvd.microsoft.com) to register agents and broker reverse-connect sessions, plus Azure Monitor/agent endpoints for health.
- Azure Firewall application rules filter outbound traffic by FQDN/URL (SNI/HTTP inspection) - something NSGs cannot do - to permit only AVD-required and approved destinations.
- Entra-ID join with Intune enrollment is the cloud-native management path for session hosts; hybrid Entra join is used when on-premises AD DS is still required.
- Enable Entra-based authentication on the host pool RDP property 'enablerdsaadauth:i:1' to allow Entra ID credentials at the session host.
- Azure Files SMB shares for FSLogix must use identity-based auth - Microsoft Entra ID Kerberos or AD DS authentication - or mounts will fall back to the storage account key and break NTFS-based permissions.
- Set share-level RBAC (e.g., Storage File Data SMB Share Contributor) plus NTFS permissions; configure NTFS by mounting the share on a domain-joined machine with the storage key and using icacls or Explorer.
- Harden session hosts with Microsoft Defender for Cloud: Just-in-Time (JIT) VM access limits management port exposure and adaptive application controls allowlist approved apps.
- Onboard Windows 10/11 multi-session hosts to Microsoft Defender for Endpoint using the multi-session onboarding script deployed via Intune or Group Policy.
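The MFA and least-privilege pattern from this domain, as an added example that is not part of the study guide: a Conditional Access policy scoped to the Azure Virtual Desktop cloud app (the app ID quoted above) that requires both MFA and a compliant device, created in report-only mode so its effect can be reviewed in the sign-in logs before enforcement, followed by role assignments that scope each built-in Desktop Virtualization role to the narrowest resource. It assumes the Microsoft.Graph.Identity.SignIns, Az.Resources and Az.DesktopVirtualization modules; the group object IDs, resource group, host pool and application group names are placeholders.

```powershell
# Added example (not from the study guide). Assumes Microsoft Graph PowerShell and Az modules;
# every GUID except the AVD app ID and every resource name below is a placeholder.
#Requires -Modules Microsoft.Graph.Identity.SignIns, Az.Resources, Az.DesktopVirtualization

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All'

$avdAppId    = '9cdead84-a844-4324-93f2-b2e6bb768d07'   # Azure Virtual Desktop cloud app (from the guide)
$avdUsersGrp = '00000000-0000-0000-0000-000000000001'   # placeholder: AVD users group object ID
$breakGlass  = '00000000-0000-0000-0000-000000000002'   # placeholder: emergency-access account object ID

$policy = @{
    displayName = 'AVD - require MFA and compliant device'
    # Report-only evaluates the policy and logs the outcome without blocking anyone;
    # switch to 'enabled' only after checking the sign-in log for unintended matches.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        applications   = @{ includeApplications = @($avdAppId) }
        users          = @{
            includeGroups = @($avdUsersGrp)
            excludeUsers  = @($breakGlass)    # never lock the emergency account out
        }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator        = 'AND'                          # both controls must be satisfied
        builtInControls = @('mfa', 'compliantDevice')    # MFA + Intune-compliant device
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# RBAC: each role goes on the smallest scope that still covers the task.
$rg       = 'rg-avd-prod'            # placeholder
$poolName = 'hp-pooled-finance'      # placeholder
$appGroup = Get-AzWvdApplicationGroup -ResourceGroupName $rg -Name "$poolName-DAG"   # placeholder group name
$hostPool = Get-AzWvdHostPool -ResourceGroupName $rg -Name $poolName

$helpdeskGrp = '00000000-0000-0000-0000-000000000003'   # placeholder
$appOwnerGrp = '00000000-0000-0000-0000-000000000004'   # placeholder

# End users: only what is needed to launch the published desktop or apps in this group.
New-AzRoleAssignment -ObjectId $avdUsersGrp -RoleDefinitionName 'Desktop Virtualization User' -Scope $appGroup.Id

# Helpdesk: message, disconnect and log off sessions in this pool, nothing else.
New-AzRoleAssignment -ObjectId $helpdeskGrp -RoleDefinitionName 'Desktop Virtualization User Session Operator' -Scope $hostPool.Id

# App owners: manage who is assigned to the app group without rights over hosts or workspaces.
New-AzRoleAssignment -ObjectId $appOwnerGrp -RoleDefinitionName 'Desktop Virtualization Application Group Contributor' -Scope $appGroup.Id
```

Assigning Desktop Virtualization User at the application group scope is what makes the desktop or apps appear in the user's feed; assigning it at subscription scope would grant far more than the exam's least-privilege answer.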
Domain 3: Plan and Implement User Environments and Apps
- MSIX app attach delivers apps without baking them into the image: package as MSIX, expand into a VHD/VHDX/CimFS image with msixmgr, store on an SMB share, then add the package to the host pool.
- CimFS (Composite Image File System) is the recommended modern container format for MSIX app attach images, offering better performance and lower overhead than VHD/VHDX.
- FSLogix Profile Container roams the full user profile (including Outlook OST and search index) in a VHD/VHDX; VHDLocations is set under HKLM\SOFTWARE\FSLogix\Profiles to the UNC path of the share.
- FSLogix Office Container (ODFC) splits large Microsoft 365 cache data (Outlook OST, OneDrive cache, Teams data, search index) into a separate container so it can use its own storage tier and capacity.
- Use FSLogix redirections.xml to exclude or redirect specific folders (such as Downloads or browser cache) out of the profile container to control profile size.
- Optimize Microsoft Teams in AVD by installing the Teams desktop client plus the Remote Desktop WebRTC Redirector Service, which offloads audio/video processing to the local client device.
- Multimedia Redirection (MMR) offloads video rendering from the session host to the client, lowering host CPU usage and improving playback quality.
- Publish individual apps with a RemoteApp application group, adding each app by its executable path; the app window appears integrated on the user's local desktop.
- OneDrive in AVD should use Files On-Demand with Known Folder Move, paired with an FSLogix Office Container for the OneDrive cache, to avoid downloading full content into the profile.
- AVD licensing: per-user access pricing covers external users across devices, while internal users are entitled via Windows 10/11 Enterprise E3/E5, Microsoft 365 E3/E5/F3/A3/A5, or Windows VDA.
- Universal Print is a cloud print solution that removes on-premises print servers and per-host drivers; non-Universal-Print-ready printers require a Universal Print connector on a Windows machine.
- Install required language packs and language experience features in the golden image before running Sysprep and capturing, so all users get consistent localization.
- MSIX app attach prerequisites: hosts run Windows 10/11 Enterprise multi-session or Windows 11 Enterprise, and packages are MSIX stored in VHD, VHDX, or CIM format on an SMB share.
- FSLogix Cloud Cache can replicate profile containers across multiple storage providers/regions for high availability, at the cost of additional write overhead.
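The Azure Files identity-based access points from Domain 2 and the FSLogix profile, Office Container and redirections.xml settings from this domain, as one added example that is not part of the study guide: it enables Microsoft Entra ID Kerberos on the storage account, grants the share-level RBAC role on the share only, sets the NTFS root permissions, then writes the FSLogix registry values and a redirections.xml on a session host. It assumes the Az.Storage and Az.Resources modules; the storage account, share, group and domain names are placeholders, and the registry part runs elevated on the session host.

```powershell
# Added example (not from the study guide). Storage account, shares, group IDs and the
# domain group in the icacls line are placeholders; replace them with your own.
#Requires -Modules Az.Storage, Az.Resources

$rg        = 'rg-avd-prod'        # placeholder
$account   = 'stavdprofiles001'   # placeholder storage account (Premium for FSLogix)
$share     = 'profiles'           # placeholder Profile Container share
$odfcShare = 'odfc'               # placeholder Office Container share
$usersGrp  = '00000000-0000-0000-0000-000000000001'   # placeholder AVD users group object ID

# 1. Identity-based SMB auth for Entra-joined hosts (no on-premises AD DS involved).
Set-AzStorageAccount -ResourceGroupName $rg -Name $account -EnableAzureActiveDirectoryKerberosForFile $true

# 2. Share-level permission: scope the RBAC role to the share, not the whole account.
$shareScope = (Get-AzStorageAccount -ResourceGroupName $rg -Name $account).Id +
              "/fileServices/default/fileshares/$share"
New-AzRoleAssignment -ObjectId $usersGrp -RoleDefinitionName 'Storage File Data SMB Share Contributor' -Scope $shareScope

# 3. NTFS permissions, applied once from a machine that has mounted the share.
#    Users get Modify on the root only (no inheritance), so each profile folder is
#    created by, and readable only to, its owner.
$unc = "\\$account.file.core.windows.net\$share"
icacls $unc /grant 'CONTOSO\AVD-Users:(M)'             # placeholder group
icacls $unc /grant 'CREATOR OWNER:(OI)(CI)(IO)(M)'

# 4. Profile Container settings on the session host.
$profiles = 'HKLM:\SOFTWARE\FSLogix\Profiles'
New-Item -Path $profiles -Force | Out-Null
Set-ItemProperty -Path $profiles -Name Enabled      -Type DWord       -Value 1
Set-ItemProperty -Path $profiles -Name VHDLocations -Type MultiString -Value @($unc)
Set-ItemProperty -Path $profiles -Name VolumeType   -Type String      -Value 'VHDX'
Set-ItemProperty -Path $profiles -Name DeleteLocalProfileWhenVHDShouldApply -Type DWord -Value 1
Set-ItemProperty -Path $profiles -Name FlipFlopProfileDirectoryName         -Type DWord -Value 1
# Fail closed: a temporary profile silently loses the user's data, so refuse the sign-in instead.
Set-ItemProperty -Path $profiles -Name PreventLoginWithTempProfile -Type DWord -Value 1
Set-ItemProperty -Path $profiles -Name PreventLoginWithFailure     -Type DWord -Value 1

# 5. Office Container keeps the large Microsoft 365 cache out of the profile VHDX.
$odfc = 'HKLM:\SOFTWARE\Policies\FSLogix\ODFC'
New-Item -Path $odfc -Force | Out-Null
Set-ItemProperty -Path $odfc -Name Enabled         -Type DWord       -Value 1
Set-ItemProperty -Path $odfc -Name VHDLocations    -Type MultiString -Value @("\\$account.file.core.windows.net\$odfcShare")
Set-ItemProperty -Path $odfc -Name IncludeOutlook  -Type DWord       -Value 1
Set-ItemProperty -Path $odfc -Name IncludeOneDrive -Type DWord       -Value 1
Set-ItemProperty -Path $odfc -Name IncludeTeams    -Type DWord       -Value 1

# 6. Folder exclusions: keep Downloads and the Edge cache out of the container.
#    redirections.xml must sit in a share every user can read; path is a placeholder.
$redirXml = @'
<?xml version="1.0" encoding="UTF-8"?>
<FrxProfileFolderRedirection ExcludeCommonFolders="0">
  <Excludes>
    <Exclude Copy="0">Downloads</Exclude>
    <Exclude Copy="0">AppData\Local\Microsoft\Edge\User Data\Default\Cache</Exclude>
  </Excludes>
  <Includes/>
</FrxProfileFolderRedirection>
'@
$redirShare = "\\$account.file.core.windows.net\fslogix-config"   # placeholder share
Set-Content -Path "$redirShare\redirections.xml" -Value $redirXml -Encoding UTF8
Set-ItemProperty -Path $profiles -Name RedirXMLSourceFolder -Type String -Value $redirShare
```

In production the registry block is normally delivered by Intune or Group Policy rather than run by hand, but the value names and types are the same.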
Domain 4: Monitor and Maintain an AVD Infrastructure
- Azure Virtual Desktop Insights, built on Azure Monitor and Log Analytics, is the purpose-built dashboard for host pool performance, connection quality, and FSLogix profile diagnostics.
- AVD Insights requires the Azure Monitor Agent (AMA) on each session host plus a Data Collection Rule (DCR) defining which performance counters and event logs to send to the Log Analytics workspace.
- Key health metrics to track include average user input delay per session host (responsiveness) and available memory (MB); high input delay or low memory signals an overloaded host.
- The WVDCheckpoints table in Log Analytics records FSLogix profile load timing, letting you measure sign-in/profile mount duration.
- An 'Unavailable' session host usually means the VM is stopped or the AVD agent / side-by-side (SxS) stack is unhealthy; first verify the VM is running and those services are healthy.
- Create custom Azure Monitor alert rules on host pool metrics (for example, active sessions exceeding 90% of the max session limit) and notify via action groups.
- Use Azure Update Manager (formerly Update Management) to schedule maintenance windows and patch session hosts in batches with controlled reboot behavior.
- Image update workflow: set existing hosts to drain mode, deploy new hosts from the updated image, then remove the old hosts to avoid disrupting active sessions.
- Automate host lifecycle with Azure Automation runbooks or ARM/Bicep templates that query host creation dates, drain old hosts, deploy replacements from the latest image, and remove stale hosts.
- AVD autoscale (scaling plans) automatically powers session hosts on/off by schedule and load; schedule updates during off-peak ramp-down windows when most hosts are already drained.
- Manage capacity by tuning the max session limit per host and adding hosts, balancing user density (depth-first) against per-user performance (breadth-first).
- Use Group Policy or Intune to set session time limits - idle, disconnected, and active session timeouts, plus the action to take (disconnect or log off) - to reclaim resources.
- High latency or poor user experience often stems from users being far from the AVD region; remediate by deploying hosts in a closer region or enabling RDP Shortpath.
- Monitor FSLogix storage health with Azure Files IOPS and latency metrics in Azure Monitor; storage throttling is a common cause of slow profile loads, and session host VM compute is the dominant AVD cost.
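The 'Unavailable' triage and the drain-then-replace image update from this domain, as an added example that is not part of the study guide: one function lists every session host with its AVD status, VM power state and a suggested next step (start the VM, or check the agent/SxS stack services), and a second puts all hosts of a pool into drain mode, warns signed-in users, and reports which hosts have no sessions left and can be removed. It assumes the Az.Compute and Az.DesktopVirtualization modules, that each session host's VM name is the first DNS label of its session host name, and that replacement hosts from the updated image are deployed separately.

```powershell
# Added example (not from the study guide). Assumes Az.Compute and Az.DesktopVirtualization.
# The VM-name derivation (first label of the session host FQDN) is an assumption that
# holds for hosts created by the standard AVD deployment; adjust it if your naming differs.
#Requires -Modules Az.Compute, Az.DesktopVirtualization

function Get-SessionHostTriage {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $HostPoolName
    )
    foreach ($sh in Get-AzWvdSessionHost -ResourceGroupName $ResourceGroupName -HostPoolName $HostPoolName) {
        # Session host Name is "<pool>/<fqdn>"; the VM name is the first DNS label of the FQDN.
        $fqdn   = ($sh.Name -split '/')[-1]
        $vmName = ($fqdn -split '\.')[0]
        $power  = (Get-AzVM -ResourceGroupName $ResourceGroupName -Name $vmName -Status).PowerState
        $next   = if ($sh.Status -ne 'Available' -and $power -ne 'VM running') { 'Start the VM' }
                  elseif ($sh.Status -ne 'Available') { 'Check RDAgent / SxS stack services on the host' }
                  else { 'OK' }
        [pscustomobject]@{
            SessionHost   = $fqdn
            Status        = $sh.Status          # Available, Unavailable, Shutdown, NeedsAssistance, ...
            PowerState    = $power              # e.g. 'VM running' or 'VM deallocated'
            Sessions      = $sh.Session
            AllowNew      = $sh.AllowNewSession # $false = drain mode
            LastHeartbeat = $sh.LastHeartBeat
            AgentVersion  = $sh.AgentVersion
            NextStep      = $next
        }
    }
}

function Invoke-HostRollover {
    <#
      Image-update step: drain every host in the pool, warn signed-in users, then return the
      hosts that are already empty and therefore safe to remove. Hosts with sessions are left
      alone until their users sign out; nothing here reboots or deletes a VM.
    #>
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $HostPoolName,
        [int] $GraceMinutes = 30
    )
    foreach ($sh in Get-AzWvdSessionHost -ResourceGroupName $ResourceGroupName -HostPoolName $HostPoolName) {
        $fqdn = ($sh.Name -split '/')[-1]
        Update-AzWvdSessionHost -ResourceGroupName $ResourceGroupName -HostPoolName $HostPoolName `
            -Name $fqdn -AllowNewSession:$false
        $sessions = Get-AzWvdUserSession -ResourceGroupName $ResourceGroupName `
            -HostPoolName $HostPoolName -SessionHostName $fqdn
        foreach ($s in $sessions) {
            $sessionId = ($s.Name -split '/')[-1]     # Name is "<pool>/<fqdn>/<id>"
            Send-AzWvdUserSessionMessage -ResourceGroupName $ResourceGroupName -HostPoolName $HostPoolName `
                -SessionHostName $fqdn -UserSessionId $sessionId `
                -MessageTitle 'Scheduled maintenance' `
                -MessageBody "Please save your work and sign out within $GraceMinutes minutes."
        }
    }
    # Empty hosts can be removed now; re-run later for the rest.
    Get-AzWvdSessionHost -ResourceGroupName $ResourceGroupName -HostPoolName $HostPoolName |
        Where-Object { $_.Session -eq 0 } |
        ForEach-Object { ($_.Name -split '/')[-1] }
}

# Usage with placeholder names:
Get-SessionHostTriage -ResourceGroupName 'rg-avd-prod' -HostPoolName 'hp-pooled-finance' | Format-Table
Invoke-HostRollover   -ResourceGroupName 'rg-avd-prod' -HostPoolName 'hp-pooled-finance'
```

Running the rollover during a scaling plan's ramp-down window means most hosts are already drained and the list of removable hosts comes back almost complete on the first pass.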
AZ-140 exam tips
- Memorize the Desktop Virtualization RBAC roles and exactly what each grants - questions frequently ask for the least-privilege role to assign users to app groups (Application Group Contributor) or to manage sessions (User Session Operator).
- Know the MFA + SSO pattern cold: a Conditional Access policy on the Azure Virtual Desktop cloud app enforces MFA, and enabling SSO (with service principal consent) stops the second credential prompt at the host.
- When a scenario gives Entra-ID-joined (not hybrid) hosts, default to cloud-native answers: Entra ID Kerberos for Azure Files, Intune for management, and Entra-based RDP auth (enablerdsaadauth:i:1).
- For storage and profile questions, match the requirement to the option: lowest latency / high concurrency points to Azure NetApp Files; large Office cache points to a separate FSLogix Office Container (ODFC).
- For maintenance scenarios, the safe answer almost always involves drain mode plus deploying new hosts from an updated image - never patch or rebuild hosts that still have active user sessions.
Study guide FAQ
What is the difference between a pooled and a personal host pool, and when do I choose each?
A pooled host pool shares session host VMs among many users, making it the cost-effective choice when users run the same applications (call centers, knowledge workers); it supports breadth-first or depth-first load balancing. A personal host pool assigns each user a dedicated VM, used when users need persistent state, local admin rights, or specialized/heavy workloads.
How do FSLogix Profile Container and Office Container differ?
The Profile Container roams the entire user profile (registry, AppData, settings) in a single VHD/VHDX on SMB storage. The Office Container (ODFC) carves out the large Microsoft 365 cache - Outlook OST, OneDrive cache, Teams data, and the search index - into a separate container so it can sit on a different storage tier with independent capacity. You can use them together, but avoid double-handling the same data in both.
What does MSIX app attach require and what are its main steps?
Hosts must run Windows 10/11 Enterprise multi-session or Windows 11 Enterprise, and apps must be packaged as MSIX stored in VHD, VHDX, or CimFS on an SMB share. The flow is: package the app as MSIX with the MSIX Packaging Tool, expand it into a disk image with msixmgr, place the image on the file share, then add the MSIX package to the host pool and assign it. This delivers apps dynamically without modifying the golden image.
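The MSIX app attach flow described in Domain 3 and in this answer, as an added example that is not part of the study guide: it expands a signed MSIX into a CimFS image with msixmgr, copies the image and its companion files to the SMB share, reads the package metadata with Expand-AzWvdMsixImage, registers the package with the host pool, and publishes one of its applications in a RemoteApp group. It assumes the Az.DesktopVirtualization module's MSIX app attach cmdlets, a local copy of msixmgr.exe, and that session host computer accounts already have read access to the share; all paths, package and group names are placeholders.

```powershell
# Added example (not from the study guide). Package, share, tool path, resource group,
# host pool and application group names are placeholders.
#Requires -Modules Az.DesktopVirtualization

$msix    = 'C:\packages\ContosoNotes_1.2.0.0_x64.msix'          # placeholder: signed output of the MSIX Packaging Tool
$cim     = 'C:\images\ContosoNotes_1.2.0.0.cim'                  # placeholder: CimFS image to create
$share   = '\\stavdapps001.file.core.windows.net\appattach'      # placeholder SMB share
$rg      = 'rg-avd-prod'                                         # placeholder
$pool    = 'hp-pooled-finance'                                   # placeholder
$rapGrp  = "$pool-RAG"                                           # placeholder RemoteApp application group
$msixmgr = 'C:\tools\msixmgr\msixmgr.exe'                        # placeholder tool path

# 1. Expand the MSIX into a CIM image. -applyacls writes the ACLs the session hosts need;
#    -rootDirectory apps is the folder layout app attach expects inside the image.
& $msixmgr -Unpack -packagePath $msix -destination $cim -applyacls -create -filetype cim -rootDirectory apps
if ($LASTEXITCODE -ne 0) { throw "msixmgr failed with exit code $LASTEXITCODE" }

# 2. CimFS writes the .cim plus companion objectid_*/region_* files; all of them must go to the share.
Copy-Item -Path 'C:\images\*' -Destination $share -Force
$imagePath = Join-Path $share (Split-Path $cim -Leaf)

# 3. Read the package metadata (alias, family name, application IDs) from the image on the share.
$info = Expand-AzWvdMsixImage -ResourceGroupName $rg -HostPoolName $pool -Uri $imagePath

# 4. Register the package with the host pool. IsActive makes it available to sessions;
#    IsRegularRegistration:$false keeps on-demand registration, which is lighter at sign-in.
New-AzWvdMsixPackage -ResourceGroupName $rg -HostPoolName $pool `
    -PackageAlias $info.PackageAlias -DisplayName $info.DisplayName `
    -ImagePath $imagePath -IsActive:$true -IsRegularRegistration:$false

# 5. Publish the first application in the package as a RemoteApp, referenced by package
#    family name and app ID rather than by an executable path on the image.
New-AzWvdApplication -ResourceGroupName $rg -GroupName $rapGrp -Name 'ContosoNotes' `
    -FriendlyName 'Contoso Notes' -ApplicationType MsixApplication `
    -MsixPackageFamilyName $info.PackageFamilyName `
    -MsixPackageApplicationId $info.PackageApplication[0].AppId `
    -CommandLineSetting DoNotAllow -ShowInPortal:$true
```

Because the image is read at sign-in from the share, a new app version is delivered by expanding the new MSIX to a new image and registering it, with no change to the golden image.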
How do I make Microsoft Teams and video perform well in AVD?
Install the Teams desktop client plus the Remote Desktop WebRTC Redirector Service on the session hosts and enable Teams media optimization, which offloads audio/video processing to the local client device instead of the host. For browser/streamed video, enable Multimedia Redirection (MMR) to render video on the client. Both reduce session host CPU and improve quality.