# Az - Virtual Desktop

{{#include ../../../banners/hacktricks-training.md}}

## Azure Virtual Desktop

Virtual Desktop is a **desktop and app virtualization service**. It enables to deliver full Windows desktops, including Windows 11, Windows 10, or Windows Server to users remotely, either as individual desktops or through individual applications. It supports single-session setups for personal use and multi-session environments Users can connect from virtually any device using native apps or a web browser.

### Host Pools

Host pools in Azure Virtual Desktop are collections of Azure virtual machines configured as session hosts, providing virtual desktops and apps to users. There are two main types: 
 - **Personal host pools**, where each virtual machine is dedicated to a single user, with its environments
 - **Pooled host pools**, where multiple users share resources on any available session host. It has a configurable session limit and a session host configuration lets Azure Virtual Desktop automate the creation of session hosts based on a configuration

Every host pool has a **registration token** is used to register virtual machines within an host pool.

### Application groups & Workspace
Application groups **control user access** to either a full desktop or specific sets of applications available on session hosts within a host pool. There are two types:
 - **Desktop application groups**, which give users access to a complete Windows desktop (available with both personal and pooled host pools) 
 - **RemoteApp groups**, which allow users to access individual published applications (available only with pooled host pools). 
A host pool can have one Desktop application group but multiple RemoteApp groups. Users can be assigned to multiple application groups across different host pools. If a user is assigned both desktop and RemoteApp groups within the same host pool, they only see resources from the preferred group type set by administrators.

A **workspace** is a **collection of application groups**, allowing users to access the desktops and application groups assigned to them. Each application group must be linked to a workspace, and it can only belong to one workspace at a time.

### Key Features
 - **Flexible VM Creation**: Create Azure virtual machines directly or add Azure Local virtual machines later.
 - **Security Features**: Enable Trusted Launch (secure boot, vTPM, integrity monitoring) for advanced VM security (a virtual network is needed). Can integrate Azure Firewall and control traffic via Network Security Groups.
 - **Domain Join**: Support for Active Directory domain joins with customizable configurations.
 - **Diagnostics & Monitoring**: Enable Diagnostic Settings to stream logs and metrics to Log Analytics, storage accounts, or event hubs for monitoring.
 - **Custom image templates**: Create and manage them to use when adding session hosts. Easily add common customizations or your own custom scripts. 
 - **Workspace Registration**: Easily register default desktop application groups to new or existing workspaces for simplified user access management.

### Enumeration

```bash
az extension add --name desktopvirtualization

# List HostPool of a Resource group
az desktopvirtualization hostpool list --resource-group <Resource_Group>

# List Application Groups
az desktopvirtualization applicationgroup list --resource-group <Resource_Group>
# List Application Groups By Subscription 
az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.DesktopVirtualization/applicationGroups?api-version=2024-04-03"
# List Applications in a Application Group
az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DesktopVirtualization/applicationGroups/{applicationGroupName}/applications?api-version=2024-04-03"
# List Assigned Users to the Application Group
az rest \
  --method GET \
  --url "https://management.azure.com/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP_NAME>/providers/Microsoft.DesktopVirtualization/applicationGroups/<APP_GROUP_NAME>/providers/Microsoft.Authorization/roleAssignments?api-version=2022-04-01" \
| jq '.value[] | select((.properties.scope | ascii_downcase) == "/subscriptions/<subscription_id_in_lowercase>/resourcegroups/<resource_group_name_in_lowercase>/providers/microsoft.desktopvirtualization/applicationgroups/<app_group_name_in_lowercase>")'


# List Workspace in a resource group
az desktopvirtualization workspace list --resource-group <Resource_Group>
# List Workspace in a subscription
az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.DesktopVirtualization/workspaces?api-version=2024-04-03"

# List App Attach Package By Resource Group
az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DesktopVirtualization/appAttachPackages?api-version=2024-04-03"
# List App Attach Package By Subscription 
az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.DesktopVirtualization/appAttachPackages?api-version=2024-04-03"

# List Desktops
az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DesktopVirtualization/applicationGroups/{applicationGroupName}/desktops?api-version=2024-04-03"

# List MSIX Packages
az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/resourcegroups/{resourceGroupName}/providers/Microsoft.DesktopVirtualization/hostPools/{hostPoolName}/msixPackages?api-version=2024-04-03"

# List private endpoint connections associated with hostpool.
az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DesktopVirtualization/hostPools/{hostPoolName}/privateEndpointConnections?api-version=2024-04-03"
# List private endpoint connections associated By Workspace.
az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DesktopVirtualization/workspaces/{workspaceName}/privateEndpointConnections?api-version=2024-04-03"

# List the private link resources available for a hostpool.
az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DesktopVirtualization/hostPools/{hostPoolName}/privateLinkResources?api-version=2024-04-03"
# List the private link resources available for this workspace.
az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DesktopVirtualization/workspaces/{workspaceName}/privateLinkResources?api-version=2024-04-03"

# List sessionHosts/virtual machines.
az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DesktopVirtualization/hostPools/{hostPoolName}/sessionHosts?api-version=2024-04-03"

# List start menu items in the given application group.
az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DesktopVirtualization/applicationGroups/{applicationGroupName}/startMenuItems?api-version=2024-04-03"

# List userSessions.
az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DesktopVirtualization/hostPools/{hostPoolName}/sessionHosts/{sessionHostName}/userSessions?api-version=2024-04-03"
# List userSessions By Host Pool
az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DesktopVirtualization/hostPools/{hostPoolName}/userSessions?api-version=2024-04-03"

```

### Connection

To connect to the virtual desktop via web you can access through https://client.wvd.microsoft.com/arm/webclient/ (most common), or https://client.wvd.microsoft.com/webclient/index.html (classic)
There are other methods that are described here [https://learn.microsoft.com/en-us/azure/virtual-desktop/users/connect-remote-desktop-client?tabs=windows](https://learn.microsoft.com/en-us/azure/virtual-desktop/users/connect-remote-desktop-client?tabs=windows)

## Privesc

{{#ref}}
../az-privilege-escalation/az-virtual-desktop-privesc.md
{{#endref}}

{{#include ../../../banners/hacktricks-training.md}}