Azure Virtual Desktop · Windows 365 · VDI Decision Framework

Azure Virtual Desktop + Windows 365 Enterprise Guide (2026)

An honest enterprise decision framework for Azure Virtual Desktop (AVD), Windows 365 (Cloud PC), and traditional VDI (Citrix DaaS, Omnissa Horizon) — six criteria, six named workload patterns, licensing economics, the Citrix migration playbook, and a 5-phase EPC Group AVD + W365 Accelerator. From the senior architects behind 1.83 million users migrated and 216+ M&A tenant consolidations.

Talk to an AVD + W365 Architect 888-381-9725

Should my enterprise use Azure Virtual Desktop, Windows 365, or traditional VDI? Decide workload-by-workload, not organization-wide. Windows 365 Enterprise is the modern default for persistent per-user knowledge workers; Windows 365 Frontline is the right shift-worker SKU at 3:1 concurrency; Azure Virtual Desktop wins for high-density pools, GPU power users, and regulated workloads in Azure Government; Citrix DaaS or Omnissa Horizon remain credible for deep legacy published-application estates with complex printing. Most enterprises run a mix — typically 60–70 percent Windows 365 and 30–40 percent AVD by user count.

The Three Enterprise Virtual-Desktop Options in 2026

Three credible enterprise virtual-desktop options exist in 2026 — Azure Virtual Desktop, Windows 365, and traditional VDI (Citrix DaaS, Omnissa Horizon). Every one of them has a legitimate use case, every one of them has tradeoffs, and the right answer is workload-by-workload, not organization-wide. This is the honest framing — most marketing pages tell you their option is the answer to every question, which is never true at enterprise scale.

Azure Virtual Desktop (AVD)

Customer-managed multi-session VDI on Azure

Customer-managed virtual desktops on Azure infrastructure with Windows 11 Enterprise multi-session — the only Windows SKU that legally lets multiple users share a single VM. AVD ships as a managed control plane (session hosts, host pools, application groups, workspaces, FSLogix profile containers, MSIX AppAttach) where Microsoft owns the brokers, gateways, and diagnostics layer and the customer owns the VMs, identity, and image. Deeply tuned for GPU pools (NVv4, NVadsA10 v5), high-density knowledge-worker pooled hosts, and regulated workloads in Azure commercial, Azure Government, and Azure Government Secret / Top Secret.

Best for: High-density pooled knowledge workers, GPU power users (CAD, GIS, AI/ML, video), regulated workforces that need data sovereignty in a specific Azure region, customers already deep in Azure who want one billing model, and any workload that needs Windows multi-session economics.

Watchouts: You own the image, the patching cadence, the Azure compute meter, and the FSLogix profile architecture. Operationally heavier than Windows 365. Cost-modeling against per-user W365 SKUs is non-trivial — most "AVD is cheaper" claims fall apart when you include host idle time, reserved-instance commitments, and FSLogix storage tiers.

Windows 365 (Cloud PC)

Microsoft-managed per-user Cloud PC, fixed monthly SKU

Microsoft-managed per-user Cloud PC delivered as a fixed monthly SKU per user. Microsoft owns the entire stack — provisioning, hosting, image management, networking — and surfaces it through Intune (Cloud PCs are managed exactly like physical endpoints). Three editions matter for enterprises: Windows 365 Enterprise (per-user knowledge workers with Intune management and Entra-joined or Hybrid join), Windows 365 Frontline (3 concurrent users per shared license — shift-based workforces), and Windows 365 Government (GCC / GCC High variants for federal customers). Cloud PCs are full Windows 11 Enterprise — not multi-session — so there is no profile-container architecture to design.

Best for: Per-user knowledge workers who want a Cloud PC managed exactly like a physical endpoint through Intune, frontline / shift workers (Windows 365 Frontline at 3:1 shared), contractor and BYOD scenarios, and any organization whose Intune team is already strong but whose Azure infrastructure team is thin.

Watchouts: Fixed per-user SKU economics. If you have idle utilization or off-shift gaps and want to take advantage of compute sharing across users, AVD multi-session usually wins on Azure compute cost — but Windows 365 wins on operational simplicity. No multi-session. Limited GPU SKU support compared to AVD. Region availability and feature parity for GCC High lag commercial.

Traditional VDI (Citrix DaaS / Omnissa Horizon)

Customer-managed VDI brokering layer, often on Azure or hybrid

Customer-managed VDI brokering layers — Citrix DaaS (formerly Citrix Cloud) and Omnissa Horizon (the VMware Horizon platform after the Broadcom spin-out) — typically running session hosts in Azure, AWS, GCP, or on-prem. Customer owns the broker license stack, the session-host infrastructure, the published-application architecture, and the printing / endpoint / WAN-optimization stack that has historically been the Citrix value proposition. Best-of-breed for huge legacy application portfolios, complex printing, branch-office published apps, and hybrid customer-data-center scenarios.

Best for: Organizations with a deep installed base of Citrix or Horizon expertise, complex published-application catalogs, demanding printing or peripheral redirection, branch-office WAN-constrained scenarios, and hybrid on-prem + cloud session-host topologies that AVD and Windows 365 do not natively cover.

Watchouts: Broker license cost on top of Azure compute. Skill-set scarcity for Citrix and Horizon is rising as the market consolidates around Microsoft. Renewal economics have shifted hard since the Broadcom-VMware-Omnissa transition. Every Citrix and Horizon contract renewal in 2026 should be modeled against an AVD or Windows 365 alternative — even if the answer is "stay."

The Six-Criterion Decision Framework

Six criteria drive the AVD vs Windows 365 vs Citrix vs Horizon decision at the persona level. Score each criterion per persona class — frontline, knowledge worker, developer, GPU power user, regulated workforce, executive — and the right architecture emerges from the matrix. The criteria are weighted differently for every organization; the framework is universal.

1. Per-user fixed SKU vs multi-session compute economics

The most consequential cost lever. Windows 365 prices per user as a fixed monthly SKU — predictable, simple, no idle-time risk. AVD prices the Azure compute under the session host — multi-session host pools share that compute across 6–20 users per VM depending on workload, which can be dramatically cheaper for high-density knowledge workers, but only if utilization is high. For shift-based or 9-to-5 workforces with long idle windows, AVD multi-session economics often win. For pure per-user persistent personas, Windows 365 is almost always simpler and the cost gap is smaller than vendors claim.

2. Customer-managed infrastructure vs SaaS

AVD is a managed control plane on top of customer-managed VMs. Windows 365 is fully Microsoft-managed. If your Azure infrastructure team is mature — image-management discipline, IaC for host pools, FSLogix profile architecture, Azure reserved-instance strategy, NSG / Azure Firewall hygiene — AVD gives you control levers you cannot get in Windows 365. If your Azure team is thin but your Intune team is strong, Windows 365 takes the infrastructure burden off the table and surfaces Cloud PCs as Intune-managed endpoints exactly like physical laptops.

3. GPU workloads

AVD is the right answer for GPU. NVv4, NVadsA10 v5, and NV-series VM SKUs deliver virtual GPU partitioning for CAD (AutoCAD, Revit, SolidWorks), GIS (ArcGIS Pro), media and post-production (Premiere, DaVinci Resolve), and AI / ML developer workstations. Windows 365 GPU SKUs exist but coverage is narrower and economics are different. Citrix and Horizon also remain credible GPU options, especially where the published-application architecture is already in place. Lead the GPU decision with the application certification matrix — Autodesk, Esri, Adobe all maintain official guidance.

4. Regulated industry data sovereignty

AVD is available in Azure Government (GCC, GCC High) and Azure Government Secret / Top Secret — the option set for federal customers, DoD contractors, and CMMC 2.0 Level 2 workloads. Windows 365 Government covers GCC and GCC High but lags commercial in feature availability and SKU breadth. For HIPAA-regulated workloads, both AVD and Windows 365 are HIPAA-eligible under the Microsoft Online Services Business Associate Agreement, but the data-flow and DLP architecture is different. For FINRA / SOC 2 / FedRAMP, AVD gives you more configuration surface to map controls against; Windows 365 gives you fewer controls to map but a simpler attestation path.

5. Identity model — Microsoft Entra vs hybrid AD

Modern Windows 365 Enterprise Cloud PCs are Entra-joined by default. AVD session hosts can be Entra-joined, Hybrid Entra-joined, or domain-joined to on-prem AD via Entra Domain Services. If you still have on-prem AD dependencies — Kerberos-only file shares, certificate services bound to AD, legacy line-of-business apps that require domain join — design accordingly. The EPC Group recommendation is Entra-join wherever feasible; the legacy hybrid-join path is a managed retreat, not a target state. Conditional Access, MFA, and Privileged Identity Management all flow the same way for both AVD and Windows 365.

6. Management surface — Intune vs Citrix Cloud vs Horizon

Windows 365 Cloud PCs are managed in Intune Admin Center exactly like physical Windows 11 endpoints. AVD session hosts can be Intune-managed (the modern target) or managed via Configuration Manager or a third-party. Citrix and Horizon publish their own management consoles — high-fidelity for published applications and printing, but a separate skill set and a separate set of reporting surfaces. If your operations team is standardized on Intune for endpoint management, Windows 365 (and Intune-managed AVD) collapses the management surface into one console. If your team has decades of Citrix Director and Studio expertise and you are not ready to retire it, weigh that honestly.

Six Named Workload Patterns with Microsoft Tooling

Six workload patterns cover the overwhelming majority of enterprise virtual-desktop demand in 2026. Each pattern has a named EPC Group reference architecture, named Microsoft tooling, and a documented set of cross-decisions against identity, management, and compliance.

Workload Pattern 1

Frontline / shift workers

Microsoft tooling: Windows 365 Frontline (3 concurrent users per shared license)

Frontline and shift-based workforces — hospital nurses on rotating 12-hour shifts, retail associates, manufacturing floor operators, call-center agents — were the workload class without a clean Microsoft answer until Windows 365 Frontline shipped. Frontline licenses three concurrent users against one Cloud PC SKU, matching real shift economics (only one of three shift workers is signed in at any moment). Provisioning is Microsoft-managed; management is Intune; identity is Entra. Combined with FIDO2 smart-badge sign-in or Entra Temporary Access Pass for badge-driven access, Frontline is the new EPC Group default for clinical, retail, and manufacturing-floor virtual desktop scenarios. The right complement to a SharePoint Premium frontline portal and Viva Connections mobile experience.

Healthcare HIPAA Microsoft consulting

Workload Pattern 2

Knowledge workers (persistent per-user Cloud PC)

Microsoft tooling: Windows 365 Enterprise — per-user persistent Cloud PC, Intune-managed

For knowledge workers who need a persistent Windows desktop that follows them across devices — finance, HR, legal, marketing, executive assistants — Windows 365 Enterprise is the modern default. Each user gets a persistent Cloud PC, sized by SKU (2 / 4 / 8 / 16 / 32 GB RAM tiers with proportionate vCPU and storage), provisioned through Microsoft Endpoint Manager, joined to Microsoft Entra, and managed in Intune exactly like a physical endpoint. Identity and Conditional Access apply uniformly. Profile management is handled by Microsoft — no FSLogix architecture decision required. Cost predictability is the executive win: a known per-user SKU price, no idle-time risk, no surprise Azure compute meter, and no separate broker license to renew.

Workload Pattern 3

Developers and GPU power users

Microsoft tooling: Azure Virtual Desktop multi-session w/ GPU pool (NVv4, NVadsA10 v5)

Developers running heavy IDEs, container builds, AI / ML training notebooks, and CAD / GIS / media workloads need either dedicated power or virtual GPU partitioning that Windows 365 does not deliver economically. AVD on NVv4 (AMD MI25 GPU) or NVadsA10 v5 (NVIDIA A10) is the right answer — multi-session pooled GPU hosts with Autodesk, Adobe, Esri, and Unreal certifications. The architecture pairs FSLogix profile containers on Azure NetApp Files or Azure Files Premium with MSIX AppAttach for application delivery. Image management runs through Azure Compute Gallery with shared image versioning. Sized correctly, an AVD GPU pool of 8 A10 sessions costs less than 8 dedicated GPU workstations and gives the team a uniform image to manage.

Workload Pattern 4

Regulated workforce (federal, defense, healthcare)

Microsoft tooling: Azure Virtual Desktop in Azure Government (GCC High) or Azure Commercial under HIPAA BAA

For federal, defense, and CMMC 2.0 Level 2 workloads, AVD in Azure Government — specifically GCC High — is the route. US-citizen-only support, FedRAMP High authorization, DoD IL5 capable, and the configuration surface to map NIST 800-171 controls against. Windows 365 Government covers GCC and GCC High but with narrower feature parity. For HIPAA-regulated healthcare workforces in Azure Commercial under the Microsoft Online Services BAA, AVD gives the architectural control to enforce session-level DLP, conditional access by location and device compliance, Defender for Cloud Apps inline policy on the session host, and Purview sensitivity labels on the data plane. Pair with Privileged Identity Management for break-glass workflows.

Federal / FedRAMP / CMMC consulting

Workload Pattern 5

M&A inheritance (post-acquisition Citrix consolidation)

Microsoft tooling: AVD or Windows 365 as Citrix migration target

In post-acquisition portfolios, EPC Group consistently inherits two or three Citrix farms across the acquired entities — each on different broker versions, different licensing models, different image-management discipline, and different printing and peripheral redirection patterns. The 12-to-18-month consolidation pattern is: keep Citrix steady-state for the first six months while the M365 tenant consolidation runs, model each persona against AVD multi-session vs Windows 365 Enterprise vs Windows 365 Frontline in months 6–9, run a controlled pilot wave in months 9–12, and decommission Citrix farms in months 12–18. This is the same playbook EPC Group has run across the 216+ M&A tenant consolidations covered by our Microsoft 365 migrations practice.

M&A M365 migration playbook

Workload Pattern 6

Healthcare clinicians (HIPAA-aware session controls)

Microsoft tooling: AVD multi-session with HIPAA-aware Conditional Access, Defender for Cloud Apps inline, Purview labels

Clinicians — physicians on rounding, nurses at workstations on wheels, ED triage staff, telemedicine providers — need a Windows session that hands off cleanly between physical devices, enforces PHI handling at the session layer, and supports clinical applications (Epic, Cerner / Oracle Health, Meditech, Allscripts) that have historically been delivered through Citrix. AVD on Entra-joined session hosts with FSLogix roaming profiles, FIDO2 smart-badge tap-to-sign-in, Conditional Access requiring compliant device and named location, Defender for Cloud Apps inline session controls (block download of PHI to unmanaged endpoints), and Purview sensitivity labels on the EHR-adjacent data plane is the EPC Group reference clinical desktop. Windows 365 Frontline is the right choice for the bedside-tap workflow at scale.

Healthcare HIPAA Microsoft consulting

Azure Virtual Desktop vs Citrix DaaS — Honest Comparison

Both AVD and Citrix DaaS can be the right answer in 2026 — the decision is rarely about which platform is "better" and almost always about which one is a better fit for your installed base, your skill availability, and your application catalog. EPC Group has migrated estates in both directions: Citrix to AVD when the published-application catalog is modernizing, and rarely AVD back to Citrix when deep printing or branch-office WAN requirements demand it. Here is the honest comparison.

Dimension	Azure Virtual Desktop	Citrix DaaS / Omnissa Horizon
Broker license	Included in AVD — no separate broker SKU.	Citrix DaaS or Horizon broker license layered on top of Azure compute.
Published-application architecture	Application Groups and MSIX AppAttach — modern, simpler, narrower legacy-app support.	Decades-mature published-application + published-desktop architecture; deeper legacy app support.
Printing and peripheral redirection	Universal Print and Teams device redirection — modern, M365-aligned, narrower for legacy printers.	Citrix Universal Print Driver — the deepest printing redirection stack in the industry.
Branch-office WAN optimization	Azure Front Door + ExpressRoute + RDP Shortpath — modern, no separate WAN-opt appliance.	HDX + Citrix SD-WAN — deep WAN optimization for constrained branch links.
Identity	Microsoft Entra-joined, Hybrid Entra-joined, or domain-joined session hosts. Conditional Access native.	Citrix Cloud federates with Entra; identity flows are an extra design surface.
Management surface	Microsoft Intune + Azure Portal + (optionally) Azure Virtual Desktop Insights — single Microsoft stack.	Citrix Director, Studio, and Cloud console — separate skill set, separate reporting, separate dashboards.
Skill-set availability (US market, 2026)	Growing — every M365 / Azure architect now has overlapping skills.	Shrinking — Broadcom transition and Omnissa spin-out have thinned the contractor market.
Best use case in 2026	Greenfield VDI, Microsoft-aligned shops, M&A consolidation target, regulated workloads in Azure Gov.	Existing Citrix estates with deep published-app catalogs, complex printing, branch-office constraints.

Licensing and Compute Economics

Virtual-desktop economics are dominated by two levers — the user-rights SKU (the Windows + Cloud PC entitlement) and the underlying Azure compute meter. Get both right and the architecture pays for itself; get either wrong and the TCO model collapses. The reference SKU and compute model are below.

Windows 10/11 Enterprise E3 / E5

Required base Windows entitlement. Bundled into Microsoft 365 E3 / E5 / A3 / A5 / G3 / G5, or standalone via Windows Enterprise E3 / E5. AVD and Windows 365 both consume this entitlement as the user-rights base.

Windows 365 Enterprise (per-user Cloud PC)

Per-user monthly SKU tiered by RAM (2 / 4 / 8 / 16 / 32 GB) with proportionate vCPU and storage. Includes Cloud PC compute, hosting, and provisioning under one SKU. Managed in Intune. Entra-join by default.

Windows 365 Frontline

Three concurrent users per shared license — the shift-worker SKU. Same RAM tiers as Enterprise. Microsoft-managed compute, Intune-managed endpoint.

Windows 365 Government (GCC / GCC High)

Federal variants of Windows 365 Enterprise. Lags commercial on feature parity and SKU breadth. Used in tandem with M365 G-SKUs (G3 / G5) and Azure Government tenants.

Azure Virtual Desktop (no per-user SKU)

No per-user AVD SKU. Customer pays Azure compute (per-second), Azure storage (FSLogix profile containers on Azure Files / NetApp Files), and Azure networking (ExpressRoute, Azure Firewall, Azure Front Door, NAT Gateway). Reserved Instance 1-year / 3-year commitments collapse compute cost 30–60 percent for steady-state pools.

Azure Compute reservations

AVD economics live or die by reserved-instance strategy. EPC Group typically models 70 percent of steady-state AVD compute under 3-year reserved instances, 20 percent under 1-year, and 10 percent on-demand for burst — calibrated against actual session-host utilization curves.

The EPC AVD + Windows 365 Accelerator — 5 Phases

EPC Group delivers AVD and Windows 365 engagements under a five-phase Accelerator — Discovery, Architecture, Pilot, Production, Operate. Discovery and Architecture are fixed-fee. Pilot and Production are time-and-materials capped against agreed wave sizing. Operate runs under the EPC Group Lifecycle Operate stage as a managed retainer. Typical full Accelerator pricing runs $150K to $500K depending on user count, persona complexity, and Citrix or Horizon co-existence requirements.

1. Discovery

2–3 weeks

Persona inventory across the workforce — frontline vs knowledge worker vs developer vs GPU power user vs regulated workforce. Application catalog review (Citrix-published apps, MSIX, Win32, web apps, SaaS). Existing Citrix or Horizon estate inventory if applicable. Identity model assessment (Entra-only vs hybrid AD). Regulatory baseline (HIPAA, SOC 2, FedRAMP, FINRA, CMMC). Output: a costed AVD vs Windows 365 vs Citrix recommendation per persona class, with a 36-month TCO comparison.

2. Architecture

3–4 weeks

Host pool architecture (multi-session vs personal, pooled vs depth-first vs breadth-first load balancing), session host SKU sizing, FSLogix profile container architecture on Azure Files Premium or Azure NetApp Files, MSIX AppAttach package strategy, image management through Azure Compute Gallery, network architecture (ExpressRoute, RDP Shortpath, Azure Front Door, Private Endpoints), Intune configuration profiles, Conditional Access policy set, Defender for Cloud Apps session policies. For Windows 365: provisioning policies, image variants, user-settings profiles, Intune compliance baseline.

3. Pilot

4–6 weeks

Controlled wave with 50–200 users per persona class. Application certification testing against the published catalog. End-user experience measurement (logon time, app launch time, session responsiveness via AVD Insights and Microsoft Connection Monitor). Identity and Conditional Access validation. DLP policy testing on session hosts. FSLogix profile roaming validation. Document every break, every workaround, and every persona-specific surprise. Pilot exit criteria approved by application owners, security, and end-user representatives.

4. Production

8–16 weeks

Wave-based production rollout — typically 500 to 5,000 users per wave depending on pool sizing and operational readiness. Co-existence with Citrix or Horizon during the migration window. Help-desk runbook handoff (every common ticket has a documented resolution path). Image lifecycle process (monthly patched image promoted through Azure Compute Gallery). Reserved-instance commit execution against the steady-state utilization curve. End of production phase: original Citrix or Horizon estate is in decommission posture.

5. Operate

Ongoing

Managed AVD and Windows 365 operations under the EPC Group Lifecycle Operate stage. Monthly image-patch cadence. FSLogix profile health monitoring. Capacity planning against actual utilization. Quarterly RI true-up. End-user experience reporting against named SLOs. Senior-architect escalation path on every incident. Annual architecture review against new Windows 365 SKUs, new Azure VM SKUs, and Microsoft Cloud roadmap shifts.

EPC Group's AVD + Windows 365 Credential Stack

Every architectural pattern on this page is drawn from production work — across 70+ Fortune 500 clients, 216+ M&A tenant consolidations, 1.83 million users migrated, and 11,000+ Microsoft engagements over 29 years on the platform since 1997.

1.83 million

Users migrated in M&A consolidations

216+

M&A tenant consolidations

70+

Fortune 500 clients

11,000+

Microsoft engagements over 29 years

All six current Microsoft Solutions Partner Designations

Data & AI, Modern Work, Infrastructure, Security, Digital & App Innovation, and Business Applications — full Microsoft cloud coverage with no subcontracting. The Modern Work and Infrastructure Designations are the named credentials behind every AVD and Windows 365 engagement we deliver.

Compliance-native delivery for regulated workloads

AVD and Windows 365 engagements delivered with documented control mapping to the named regulatory baseline — HIPAA, SOC 2, FedRAMP, FINRA, CMMC, GxP. US-citizen-only delivery teams for federal, CMMC 2.0 Level 2, and Azure Government Secret / Top Secret engagements. See Federal / FedRAMP / CMMC and Healthcare / HIPAA practices.

The EPC Group Lifecycle — Assess → Modernize → Govern → Operate → Enable

The named delivery model that lets the same senior architects own an AVD or Windows 365 engagement from board roadmap through year-two managed operations. No phase-to-phase team rotation. See the full Lifecycle →

Nearly three decades of Microsoft consulting leadership

Founder and CEO Errin O'Connor is a four-time Microsoft Press bestselling author with nearly three decades of Microsoft consulting leadership — the same architectural patterns inform every AVD and Windows 365 engagement EPC Group ships.

Frequently Asked Questions

Should we use Azure Virtual Desktop or Windows 365 — which is right for our enterprise?

The decision is workload-by-workload, not enterprise-wide. Windows 365 Enterprise is the right answer for persistent per-user knowledge workers who want simple per-user economics, Intune-managed Cloud PCs, and zero infrastructure responsibility. Azure Virtual Desktop is the right answer for high-density knowledge worker pools, GPU power users (CAD, GIS, AI/ML, media), regulated workforces that need Azure Government data sovereignty, and any workload where multi-session compute economics meaningfully beat per-user SKUs. Windows 365 Frontline is the right answer for shift workers (3 concurrent users per shared license). Most EPC Group enterprise clients run a mix — usually 60–70 percent Windows 365 by user count for knowledge workers and frontline, 30–40 percent AVD by user count for power users, developers, and regulated workloads. Decide per persona, not per organization.

How do we migrate from Citrix DaaS to Azure Virtual Desktop or Windows 365 in 2026?

The EPC Group reference Citrix-to-Microsoft migration runs over 12 to 18 months. Months 1–3: persona inventory, application catalog review, Citrix license renewal posture review, AVD vs Windows 365 vs persistent Citrix decision per persona. Months 4–6: AVD or Windows 365 reference architecture build (host pools, FSLogix, MSIX AppAttach, Intune policies). Months 6–9: pilot waves across the three or four most representative persona classes. Months 9–15: production wave rollout — typically 500 to 5,000 users per wave — with Citrix steady-state for non-migrated users. Months 15–18: Citrix decommission, broker license termination, and reserved-instance true-up. The hardest workloads to migrate are deep published-application catalogs with complex printing redirection — those often justify keeping a residual Citrix footprint rather than forcing a clean break.

Per-user Windows 365 vs multi-session AVD — what are the real economics?

Windows 365 prices per user as a fixed monthly SKU — predictable, no idle-time risk, no Azure compute meter surprise. AVD prices the Azure compute under the session host, with multi-session host pools sharing that compute across typically 6 to 20 users per VM depending on RAM, vCPU, and workload intensity. For high-density knowledge workers running 8 hours a day at moderate intensity, AVD multi-session on D-series or E-series VMs under 3-year reserved instances often runs 30–50 percent cheaper than equivalent Windows 365 Enterprise SKUs. For pure persistent per-user knowledge workers with high session intensity and low concurrency overlap, the gap narrows to 10–20 percent — and Windows 365 wins on operational simplicity. For shift workers, Windows 365 Frontline (3 concurrent users per shared license) is uniquely advantaged. Model it per persona with real utilization curves — every "AVD is half the cost" claim collapses without those.

How do GPU AVD pools work for CAD, GIS, AI / ML, and media workloads?

AVD on GPU-enabled Azure VM SKUs delivers virtual GPU partitioning for graphics and compute workloads. NVv4 (AMD MI25) and NVadsA10 v5 (NVIDIA A10) are the modern reference SKUs. The architecture: multi-session host pool on NV-series VMs, FSLogix profile containers on Azure Files Premium or Azure NetApp Files for large profile data, MSIX AppAttach for application delivery, Azure Compute Gallery for image versioning, and AVD Insights for per-session GPU utilization telemetry. Application certifications matter — Autodesk, Adobe, Esri (ArcGIS), Unreal, and Bentley all maintain official guidance for AVD GPU deployment. Sized correctly, an 8-session A10 pool typically costs less than 8 dedicated GPU workstations and gives a uniform image to manage.

How does HIPAA apply to Azure Virtual Desktop for healthcare clinicians?

Azure Virtual Desktop is HIPAA-eligible under the Microsoft Online Services Business Associate Agreement when deployed correctly. The architectural elements that make it work: Entra-joined session hosts with FIDO2 smart-badge sign-in or Entra Temporary Access Pass for badge-driven workflows, Conditional Access requiring compliant device and named location for clinical sessions, Defender for Cloud Apps inline session policies that block download of PHI to unmanaged endpoints, Purview sensitivity labels on the EHR-adjacent data plane, FSLogix profile containers on Azure NetApp Files with encryption-at-rest, Microsoft Defender for Endpoint on session hosts for EDR coverage, and Privileged Identity Management for break-glass workflows. The session host itself is the new clinical endpoint — design DLP, audit logging, and session recording (where required) at the session layer, not the device.

Is Azure Virtual Desktop available on Azure Government with FedRAMP High authorization for federal customers?

Yes. Azure Virtual Desktop on Azure Government (GCC and GCC High variants) operates under FedRAMP High authorization and supports DoD Impact Level 5 workloads when deployed in the appropriate Azure Government region. Microsoft also operates Azure Government Secret and Top Secret regions for IL6 and above classified workloads, with AVD availability following a separate authorization track. For CMMC 2.0 Level 2 contractors handling Controlled Unclassified Information, Azure Government GCC High is the EPC Group reference target. The control surface that maps against NIST 800-171 and CMMC L2 includes Conditional Access policies, Defender for Endpoint on session hosts, Microsoft Sentinel for SIEM and audit logging, Privileged Identity Management for elevated-role workflows, and Purview for DLP and records management. US-citizen-only delivery teams are required and available.

Can Microsoft Intune manage Windows 365 Cloud PCs the same way it manages physical endpoints?

Yes — that is the design intent of Windows 365 Enterprise. Cloud PCs enroll in Intune automatically, surface in the Intune Admin Center alongside physical Windows 11 endpoints, accept the same configuration profiles, compliance policies, app deployment, and Endpoint Analytics telemetry, and respond to the same Conditional Access policies. The management surface is uniform: a single Intune admin can manage a thousand physical laptops and a thousand Cloud PCs with the same skill set and the same policy library. AVD session hosts can also be Intune-managed (the modern target) — Microsoft has invested heavily in closing the gap between AVD session-host management and physical-endpoint management. The strategic implication: an organization standardized on Intune for endpoint management gets a uniform operating model across physical, Cloud PC, and AVD session-host surfaces.

What is the difference between AVD AppAttach and MSIX for application delivery?

MSIX is the modern Windows app packaging format. MSIX AppAttach is the AVD-native mechanism to attach MSIX-packaged applications to a session host at logon, without permanently installing them into the base image. The two work together: application teams package apps as MSIX (replacing legacy App-V workflows), AVD attaches those MSIX packages to a session at logon based on user or group entitlement, and the user sees a fully installed application without the image carrying every app in every pool. The architectural win is image hygiene — base images stay clean and patch-cycled monthly, while application delivery is decoupled and per-user. For applications that resist MSIX repackaging (deep installers, kernel-mode drivers, complex licensing), MSIX AppAttach is not a fit — those stay in the base image or move to a published-application path on a separate host pool.

Related Resources

Talk to an AVD + Windows 365 Architect

A 60-minute call with a senior architect — not a sales lead. We will give you an honest read on whether AVD, Windows 365, or a residual Citrix or Horizon estate is the right answer for each persona class in your workforce, the realistic 36-month TCO across the options, and what an EPC AVD + W365 Accelerator would look like sized to your environment. If your situation does not warrant an EPC Group engagement, we will say so on the call.

Schedule a fit-call 888-381-9725

Errin O'Connor

Founder & CEO · Chief AI Architect

contact@epcgroup.net

Headquarters

4900 Woodway Drive, Suite 830, Houston, TX 77056

Azure Virtual Desktop · Windows 365 · VDI Decision Framework

Azure Virtual Desktop + Windows 365 Enterprise Guide (2026)

Talk to an AVD + W365 Architect 888-381-9725

The Three Enterprise Virtual-Desktop Options in 2026

Azure Virtual Desktop (AVD)

Customer-managed multi-session VDI on Azure

Windows 365 (Cloud PC)

Microsoft-managed per-user Cloud PC, fixed monthly SKU

Traditional VDI (Citrix DaaS / Omnissa Horizon)

Customer-managed VDI brokering layer, often on Azure or hybrid

The Six-Criterion Decision Framework

1. Per-user fixed SKU vs multi-session compute economics

2. Customer-managed infrastructure vs SaaS

3. GPU workloads

4. Regulated industry data sovereignty

5. Identity model — Microsoft Entra vs hybrid AD

6. Management surface — Intune vs Citrix Cloud vs Horizon

Six Named Workload Patterns with Microsoft Tooling

Workload Pattern 1

Frontline / shift workers

Microsoft tooling: Windows 365 Frontline (3 concurrent users per shared license)

Healthcare HIPAA Microsoft consulting

Workload Pattern 2

Knowledge workers (persistent per-user Cloud PC)

Microsoft tooling: Windows 365 Enterprise — per-user persistent Cloud PC, Intune-managed

Workload Pattern 3

Developers and GPU power users

Microsoft tooling: Azure Virtual Desktop multi-session w/ GPU pool (NVv4, NVadsA10 v5)

Workload Pattern 4

Regulated workforce (federal, defense, healthcare)

Microsoft tooling: Azure Virtual Desktop in Azure Government (GCC High) or Azure Commercial under HIPAA BAA

Federal / FedRAMP / CMMC consulting

Workload Pattern 5

M&A inheritance (post-acquisition Citrix consolidation)

Microsoft tooling: AVD or Windows 365 as Citrix migration target

M&A M365 migration playbook

Workload Pattern 6

Healthcare clinicians (HIPAA-aware session controls)

Microsoft tooling: AVD multi-session with HIPAA-aware Conditional Access, Defender for Cloud Apps inline, Purview labels

Healthcare HIPAA Microsoft consulting

Azure Virtual Desktop vs Citrix DaaS — Honest Comparison

Dimension	Azure Virtual Desktop	Citrix DaaS / Omnissa Horizon
Broker license	Included in AVD — no separate broker SKU.	Citrix DaaS or Horizon broker license layered on top of Azure compute.
Published-application architecture	Application Groups and MSIX AppAttach — modern, simpler, narrower legacy-app support.	Decades-mature published-application + published-desktop architecture; deeper legacy app support.
Printing and peripheral redirection	Universal Print and Teams device redirection — modern, M365-aligned, narrower for legacy printers.	Citrix Universal Print Driver — the deepest printing redirection stack in the industry.
Branch-office WAN optimization	Azure Front Door + ExpressRoute + RDP Shortpath — modern, no separate WAN-opt appliance.	HDX + Citrix SD-WAN — deep WAN optimization for constrained branch links.
Identity	Microsoft Entra-joined, Hybrid Entra-joined, or domain-joined session hosts. Conditional Access native.	Citrix Cloud federates with Entra; identity flows are an extra design surface.
Management surface	Microsoft Intune + Azure Portal + (optionally) Azure Virtual Desktop Insights — single Microsoft stack.	Citrix Director, Studio, and Cloud console — separate skill set, separate reporting, separate dashboards.
Skill-set availability (US market, 2026)	Growing — every M365 / Azure architect now has overlapping skills.	Shrinking — Broadcom transition and Omnissa spin-out have thinned the contractor market.
Best use case in 2026	Greenfield VDI, Microsoft-aligned shops, M&A consolidation target, regulated workloads in Azure Gov.	Existing Citrix estates with deep published-app catalogs, complex printing, branch-office constraints.