Centralized RDP Shortpath Control via GPO and Intune for AVD and Windows 365

Microsoft has quietly moved a practical — and long-requested — piece of RDP plumbing into the enterprise management plane: administrators can now centrally control RDP Shortpath behavior for Azure Virtual Desktop (AVD) session hosts and Windows 365 Cloud PCs using Group Policy (GPO) and Microsoft Intune. This change converts previously scattered, host‑by‑host tuning into a policy-driven capability that writes registry-backed settings, enforces deterministic behavior at scale, and reduces the manual configuration burden for IT teams managing virtual desktop fleets.

Background / Overview

RDP Shortpath is Microsoft’s enhancement to Remote Desktop that prefers a direct, UDP‑based transport where possible instead of relying only on TCP. The Shortpath concept covers three practical transport modes:
  • Managed (internal networks / NAT traversal) — direct UDP between client and session host on managed networks.
  • Public (STUN) — direct UDP using ICE/STUN discovery when clients are on public networks.
  • Public (TURN / relay) — relayed UDP through TURN servers when a direct peer‑to‑peer path can’t be negotiated.
These modes let the RDP stack choose the most efficient route for media and interactive traffic (audio, video, input), improving responsiveness and reducing latency compared with TCP-only sessions. Microsoft recommends keeping all three modes enabled by default so the connection can automatically pick the best available path.
RDP Shortpath has been a staged rollout for some time — Relayed Shortpath (TURN) and host‑pool controls arrived earlier — but until now, session hosts lacked a native, central policy surface accessible via GPO/Intune for consistent fleetwide enforcement. That gap left many organizations juggling per‑host registry edits, ad hoc scripts, or only host‑pool level settings to manage how Shortpath behaves in real networks. The new GA announcement formalizes a management surface that maps directly to registry‑backed policies and the existing ADMX/Settings Catalog tooling administrators already use.

What changed: centralized Shortpath control via GPO and Intune

What Microsoft released

  • A set of administrative template settings surfaced in Group Policy and the Settings Catalog in Microsoft Intune that let you enable/disable each RDP Shortpath mode on session hosts and Cloud PCs.
  • Those settings write registry-backed policies on session hosts (so the change is local and persistent), and administrators must restart the target machines for changes to take effect.
  • The controls operate in addition to AVD host pool networking settings; when both host pool and session host policies are configured, the session‑host policy is used to provide deterministic behavior.

Where to find the settings​

In Intune:
  • Create a Windows 10+ Settings Catalog profile.
  • Browse to Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Azure Virtual Desktop > RDP Shortpath.
  • Toggle each Shortpath option (Managed, Public/STUN, Public/TURN) to Enabled / Disabled / Not configured, assign the profile, and restart devices.
In Group Policy:
  • Import the Azure Virtual Desktop ADMX templates into your PolicyDefinitions store (or use the central store).
  • Edit a computer policy: Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Azure Virtual Desktop > RDP Shortpath.
  • Set the relevant options and target the policy to session hosts; restart to apply.

Registry and precedence behavior (nuts & bolts)

Microsoft’s implementation uses registry keys to reflect the policy decisions made via GPO/Intune. Host pool networking settings remain useful for higher‑level control, but when a session host has a direct policy set (GPO/Intune), that policy governs the host’s operation. Where host pool and host‑level settings conflict, the session host configuration provides the final, deterministic outcome. This layering gives admins an extra level of control — useful when host pools are managed by platform teams but individual session hosts need tailored behavior.

Why this matters for IT: practical benefits

Centralized Shortpath control delivers several immediate, practical wins for enterprise desktop teams:
  • Reduced operational overhead. No more per‑host registry edits, fragile scripts, or manual work when you want to change Shortpath behavior across thousands of session hosts. Policies in Intune/GPO let you push changes in minutes.
  • Predictable, auditable behavior. Policy changes become part of your management fabric (policy history, ADMX definitions, Intune assignments), which simplifies change control, compliance evidence and troubleshooting.
  • Granular control over transport modes. You can selectively disable STUN or TURN where regulatory or network constraints dictate — for example, if corporate security requires that traffic always transit through an approved relayed path or via specific subnets.
  • Works with host pool settings. Host pool networking settings remain useful for broad strokes, while host‑level policies provide deterministic overrides when needed.
Petri and other community coverage highlighted this operational gap and the practical benefits that many enterprises will immediately realize by removing brittle, manual Shortpath tweaks and moving to a managed policy model.

Operational details, prerequisites and gotchas

Centralized controls are powerful, but you must understand the networking and platform preconditions to avoid surprises.

Connectivity prerequisites and ports

  • Shortpath depends on UDP connectivity between client and session host and/or the reachability of STUN/TURN endpoints. If UDP is blocked on a network path, Shortpath will fail over to the standard TCP-based reverse connect transport.
  • TURN relays commonly use UDP port 3478, and Microsoft recommends keeping TURN enabled because it provides a predictable relay path for clients behind symmetric NAT or restrictive firewalls. Disabling TURN reduces successful connection rates and increases the likelihood of fallback to TCP, degrading media performance.
  • You can control the local port allocation used for STUN/TURN by setting a UDP base port and port pool size in policy. Microsoft’s default values are a UDP base port of 38300 and a port pool size of 1000, but those values are configurable when needed to fit enterprise firewall rules or constrained NATs. After applying such changes, targeted machines must be restarted for the registry values to take effect.
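As an added example (not code from the article, Petri, or Microsoft), the following PowerShell reports the registry-backed Shortpath policy state on a session host and checks whether anything on the host already listens inside the STUN/TURN UDP port pool. The policy key path and value names are assumptions based on Microsoft's public Shortpath documentation, not values the article gives; confirm them against the ADMX template you imported before relying on the report. The 38300 and 1000 fallbacks are the Microsoft defaults the article quotes, used only when the corresponding policy is not configured.

```powershell
# Added example, not code from the article or from Microsoft: audit the
# registry-backed RDP Shortpath policy state on one session host and check the
# STUN/TURN UDP port pool for collisions. ASSUMPTIONS: the key path and value
# names below come from Microsoft's public Shortpath documentation as remembered
# here; verify them against the imported ADMX template before trusting output.
$ShortpathPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$ShortpathValueNames = @{
    Managed      = 'fUseUdpPortRedirector'    # assumed: 1 = Shortpath for managed networks on
    ManagedPort  = 'UdpPortNumber'            # assumed: listener port for managed networks
    PublicIce    = 'ICEControl'               # assumed: STUN/TURN control for public networks
    PortRangeOn  = 'ICEEnableClientPortRange' # assumed: 1 = honor the configured base/pool
    PortBase     = 'ICEClientPortBase'        # assumed: UDP base port (article default 38300)
    PortPoolSize = 'ICEClientPortRange'       # assumed: pool size (article default 1000)
}

function Get-PolicyDword {
    # Return the DWORD stored under $Name, or $null when the policy is "Not configured".
    param([string]$Key, [string]$Name)
    if (-not (Test-Path $Key)) { return $null }
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function ConvertTo-PolicyState {
    # Map a policy DWORD to the Enabled / Disabled / Not configured states the ADMX exposes.
    param($Value)
    if ($null -eq $Value) { return 'Not configured' }
    if ($Value -eq 1) { return 'Enabled' }
    return 'Disabled'
}

function Get-ShortpathPolicyReport {
    [CmdletBinding()]
    param([string]$Key = $ShortpathPolicyKey)

    $base = Get-PolicyDword -Key $Key -Name $ShortpathValueNames.PortBase
    $pool = Get-PolicyDword -Key $Key -Name $ShortpathValueNames.PortPoolSize
    if ($null -eq $base) { $base = 38300 }   # Microsoft default quoted in the article
    if ($null -eq $pool) { $pool = 1000 }    # Microsoft default quoted in the article

    # Any UDP socket already bound inside the pool competes with Shortpath's ICE
    # candidates; list those ports so the firewall/port-range change can be reviewed.
    $conflicts = Get-NetUDPEndpoint -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalPort -ge $base -and $_.LocalPort -lt ($base + $pool) } |
        ForEach-Object { $_.LocalPort } | Sort-Object -Unique

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        ManagedNetworks   = ConvertTo-PolicyState (Get-PolicyDword -Key $Key -Name $ShortpathValueNames.Managed)
        ManagedUdpPort    = Get-PolicyDword -Key $Key -Name $ShortpathValueNames.ManagedPort
        PublicIceControl  = Get-PolicyDword -Key $Key -Name $ShortpathValueNames.PublicIce   # raw value; decode per ADMX
        PortRangeEnforced = (Get-PolicyDword -Key $Key -Name $ShortpathValueNames.PortRangeOn) -eq 1
        UdpBasePort       = $base
        UdpPortPoolSize   = $pool
        UdpPortConflicts  = ($conflicts -join ',')
        # Registry-backed policy only applies after a restart: compare this with
        # the time the Intune/GPO assignment was made.
        LastBootUpTime    = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
    }
}

# Usage: run locally on a session host, or fan the whole script out over remoting:
#   Invoke-Command -ComputerName (Get-Content .\hosts.txt) -FilePath .\Get-ShortpathPolicy.ps1
Get-ShortpathPolicyReport | Format-List
```

A host whose LastBootUpTime predates the policy assignment is still running with its old transport settings even though the registry already shows the new values; that is the restart requirement the article describes, made visible per host.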

Host pool vs session host ordering

  • Host pool Shortpath settings remain a convenient central control, but session host policies take precedence (or the most restrictive option is enforced depending on the configuration), so admins should design a policy model that avoids unintended conflicts between Azure host‑pool settings and on‑host GPO/Intune policies. Test the ordering in a pilot ring before broad rollout.

Restart requirement and change window

  • Registry-backed changes require session host or Cloud PC restarts to apply. Plan your change windows and automation pipelines (e.g., update rings, maintenance windows, or image refresh processes) to minimize user impact.

TURN relays and regional availability

  • TURN relays are geographically deployed and use region selection logic for relay placement. If a client is located far from any TURN relay, TURN connectivity may be less reliable or may fall back to TCP; Microsoft continues to expand TURN regional coverage. Confirm TURN relay availability for your target user geographies as part of your rollout plan.

Troubleshooting best practices

  • Start with telemetry: use AVD and Cloud PC connection diagnostics and Connection Quality Reports to identify whether sessions are using Shortpath and which transport they selected.
  • Validate UDP reachability from representative client networks — home ISPs, mobile carriers, and corporate remote access segments — before extensive enablement.
  • For host‑level testing, use GPO targeting or Intune device groups and document exact ADMX/Settings Catalog choices and assignments so rollbacks are auditable and simple.
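One way to validate the UDP reachability the list above calls for, as an added example that is not part of the article: the PowerShell below sends a single STUN Binding Request (RFC 5389) to a STUN/TURN endpoint on UDP 3478 and decodes the reply, reporting whether a response came back and which public address and port the server observed for the client. The endpoint name is an assumption you supply from Microsoft's published AVD/Windows 365 endpoint list; nothing is hard-coded here, and only IPv4 mappings are decoded.

```powershell
# Added example, not part of the article: send one STUN Binding Request (RFC 5389)
# over UDP and decode the reply, to confirm a client network can reach a STUN/TURN
# endpoint on UDP/3478 before Shortpath for public networks is relied on.
# ASSUMPTION: -Server is the STUN/TURN host from Microsoft's published endpoint
# list for AVD / Windows 365; this script does not hard-code one.
function Test-StunBinding {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Server,
        [int]$Port = 3478,          # STUN/TURN port named in the article
        [int]$TimeoutMs = 3000
    )

    # STUN header: Type=0x0001 (Binding Request), Length=0, magic cookie, 12-byte transaction ID.
    $txId = New-Object byte[] 12
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($txId)
    $request = [byte[]]((0x00, 0x01, 0x00, 0x00, 0x21, 0x12, 0xA4, 0x42) + $txId)

    $udp = New-Object System.Net.Sockets.UdpClient
    try {
        $udp.Client.ReceiveTimeout = $TimeoutMs
        [void]$udp.Send($request, $request.Length, $Server, $Port)
        $remote = New-Object System.Net.IPEndPoint([System.Net.IPAddress]::Any, 0)
        $reply = $udp.Receive([ref]$remote)
    } catch {
        # No reply inside the timeout: UDP is blocked or filtered on the path, or the
        # endpoint is down. Shortpath would fall back to TCP from this network.
        return [pscustomobject]@{ Server = $Server; Port = $Port; UdpReachable = $false; Reason = $_.Exception.Message }
    } finally {
        $udp.Dispose()
    }

    # Validate the reply: 0x0101 = Binding Success Response, and the transaction ID must echo ours.
    $isSuccess = ($reply.Length -ge 20) -and ($reply[0] -eq 0x01) -and ($reply[1] -eq 0x01)
    $txMatch = $isSuccess -and (($reply[8..19] -join ',') -eq ($txId -join ','))
    if (-not $txMatch) {
        return [pscustomobject]@{ Server = $Server; Port = $Port; UdpReachable = $true; Reason = 'Unexpected STUN reply' }
    }

    # Walk the attributes; decode XOR-MAPPED-ADDRESS (0x0020) or MAPPED-ADDRESS (0x0001), IPv4 only.
    $mapped = $null
    $offset = 20
    $msgLen = ($reply[2] -shl 8) -bor $reply[3]
    while ($offset + 4 -le 20 + $msgLen) {
        $type = ($reply[$offset] -shl 8) -bor $reply[$offset + 1]
        $len  = ($reply[$offset + 2] -shl 8) -bor $reply[$offset + 3]
        $val  = $offset + 4
        if (($type -eq 0x0020 -or $type -eq 0x0001) -and ($reply[$val + 1] -eq 0x01)) {
            # XOR form is masked with the magic cookie; plain MAPPED-ADDRESS is not.
            $xor = if ($type -eq 0x0020) { 0x21, 0x12, 0xA4, 0x42 } else { 0, 0, 0, 0 }
            $portNum = ((($reply[$val + 2] -bxor $xor[0]) -shl 8) -bor ($reply[$val + 3] -bxor $xor[1]))
            $ip = (0..3 | ForEach-Object { $reply[$val + 4 + $_] -bxor $xor[$_] }) -join '.'
            $mapped = "${ip}:${portNum}"
            if ($type -eq 0x0020) { break }   # prefer the XOR form when both are present
        }
        $pad = ($len + 3) -band (-bnot 3)     # attribute values are padded to 4-byte boundaries
        $offset += 4 + $pad
    }

    [pscustomobject]@{
        Server        = $Server
        Port          = $Port
        UdpReachable  = $true
        Reason        = 'Binding Success Response'
        MappedAddress = $mapped   # public IP:port the STUN server observed (the NAT mapping)
    }
}

# Usage from each representative client network (home ISP, mobile carrier, VPN segment):
#   Test-StunBinding -Server <stun-endpoint-from-microsoft-docs>
```

Run it from every client topology in the pilot. A timeout means the path drops UDP and those users will land on the TCP reverse-connect transport regardless of how the host policy is set; a success with a MappedAddress whose port differs between two consecutive runs is a hint of a symmetric NAT, which is exactly the case where keeping TURN enabled matters.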

A practical rollout checklist for administrators

  • Inventory
      • Identify all AVD host pools, session hosts, and Windows 365 Cloud PCs.
      • Map where users connect from (office networks, home ISPs, public hotspots, country/regional breakdown).
  • Pilot group
      • Select a pilot group representing the heaviest and most vulnerable network topologies (remote developers, call centers, mobile users).
      • Configure Shortpath policies in Intune or GPO for the pilot hosts only; document assignments.
  • Networking validation
      • Verify UDP connectivity and STUN/TURN reachability from each client topology; open firewall ports (including UDP 3478 for TURN) and allocate the UDP base port pool where needed (default base 38300, pool size 1000).
      • If proxies or inspection appliances exist, validate UDP pass‑through or exceptions for the Shortpath port range.
  • Configure policies
      • Use Intune’s Settings Catalog or import the ADMX into the GPO central store.
      • Set the three Shortpath toggles (Managed, Public/STUN, Public/TURN) per your risk/operational posture. Microsoft recommends leaving all enabled for automatic optimization unless you must restrict a mode.
  • Apply and restart
      • Assign policies to the session host groups; schedule restarts to apply changes.
  • Monitor and iterate
      • Use AVD telemetry, connection quality, and helpdesk metrics to measure improvement or regressions. Adjust port ranges, TURN usage, or policy scope accordingly.

Security, compliance and governance considerations

Centralized Shortpath policy improves governance by making transport choices auditable and centrally manageable. However, some organizations will want to restrict public traversal modes for compliance reasons:
  • If your compliance model forbids direct client-to-host UDP bypass of controlled network paths, you can disable public STUN traversal and permit only TURN relays that you trust or have approved.
  • Conversely, disabling TURN may be attractive for some organizations that want to avoid relayed traffic through cloud endpoints, but doing so will reduce successful Shortpath connection rates and may force TCP fallbacks — a clear user‑experience tradeoff. Microsoft explicitly warns against disabling TURN except for troubleshooting.
  • Any changes that impact transport selection should be recorded in change management systems and validated in representative environments to avoid helpdesk spikes.

Strengths and practical value — what IT teams gain

  • Operational scale: A single Intune configuration or GPO can change behavior across hundreds or thousands of session hosts, removing a major manual management burden.
  • Predictability: Deterministic host‑level policies avoid drift between hosts and host pools, simplifying both performance troubleshooting and security audits.
  • Flexibility: Admins can selectively block modes (for example, disable STUN on hosts that must only accept relayed traffic) to comply with networking or regulatory constraints.
  • Integration with existing tooling: Because the controls are surfaced through ADMX/Settings Catalog, there’s no new management plane to learn: the capability plugs into your existing Intune and GPO operational workflows.

Risks and limitations — what to watch out for

  • Policy drift and unintended conflicts. Host pool defaults and host policies can collide; ensure you understand the precedence model and test changes on a pilot subgroup.
  • Network complexity. Shortpath success depends entirely on network behavior — UDP availability, NAT types, TURN geographical coverage, and firewall rules. Centralized policy cannot create UDP reachability where network devices block it.
  • Operational surprises. Because policy changes require restarts, rolling policy updates without careful scheduling can temporarily reduce capacity or create connection churn. Plan maintenance windows.
  • Incomplete regional TURN coverage. TURN relay availability is region-dependent; if your users connect from geographies not yet covered by TURN relays, relayed Shortpath may be unreliable. Confirm relay availability for important geographies.
  • Cost and third‑party impacts. Some teams will be concerned about egress or relay costs, or about the privacy implications of relayed traffic. Those outcomes depend on your Azure subscription, network architecture, and compliance posture; they’re not directly controlled by the Shortpath policy surface and should be validated in your billing and compliance reviews. Flag these as items to verify in your environment before broad enablement.

How this fits into the larger AVD / Windows 365 stack

This change pulls Shortpath into the same policy lifecycle as other Windows and AVD configuration items — image hardening, QoS, FSLogix profile policies, and Defender/MDM baselines. It aligns with Microsoft’s incremental approach to give administrators declarative controls for network‑sensitive features, and it complements earlier host pool Shortpath settings and the Relayed Shortpath rollout. For teams that already use Intune or GPO for remote desktop policy enforcement, this is primarily an operational simplification rather than a fundamental architectural shift.

Final analysis — when and how to use the new controls

  • Use centralized Shortpath policies when you need consistent, auditable transport behavior across many session hosts or when you must restrict specific Shortpath modes for policy/compliance reasons.
  • Keep TURN enabled by default during broad rollouts to preserve connection reliability for users behind restrictive NATs and corporate firewalls. Only disable TURN for controlled troubleshooting scenarios and for short durations.
  • Pilot thoroughly: test UDP reachability, STUN/TURN behavior, and port range mappings from all representative client networks before applying host-wide changes.
  • Document host pool vs session host relationships and how you will resolve policy conflicts to avoid surprises during scaled deployments.
The net effect is straightforward: Microsoft has closed a management gap that has forced many enterprise teams into brittle, manual Shortpath tuning. With GPO and Intune controls now available, administrators can make explicit, auditable choices about how their virtual desktop traffic flows — and do so at scale. That improves predictability and makes reliable RDP experiences easier to deliver across heterogeneous networks, assuming you prepare the network and pilot carefully. Community write‑ups and news coverage picked up this change immediately because it addresses a practical pain‑point for AVD and Windows 365 operators.

If you’re responsible for AVD/Windows 365 operations, start with a small pilot: verify UDP/TURN reachability from your common client networks, apply the Intune/GPO settings to a representative host group, and monitor connection quality and helpdesk metrics. The policy surface Microsoft delivered gives you the control you need — but as with all networking features, the quality of the rollout will be determined by how carefully you validate network behavior before flipping the global switch.

Source: Petri IT Knowledgebase Microsoft Adds Centralized RDP Shortpath Control via GPO and Intune