One of the many things IT consultants love to throw around is “It Depends.” I’m here to tell you it does “not depend” when it comes to images. I had some wins and some fails in 2025 around my Nerdio/AVD projects, which is why I’m writing this. Don’t make my mistakes, and do it better overall.
Today, we will discuss:
- What exactly are AVD Desktop Images?
- Different flavors of AVD Desktop images
- Designing an Imaging Strategy for AVD
- Creating AVD Desktop Images in Nerdio
What Exactly are AVD Desktop Images
So, we hear the word “image” all the time. Sure, if you’re a VCDX or a very experienced person, you know all about images. Most people aren’t.
Before we discuss images, let’s discuss what a “VHD” or Virtual Hard Disk is. A VHD is a publicly available image format spec, which lets you take a hard disk and put it into an individual file. The OS can then use that disk like any other physical hard disk.
You can host native file systems, while still supporting standard disk and file operations via the VHD API. When you use that API to create the VHD, you can use that virtual disk as a boot disk as well. Hyper-V does this under the covers today. The Windows SDK integrates Native VHD support, which makes it easy for devs and admins to work with Windows images in VHD.
VHDs are central to the entire desktop image process, which is why we mention them. If you want to nerd out on VHDs, you can read more about them here.
An image is a copy of a virtual machine (VM) or sometimes just the operating system disk drive. Images are used to create VMs by capturing a copy of the VHDs in the image to create brand new disks attached to the new VM.
Next, we will discuss the different types of images in Azure.
Different Flavors of AVD Desktop Images
We have two main types of images inside of Azure:
- Azure Marketplace VM Images
- Azure Custom VM Images
Now, we will cover these two types so you have a general idea of what they are before we move on.
Azure Marketplace VM Images
An Azure Marketplace image has different attributes:
- Publisher (e.g. the org who created the image)
- Offer (group name of related images created by a publisher)
- SKU (the instance of that offer e.g. 24H2)
- Version (the version number of an image SKU)
We can explore each of these with the Azure shell.
When we use this code:
```powershell
Get-AzVMImagePublisher -Location "East US"
```
It will spit out a list of publisher names, locations, and IDs.

Now, we want to check out the Offers, which we do with this code:
```powershell
Get-AzVMImageOffer -Location "East US" -PublisherName MicrosoftWindowsDesktop
```
As you can see below, we now get the various offers for Windows Desktop:

Next, we move onto looking for the right SKU:
```powershell
Get-AzVMImageSku -Location "East US" -PublisherName MicrosoftWindowsDesktop -Offer windows-11
```
As you can see, this gives us the various permutations of Windows 11. You can see the SKUs from 21h2 up to 25h2.

Just for clarity, these are what the various types are:
- AVD: Multi-session Image SKU
- ENT: Enterprise Edition
- ENTN: Enterprise N Edition (Europe)
- PRO-ZH-CN: Pro Edition, Chinese (Simplified)
You could now in theory deploy a VM like this for multi-session.
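```powershell
# Prompt for the local administrator account the new VM will be created with.
$cred = Get-Credential

# Deploy a multi-session session host from the marketplace image
# (Publisher:Offer:SKU:Version).
New-AzVM `
    -ResourceGroupName "rg-avd" `
    -Name "avd-sessionhost-01" `
    -Location "eastus" `
    -Size "Standard_D8s_v5" `
    -Credential $cred `
    -Image "MicrosoftWindowsDesktop:windows-11:win11-24h2-avd:latest"
```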
Alternatively, you can do the same thing from the GUI:

Overall, this was to give you some of the building blocks you will want to understand when building images.
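The `New-AzVM` call above uses `latest`, which is resolved when the VM is deployed, so hosts built on different days can come from different image versions. The following is an added example, not code from the original post: a hypothetical helper, `Resolve-PinnedImageUrn`, that turns a `latest` URN into an explicit version so a build can be repeated and audited. The sample version numbers are constructed.

```powershell
# Added example: pin a marketplace image URN to an explicit version.
# Resolve-PinnedImageUrn is a hypothetical helper, not an Az cmdlet.
function Resolve-PinnedImageUrn {
    param(
        [Parameter(Mandatory)] [string]   $Urn,       # Publisher:Offer:Sku:Version
        [Parameter(Mandatory)] [string[]] $Versions   # versions published for that SKU
    )

    $parts = $Urn -split ':'
    if ($parts.Count -ne 4) {
        throw "Expected Publisher:Offer:Sku:Version, got '$Urn'"
    }
    $publisher, $offer, $sku, $version = $parts

    # An explicit version is kept, but only if it is actually published.
    if ($version -ne 'latest') {
        if ($Versions -notcontains $version) {
            throw "Version '$version' is not published for $sku"
        }
        return $Urn
    }

    # Sort as [version], not as strings: '26100.999.x' must rank below '26100.2033.x'.
    $newest = $Versions | Sort-Object { [version]$_ } -Descending | Select-Object -First 1
    return "${publisher}:${offer}:${sku}:${newest}"
}

# Constructed sample versions (not real release numbers).
$sampleVersions = '26100.999.250101', '26100.2033.250201', '26100.1742.250115'

Resolve-PinnedImageUrn `
    -Urn 'MicrosoftWindowsDesktop:windows-11:win11-24h2-avd:latest' `
    -Versions $sampleVersions

# Against a live subscription, feed the real list instead:
# $versions = (Get-AzVMImage -Location 'East US' -PublisherName MicrosoftWindowsDesktop `
#     -Offer windows-11 -Skus win11-24h2-avd).Version
```

Record the pinned URN alongside the captured image so you can tell which base version each gold image was built from.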
Azure Custom VM Images
Azure Custom images are exactly what they sound like. The idea is that you create a Virtual Machine like we did in the previous section, but you “customize” it! I know, super complicated. I wrote about this a few years ago here for Windows 365.
At a high level, the steps are:
- Build the VM with a marketplace template
- RDP to the VM or get there however you’re getting there.
- Install apps you want in the custom image.
- Run whatever configurations you want
- Run my friend WDOT (Windows Desktop Optimization Tool)
- Sysprep and capture the image
So, it’s a bunch of steps right? It sure is, which can be a little bit annoying. Custom images are the lifeblood of many organizations. Now, you do have a multitude of options, which we will discuss later, but many people default to imaging as it’s been the standard for YEARS.
Overall, it’s easy to see why image capture is often difficult and time-consuming. In certain scenarios, customers are basically building newly patched images and having to roll them out to all of their pools, which becomes a very long and grueling exercise.
Designing an Imaging Strategy for AVD
Before we go too deep into things we should discuss the reality. You have many different ways to solve imaging. It’s not that any idea is bad, but some ideas are actually bad. Yeah, you saw what I did there. A few of the ways you can attack imaging are:
- Generic Imaging
- Imaging with FSLogix App Masking
- Intune YOLO Strategy
- Imaging with MSIX App Attach (or some other strategy like Omnissa App Volumes)
- Hybrid Strategies with Imaging and Intune
Generic Imaging Strategy
Your standard imaging strategy includes building an image like we discussed earlier. Once you build that custom image and apply the base apps and base configuration, you have your image.
This can often be challenging, because you must go and patch that image and redeploy it to your existing hosts, which can be exhausting.

You also run into challenges like the fact that not everyone wants to see an image with 30 apps on every single pool.
Now you end up fracturing your imaging strategy, because you must build additional images forked off that original gold image.
What happens when those users are like:

Now, you need to fire-up that image in some fashion, add more apps, and then re-capture and reimage AGAIN. The whole thing is completely exhausting for everyone.
This strategy isn’t the “wrong” one, but it is one that is going to create a ton of work (yay job security!), and just isn’t a scalable way of managing your VDI infrastructure anymore. It worked for years, but in the year of our lord 2025 it is not the way.
Imaging with FSLogix App Masking
A more modern and sleek take on option 1, though it still has some challenges, is adding FSLogix to the mix.
**App Masking is only supported on Hybrid Azure AD joined host pools today**
Application masking is a way to manage access of installed applications. So, you “can” have an image that has upwards of 80 applications and create rules that you assign to groups to control what people can actually see.
Let’s take a look at how it works on Nerdio for example.
First, we drill into a pool and go to Applications > Installed Apps
We click “Discover Apps”

Next, we click “Add Rule Set”

Inside of the Rule Set, we configure the rule name, the apps, and who to apply it to:

Now, you just click “Save & Apply” to apply it to the existing hosts or “Save & Close” to save it, which will only apply on new hosts or on reimage.
Overall, you can see how powerful app masking can be, allowing you to create a single image to handle everything.
One thing to consider is in some circumstances this might not be good enough for certain apps that have distinct setup/configurations. So, multiple images might still be needed, but this does help you mitigate many of the challenges.
Intune YOLO Strategy
Our Intune YOLO strategy is not for the faint of heart. The basics of this strategy, as amusing as the title is, are deploying gallery images and praying to the Intune gods.
You create your session hosts with marketplace images, connect them to Intune, and manage them like physical machines.
Typically, nothing about this goes well, for a myriad of reasons. The first is that multi-session does not enroll into Intune well. Until a user logs in, it cannot properly autodiscover the MDM auto-enrollment URLs; I did write a script that addresses this:
```powershell
$tenantInfoPath = "HKLM:\SYSTEM\CurrentControlSet\Control\CloudDomainJoin\TenantInfo"
$maxRetries = 24 # 2 hours / 5 minutes per retry
$retryCount = 0

# Wait for the TenantInfo key to appear before writing the MDM values.
while (-not (Test-Path $tenantInfoPath) -and $retryCount -lt $maxRetries) {
    Write-Output "$(Get-Date -Format 'yyyy-MM-dd HH:mm:ss') - Path not found, retrying in 5 minutes... (Attempt $($retryCount+1) of $maxRetries)"
    Start-Sleep -Seconds 300
    $retryCount++
}

if (Test-Path $tenantInfoPath) {
    # The subkey under TenantInfo is named after the tenant ID.
    $key = "$tenantInfoPath\*"
    $keyinfo = Get-Item $key
    $url = $keyinfo.Name.Split("\")[-1]
    $path = "$tenantInfoPath\$url"

    # Write the three MDM URLs that autodiscovery would otherwise populate.
    New-ItemProperty -LiteralPath $path -Name 'MdmEnrollmentUrl' -Value 'https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc' -PropertyType String -Force -ea SilentlyContinue
    New-ItemProperty -LiteralPath $path -Name 'MdmTermsOfUseUrl' -Value 'https://portal.manage.microsoft.com/TermsofUse.aspx' -PropertyType String -Force -ea SilentlyContinue
    New-ItemProperty -LiteralPath $path -Name 'MdmComplianceUrl' -Value 'https://portal.manage.microsoft.com/?portalAction=Compliance' -PropertyType String -Force -ea SilentlyContinue
    Write-Output "$(Get-Date -Format 'yyyy-MM-dd HH:mm:ss') - Successfully updated MDM registry values."
}
else {
    Write-Warning "$(Get-Date -Format 'yyyy-MM-dd HH:mm:ss') - Path not found after 2 hours, exiting script."
}
```
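The script above writes its values with `-ea SilentlyContinue`, so a failed write leaves no trace. As an added example that is not part of the original script, the following read-only check reports, for every tenant subkey, whether the three values are present and match what the script writes; `Get-MdmUrlAudit` is a hypothetical function name.

```powershell
# Added example: audit the values the enrollment script writes (read-only).
$expected = [ordered]@{
    MdmEnrollmentUrl = 'https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc'
    MdmTermsOfUseUrl = 'https://portal.manage.microsoft.com/TermsofUse.aspx'
    MdmComplianceUrl = 'https://portal.manage.microsoft.com/?portalAction=Compliance'
}

function Get-MdmUrlAudit {
    param(
        [string] $TenantInfoPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\CloudDomainJoin\TenantInfo'
    )

    if (-not (Test-Path -LiteralPath $TenantInfoPath)) {
        # The enrollment script waits for this key; without it there is nothing to audit.
        Write-Warning "TenantInfo key not found at $TenantInfoPath"
        return
    }

    # Check every subkey instead of assuming the wildcard matches exactly one.
    foreach ($tenantKey in Get-ChildItem -LiteralPath $TenantInfoPath) {
        $props = Get-ItemProperty -LiteralPath $tenantKey.PSPath
        foreach ($name in $expected.Keys) {
            $actual = $props.$name
            $state = if ($null -eq $actual) { 'Missing' } elseif ($actual -eq $expected[$name]) { 'OK' } else { 'Mismatch' }
            [pscustomobject]@{
                Tenant = $tenantKey.PSChildName
                Name   = $name
                State  = $state
                Actual = $actual
            }
        }
    }
}

# Show only the values that differ from what the script is supposed to write.
Get-MdmUrlAudit | Where-Object State -ne 'OK' | Format-Table -AutoSize
```

A `Mismatch` row is worth a look before re-running the writer, since these URLs decide which service the host tries to enroll with.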
Beyond that first hurdle, you also must contend with how long it takes for apps, policies, and other stuff to come down via Intune. We all know how fickle the Intune gods happen to be, which is nothing new.
If you make the mistake of recommending this approach, you should be prepared to spend countless hours putting lipstick on a pig. It’s a very difficult road that I personally went down for one customer and have regretted it ever since.
Imaging with MSIX App Attach
This 4th idea is a step in the right direction. Essentially the idea is that you would deploy a single gold image, with possibly some baseline apps. Inside a MSIX package it looks like this:

Basically, when the user logs into their session host, the session host will talk to the file share where your MSIX packages are hosted and mount them just like an FSLogix share. This strategy is slightly nicer than the Intune strategy because your applications are available instantly instead of you praying to the Intune gods.
Hybrid Strategies with Imaging and Intune
Your hybrid strategy is truly the best approach. The best strategy that I have found for imaging, irrespective of whether you use Nerdio or not, is to leverage images with FSLogix application masking and connect to Intune for patching via Autopatch (and possibly some policies).
Intune has specific things that can be really useful, like script deployments and policy deployments (especially with ADMX integrations), but leveraging Autopatch to patch those hosts is by far the best approach you can find.
One challenge is a lack of maintenance windows in Autopatch, which hopefully won’t be too far away. The nice thing is you also can take advantage of other capabilities like Hotpatch, which I wrote about here.
Creating AVD Desktop Images in Nerdio
Now that we have discussed strategy, we should start discussing how Nerdio makes it magical.
I started writing about Nerdio back in 2024 with my first article on NME here.
The beauty of Nerdio is that you can run Azure Automations to seamlessly create your images for you. I’ve built and hosted my imaging script here.
The trickiest part of it is figuring out what type of image you want to roll with.
You remember this picture from earlier:

Typically, I try to use these:
- ‘microsoftwindowsdesktop/windows-11/win11-24h2-ent/latest’ for single session AVD
- ‘microsoftwindowsdesktop/windows-11/Office-365/win11-24h2-avd-m365/latest’ for multi-session AVD
You run that beautiful Azure Runbook and 30m later it will magically appear:

The beauty with Nerdio is that once you have that first image, you can update or clone those images pretty easily to iterate like a beast.
We update images pretty easily just by clicking “Power On”:

RDP to that server (I typically just log into one of my pools, and bounce into it), make your changes, and log off. Once done, you just click “Power Off & Set as Image” and “Run Now”.


The other thing you can do is clone an image:

Once you click that, it’s super simple to just set whatever settings you want and click “OK” to start your image creation:

In all, your imaging strategy requires a village. Nerdio helps make that strategy so much easier by simplifying image creation, making FSLogix app masking easy, and even MSIX App Attach becomes a breeze with their great UI and easy implementation.
There’s no perfect answer, but you do need to consider many different things like:
- If a different flavor of the same app needs to be on several pools (impacts your App Masking strategy)
- Apps that don’t support multi-session like Visual Studio
- The combination of solutions that work best for you. You might still be an Omnissa customer and want to use App Volumes with Images for example.
We will keep evolving and grow together as Microsoft continues to add additional features that make life easier. Hopefully App Masking will come to Entra Join for example as that is a big womp womp.
