WVD Group Assignments – PowerShell

Windows Virtual Desktop is a great way of publishing remote desktops to your users. In contrast of Remote Desktop Services (RDS) you do not have to manage the infrastructure of brokers, gateway etc. the WVD service will manage all of this to you.

I have been working with WVD for several months now and I have created some PowerShell scripts to make WVD life easier. At time of writing assigning user by user to a WVD hostpool is the only method of assigning users to hostpools. There is no method to assign an AzureAD group or WSAD group to a hostpool. Because managing the user (upn) assignments of hundreds of users is not very convenient I created a PowerShell script to make this easier.

The PowerShell script read a Windows Server Active Directory (WSAD) group, takes out the UPN of the members and assigns them to the HOSTPOOL. It is a one-way sync with add and remove.

The script takes a CSV for input and will one way synchronize WSAD group members to WVD hostpools. The script is designed to run unattended. A log file will be generated during execution.


Requirements Command
WVD PowerShell Install-Module -Name Microsoft.RDInfra.RDPowerShell
WSAD (Active Directory) PowerShell modules Add-WindowsFeature RSAT-AD-PowerShell

Please install the required PowerShell modules prior to executing the script.

Preparing the Credentials for the Script:

The script needs to run on a service account for execution. The script will log in automatically to the WVD service with PowerShell. At time of writing this can be done only with an Admin account without Multifactor Authentication.

On line 27 you need to change the UPN of the Admin account. For now, I recommend Cloud accounts:

$azureAccountName = “admin@tenantname.onmicrosoft.com”

On line 28 you might need to change the password of the “.secpwd” file.
$azurePassword = cat “c:\scripts\Password.secpwd” | ConvertTo-SecureString

You also need to create the “.secpwd” file once. Login to the server with the service account which will be running the unattended script.

Open PowerShell and execute this command:

Read-host -prompt “Enter password to be encrypted in a file ” -assecurestring | convertfrom-securestring | out-file “c:\scripts\Password.secpwd”

When prompted please enter the password of: admin@tenantname.onmicrosoft.com that password will be stored encrypted in the “.secpwd” file. Note; “.secpwd” is a made up extension. The encryption is reversible so please take additional steps to protect the “.secpwd” file if you feel you need to.

Another line to change is 26, please enter the WVD tenant name on this line.


Prepare the CSV file:

An example CSV file is in the AD2Hostpool.zip file. Enter one or more lines according to your environment. The WSADGroup column is the name of the Active Directory Group, the Hostpoolname column contains the corresponding Hostpool.

All users from the WSADGroup column group will be synced to the Hostpool users.

[AD2Hostpool.csv - Example CSV]

Install the script file.

Put the AD2hostpool.ps1 file in c:\scripts or any other path you like. Change the lines mentioned earlier (26-28) and run the script in PowerShell to see if everything is working fine. If everything is working fine you can create a scheduled task that runs a few times per day or what every you want.

Logging is placed in the script folder and rotated monthly.

Download the file: AD2hostpool.zip

Leave a Reply