Day One of the roadshow, Session Three. Dustin Meany picked up the second of his two slots to talk about endpoint management, AVD, and the broader question of how you deliver applications and desktops to users in 2026. (Third in a five-post series unpacking what we covered.)
Cloud desktops are not always the correct remote-work answer anymore. A few years ago, AVD and Windows 365 were positioned as "you have remote workers, here is your solution." COVID accelerated adoption. After the return to office, the usage did not pull back. It accelerated, because the model solves more than remote access. It solves image management, security posture, endpoint sprawl, and cost predictability inside one platform.
Most of the audience he polled reported very little or no VDI use today. VDI has moved from "default modern remote work" to a specialty answer for specific personas and regulated industries.
Most attacks now start at the endpoint
Most security breaches now start at the endpoint or identity layer, which is the practical reason the strategy moved from network perimeter to device, identity, and access. Security policy that follows the user works regardless of where they sit. Network defenses alone do not.
That shift is what is driving the investment in modern endpoint management and the cloud desktop options Microsoft offers today. That, plus simpler management and more flexible end-user outcomes (happy users).
Three delivery models and where each one fits
Dustin walked through the three options eGroup uses with clients, and the right answer is almost always a mix if there is any complexity in the organization. The job is mapping personas to delivery models, and doing so without adding management complexity.
Intune-managed physical devices with Entra ID. No virtualization. Ship the laptop, the user Entra-joins it, Intune pushes the policies, and you have a zero-trust endpoint. For a large fraction of users, this is the right answer. Not every user needs VDI to get their work done. If the user regularly connects to the internet, you can reliably secure and manage the device anywhere.
Azure Virtual Desktop. Flexible, consumption-based. You control images, scaling, and configuration. Windows 11 multi-session is only supported in Azure. You can mix pooled hosts and dedicated session hosts in the same deployment, so task workers share a pool while power users get dedicated machines. GPU machines spin up on demand for AutoCAD, Civil 3D, Revit, ArcGIS, and AI modeling workloads, then shut back down when the work is done. RemoteApp streams a single application instead of a full desktop, which is the right move for legacy ERP front ends, secure jump-box scenarios, or contractor access to one or two specific apps.
Windows 365. Per-user-per-month Cloud PCs. Predictable cost, fastest to onboard. Microsoft owns the operating layer entirely, which takes image management, scale rules, and operational ownership off your team. The trade-off is flexibility for simplicity. Right for executives, mobile workers, contractors, and anyone for whom quick onboarding matters more than custom configuration.
Dustin's mental model for picking between AVD and Windows 365: every VDI solution has three layers: infrastructure (compute/storage/network), access and control plane (brokering/sessions), and the operating layer (images/scaling/monitoring/optimization). Microsoft runs the first two for both products. The operating layer is where they diverge. With AVD, you own that layer (and Nerdio is the tool we use to manage it at scale across clients). With Windows 365, Microsoft owns it. The question becomes "how much of the desktop operations do I want to own?" If the answer is as little as possible, Windows 365. If you need flexibility, AVD. I would add another dimension: cost. Depending on how desktops are being used, one usually beats the other for efficiency. It is not always the same answer, which is why it is important to map personas.
Where AVD has been winning
Financial services. Legacy core banking apps need to live close to the database. Compliance posture rejects sensitive data sitting on endpoints. AVD keeps the desktop in the same Azure region as the data, and the endpoint becomes thin glass. The compliance configuration inherits from your Azure Landing Zone, so you get the same Defender, the same Sentinel, the same Purview labels you already run. Your auditors review one environment with one set of evidence.
Legal. The conversation has shifted from "can we run AVD?" to "why aren't we already there?" Case-matter data stays in a scoped, controlled environment. Guest counsel, contract attorneys, and M&A diligence teams can be granted access without shipping a laptop. The local-storage problem disappears. Associates stop syncing hundreds of gigabytes of case files to their devices. I added during the session that law firms are also doing a lot of hybrid work now, where Intune-managed full clients live alongside AVD, because the firms still want consistent deployed images across the footprint and the ability to push micro-image updates rapidly.
High-performance and GPU. Engineers on CAD, GIS, 3D modeling, AI training workloads. Mike Dent's GPU-licensing note: Microsoft offers both NVIDIA and AMD GPU instances for AVD. AMD-based instances have no per-user GPU licensing, which is a real cost lever for CAD-heavy workloads where NVIDIA's licensing has historically been a tax. Worth modeling both options against your actual workload before committing.
What is coming next on the roadmap
Three items from Dustin's roadmap section:
True hybrid AVD with Azure Arc (preview). Session hosts on your own hardware, on your own hypervisor, in your own datacenter, with the AVD control plane staying in Azure. I wrote about this in detail in the AVD Hybrid post. Nutanix announced its partnership with Microsoft and Nerdio to support this natively, which matters for the customers running on NC2 today.
Windows 365 Reserve. Pre-configured Cloud PC at roughly $20 per user per year for 10 days of access annually. I covered this separately in the endpoint DR post. For the cost of a coffee per user, every employee gets immediate continuity coverage when a device fails, gets stolen, or gets compromised by ransomware.
Endpoint Privilege Management going GA in Intune. Local admin on the user machine is consistently in the top three attack vectors. EPM lets you elevate specific applications and operations without granting standing admin rights. The user runs the installer they need, the printer driver gets installed, the line-of-business plugin updates, but you do not hand them the keys. For environments with heavy plugin dependencies (law firms are again the canonical example), this directly addresses the historical reason teams had to hand out admin and live with the risk.
Plus the migration APIs between AVD and Windows 365 are a small thing with a big implication. Microsoft is steering customers toward picking a desktop strategy and flexing across products as personas change: move users between platforms by policy, without re-onboarding them every time.
The direction Microsoft is taking this
Microsoft is collapsing physical PCs, virtual desktops, and Cloud PCs into a single management interface. The product names stay separate, but the operating model is converging. Copilot in Intune now writes policies and remediation steps from natural-language prompts. Unified configuration applies the same policy to a physical desktop and a Cloud PC. Multi-platform parity is closing the Mac and Linux gaps fast enough that Jamf consolidation is worth reconsidering for many clients.
Stop optimizing for which product to deploy. Optimize for which persona gets which delivery model, all managed from one console, all governed by the same Entra identity plane, all monitored by the same Defender and Sentinel stack.
Where this leaves you
If your team is currently running two of everything (separate VDI broker, separate identity story for desktops, separate management plane for Macs, separate process for contractors), the move worth doing this quarter is mapping your personas against the three delivery models above. In Dustin's read on what we see across clients, most environments end up with the majority of users on Intune-managed physical devices, roughly 10 to 20 percent on AVD, and a smaller slice on Windows 365 for specific scenarios. Reserve is worth scoping as a break-glass layer on top of whichever mix you land on.
If you want to walk through your personas, model the per-user economics across AVD with Nerdio versus Windows 365 versus pure Intune-managed devices, and figure out where consolidation will save the most, reach out.