Intune Detection & Remediation script pair for enforcing RDP Shortpath configuration on session hosts running Azure Virtual Desktop

Today I am going to share with you a production-ready Intune Detection & Remediation script pair for enforcing RDP Shortpath configuration on session hosts running Azure Virtual Desktop.

These scripts are designed for deployment using Proactive Remediations in Microsoft Intune.

Scenario Covered

This pair ensures:

  • UDP transport is enabled
  • Managed Private Shortpath is enabled
  • Managed NAT Traversal is enabled
  • Public STUN is enabled
  • Public TURN is enabled
  • Optional UDP firewall rule exists

If any setting is missing or incorrect → remediation runs automatically.

Detection Script

  • Exit 0 = Compliant
  • Exit 1 = Not compliant (Triggers remediation)

# ==========================================
# AVD RDP Shortpath Detection - Enterprise
# ==========================================

$BasePath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
$LogPath  = "C:\ProgramData\AVD-Shortpath"
$LogFile  = "$LogPath\Detection.log"

# Ensure log directory exists
if (!(Test-Path $LogPath)) {
    New-Item -Path $LogPath -ItemType Directory -Force | Out-Null
}

Start-Transcript -Path $LogFile -Append -Force

Write-Output "===== AVD Shortpath Detection Started ====="
Write-Output "Timestamp: $(Get-Date)"
Write-Output "Computer: $env:COMPUTERNAME"

$ExpectedSettings = @{
    "fClientDisableUDP"             = 0
    "AVDManagedPrivateUDP"          = 1
    "AVDManagedPrivateUDPWithICE"   = 1
    "AVDPublicUDP"                  = 1
    "AVDRelayUDP"                   = 1
}

$NonCompliant = $false
$Report = @()

foreach ($Setting in $ExpectedSettings.Keys) {
    try {
        $CurrentValue = (Get-ItemProperty -Path $BasePath -Name $Setting -ErrorAction Stop).$Setting
        if ($CurrentValue -ne $ExpectedSettings[$Setting]) {
            $NonCompliant = $true
            $Report += "$Setting Expected: $($ExpectedSettings[$Setting]) Found: $CurrentValue"
        }
        else {
            $Report += "$Setting Compliant"
        }
    }
    catch {
        $NonCompliant = $true
        $Report += "$Setting Missing"
    }
}

# Firewall validation
$FirewallRule = Get-NetFirewallRule -DisplayName "AVD RDP Shortpath UDP" -ErrorAction SilentlyContinue
if (-not $FirewallRule) {
    $NonCompliant = $true
    $Report += "Firewall rule missing"
}
else {
    $Report += "Firewall rule present"
}

# Output results for Intune reporting
$Report | ForEach-Object { Write-Output $_ }

if ($NonCompliant) {
    Write-Output "Overall Status: NON-COMPLIANT"
    Stop-Transcript
    exit 1
}
else {
    Write-Output "Overall Status: COMPLIANT"
    Stop-Transcript
    exit 0
}
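The detection script only tests that a firewall rule with the display name "AVD RDP Shortpath UDP" exists; a rule with that name that is disabled, set to Block, or bound to another port would still report as compliant. The following is an added example, not part of the original script pair, of a stricter check that validates the rule's state and port filter and confirms the host is bound to the UDP port the remediation opens. It assumes the rule name and port 3390 from the remediation script and uses the standard NetSecurity cmdlets Get-NetFirewallRule, Get-NetFirewallPortFilter and Get-NetUDPEndpoint.

```powershell
# Added example (not from the original scripts): stricter firewall and listener checks
# for the detection stage. Rule name and port are taken from the remediation script.

$RuleName = "AVD RDP Shortpath UDP"
$UdpPort  = 3390

function Test-ShortpathFirewallRule {
    param([string]$DisplayName = $RuleName, [int]$Port = $UdpPort)

    $Rule = Get-NetFirewallRule -DisplayName $DisplayName -ErrorAction SilentlyContinue
    if (-not $Rule) { return @{ Compliant = $false; Reason = "rule missing" } }

    # Enabled/Direction/Action live on the rule object; protocol and port on its port filter
    $Filter   = $Rule | Get-NetFirewallPortFilter
    $Problems = @()
    if ($Rule.Enabled   -ne "True")    { $Problems += "rule disabled" }
    if ($Rule.Direction -ne "Inbound") { $Problems += "direction $($Rule.Direction)" }
    if ($Rule.Action    -ne "Allow")   { $Problems += "action $($Rule.Action)" }
    if ($Filter.Protocol -ne "UDP")    { $Problems += "protocol $($Filter.Protocol)" }
    if ("$($Filter.LocalPort)" -ne "$Port") { $Problems += "port $($Filter.LocalPort)" }

    return @{ Compliant = ($Problems.Count -eq 0); Reason = ($Problems -join "; ") }
}

function Test-ShortpathListener {
    param([int]$Port = $UdpPort)
    # Once the policy values are applied and TermService has restarted, the session host
    # should hold a UDP endpoint on this port; no endpoint points at a service or policy problem
    $Endpoint = Get-NetUDPEndpoint -LocalPort $Port -ErrorAction SilentlyContinue
    return [bool]$Endpoint
}

# Report in the same style as the detection script so the lines show up in Intune output
$FwResult = Test-ShortpathFirewallRule
if ($FwResult.Compliant) {
    Write-Output "Firewall rule: Compliant"
}
else {
    Write-Output "Firewall rule: Non-compliant ($($FwResult.Reason))"
}

if (Test-ShortpathListener) {
    Write-Output "UDP $UdpPort listener: present"
}
else {
    Write-Output "UDP $UdpPort listener: absent"
}
```

To use it in the detection script, set $NonCompliant = $true when either function reports a problem, in place of the DisplayName-only test.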

Remediation Script

# ==========================================
# AVD RDP Shortpath Remediation - Enterprise
# ==========================================

$BasePath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
$LogPath  = "C:\ProgramData\AVD-Shortpath"
$LogFile  = "$LogPath\Remediation.log"
$EventSource = "AVD-Shortpath-Remediation"

if (!(Test-Path $LogPath)) {
    New-Item -Path $LogPath -ItemType Directory -Force | Out-Null
}

Start-Transcript -Path $LogFile -Append -Force

Write-Output "===== AVD Shortpath Remediation Started ====="
Write-Output "Timestamp: $(Get-Date)"
Write-Output "Computer: $env:COMPUTERNAME"

# Create registry path if missing
if (!(Test-Path $BasePath)) {
    New-Item -Path $BasePath -Force | Out-Null
    Write-Output "Created registry base path."
}

# Apply configuration
$SettingsToApply = @{
    "fClientDisableUDP"             = 0
    "AVDManagedPrivateUDP"          = 1
    "AVDManagedPrivateUDPWithICE"   = 1
    "AVDPublicUDP"                  = 1
    "AVDRelayUDP"                   = 1
}

foreach ($Setting in $SettingsToApply.Keys) {
    New-ItemProperty -Path $BasePath -Name $Setting -Value $SettingsToApply[$Setting] -PropertyType DWord -Force | Out-Null
    Write-Output "Set $Setting to $($SettingsToApply[$Setting])"
}

# Ensure firewall rule (inbound UDP 3390 on all profiles)
if (-not (Get-NetFirewallRule -DisplayName "AVD RDP Shortpath UDP" -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule `
        -DisplayName "AVD RDP Shortpath UDP" `
        -Direction Inbound `
        -Protocol UDP `
        -LocalPort 3390 `
        -Action Allow `
        -Profile Any | Out-Null
    Write-Output "Created firewall rule."
}
else {
    Write-Output "Firewall rule already exists."
}

# Restart Remote Desktop Services so the new policy values take effect.
# Note: this disconnects any users currently signed in to the session host.
Restart-Service TermService -Force
Write-Output "Restarted Remote Desktop Services."

# Write to Event Log
if (-not [System.Diagnostics.EventLog]::SourceExists($EventSource)) {
    New-EventLog -LogName Application -Source $EventSource
}

Write-EventLog `
    -LogName Application `
    -Source $EventSource `
    -EntryType Information `
    -EventId 1001 `
    -Message "RDP Shortpath remediation executed successfully."

Write-Output "Remediation completed successfully."

Stop-Transcript
exit 0

How to Deploy in Intune

  1. Go to Devices
  2. Select Scripts and Remediations
  3. Click Create
  4. Choose:
     • Detection script → Paste Detection
     • Remediation script → Paste Remediation
  5. Settings:
     • Run as logged-on user: No
     • Run in 64-bit PowerShell: Yes
  6. Assign to:
     • AVD Session Host device group

How to Confirm Shortpath Is Working

Inside an active AVD session:

Press:

Ctrl + Alt + Shift + B

Check for:

  • UDP transport
  • Connection type: Managed / STUN / TURN

What You Get in Intune Reporting

In Devices → Scripts and Remediations → Device Status, you’ll now see:

  • Detailed per-setting compliance output
  • Clear “Overall Status”
  • Timestamped execution logs
  • Historical remediation tracking