diff --git a/docs/content/services/compute/compute-gallery/_index.md b/docs/content/services/compute/compute-gallery/_index.md
index c524f9819..78c06c9d5 100644
--- a/docs/content/services/compute/compute-gallery/_index.md
+++ b/docs/content/services/compute/compute-gallery/_index.md
@@ -12,11 +12,11 @@ The presented resiliency recommendations in this guidance include Compute Galler
## Summary of Recommendations
{{< table style="table-striped" >}}
-| Recommendation | Category | Impact | State | ARG Query Available |
-|:--------------------------------------------------------------------------------------------------------------------------------------------------------------------|:------------:|:------:|:-------:|:-------------------:|
-| [CG-1 - A minimum of three replicas should be kept for production image versions](#cg-1---a-minimum-of-three-replicas-should-be-kept-for-production-image-versions) | Availability | Medium | Preview | Yes |
-| [CG-2 - Zone redundant storage should be used for image versions](#cg-2---zone-redundant-storage-should-be-used-for-image-versions) | Availability | Medium | Preview | Yes |
-| [CG-3 - Consider using hyper-V generation version 2 images where possible](#cg-3---consider-using-hyper-v-generation-version-2-images-where-possible) | Availability | Low | Preview | Yes |
+| Recommendation | Category | Impact | State | ARG Query Available |
+|:--------------------------------------------------------------------------------------------------------------------------------------------------------------------|:------------:|:------:|:--------:|:-------------------:|
+| [CG-1 - A minimum of three replicas should be kept for production image versions](#cg-1---a-minimum-of-three-replicas-should-be-kept-for-production-image-versions) | Availability | Medium | Verified | Yes |
+| [CG-2 - Zone redundant storage should be used for image versions](#cg-2---zone-redundant-storage-should-be-used-for-image-versions) | Availability | Medium | Verified | Yes |
+| [CG-3 - Consider creating TrustedLaunchSupported images where possible](#cg-3---consider-creating-trustedlaunchsupported-images-where-possible) | Availability | Low | Verified | Yes |
{{< /table >}}
{{< alert style="info" >}}
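Review bot: The new CG-3 row in the summary table still has `Availability` in the Category column, while the CG-3 section in the next hunk of this file is changed to `**Category: Access & Security**`. Anyone who filters the summary by category to find the security recommendations would miss the Trusted Launch item. Change the category cell of the CG-3 row to `Access & Security` so the table and the section agree.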
@@ -77,15 +77,15 @@ You can also choose the account type for each of the target regions. The default
-### CG-3 - Consider using hyper-V generation version 2 images where possible
+### CG-3 - Consider creating TrustedLaunchSupported images where possible
-**Category: Availability**
+**Category: Access & Security**
**Impact: Low**
**Guidance**
-We recommend that you create a generation 2 virtual machine to take advantage of features like Secure Boot, vTPM, trusted launch VMs, large boot volume. Your choice to create a generation 1 or generation 2 virtual machine depends on which guest operating system you want to install and the boot method you want to use to deploy the virtual machine. You can't change a virtual machine's generation after you've created it. So it is recommended to review the [considerations](https://learn.microsoft.com/en-us/windows-server/virtualization/hyper-v/plan/should-i-create-a-generation-1-or-2-virtual-machine-in-hyper-v#which-guest-operating-systems-are-supported) first.
+We recommend that you create a Trusted Launch Supported Images to take advantage of features like Secure Boot, vTPM, trusted launch VMs, large boot volume. Trusted Launch Supported Images are Gen 2 Images by default. You can’t change a virtual machine’s generation after you’ve created it. So it is recommended to review the [considerations](https://learn.microsoft.com/en-us/windows-server/virtualization/hyper-v/plan/should-i-create-a-generation-1-or-2-virtual-machine-in-hyper-v#which-guest-operating-systems-are-supported) first.
**Resources**
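Review bot: The rewritten CG-3 guidance says "create a Trusted Launch Supported Images", mixing a singular article with a plural noun, and it spells the term differently from the heading's `TrustedLaunchSupported`. Suggested wording: `We recommend that you create Trusted Launch supported images to take advantage of features like Secure Boot and vTPM.` The only link in the paragraph is the Hyper-V generation 1 versus 2 considerations page, which, judging by its URL, covers VM generation and guest OS support rather than Trusted Launch. The Resources list continues outside this hunk, so a Trusted Launch reference may already be there; if not, add one, since the recommendation is now categorised as a security control.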
diff --git a/docs/content/services/compute/image-templates/_index.md b/docs/content/services/compute/image-templates/_index.md
index ec9a0ac8f..6e0b2700b 100644
--- a/docs/content/services/compute/image-templates/_index.md
+++ b/docs/content/services/compute/image-templates/_index.md
@@ -12,10 +12,10 @@ The presented resiliency recommendations in this guidance include Image Template
## Summary of Recommendations
{{< table style="table-striped" >}}
-| Recommendation | Category | Impact | State | ARG Query Available |
-|:----------------------------------------------------------------------------------------------------------------------------|:-----------------:|:------:|:-------:|:-------------------:|
-| [IT-1 - Use Generation 2 virtual machine source image](#it-1---use-generation-2-virtual-machine-source-image) | Availability | Low | Preview | No |
-| [IT-2 - Replicate your Image Templates to a secondary region](#it-2---replicate-your-image-templates-to-a-secondary-region) | Disaster Recovery | Low | Preview | Yes |
+| Recommendation | Category | Impact | State | ARG Query Available |
+|:----------------------------------------------------------------------------------------------------------------------------|:-----------------:|:------:|:--------:|:-------------------:|
+| [IT-1 - Use Generation 2 virtual machine source image](#it-1---use-generation-2-virtual-machine-source-image) | Availability | Low | Verified | No |
+| [IT-2 - Replicate your Image Templates to a secondary region](#it-2---replicate-your-image-templates-to-a-secondary-region) | Disaster Recovery | Low | Verified | Yes |
{{< /table >}}
{{< alert style="info" >}}
diff --git a/docs/content/services/compute/site-recovery/code/asr-1/asr-1.kql b/docs/content/services/compute/site-recovery/code/asr-1/asr-1.kql
index 614a7f9ca..fa5cad258 100644
--- a/docs/content/services/compute/site-recovery/code/asr-1/asr-1.kql
+++ b/docs/content/services/compute/site-recovery/code/asr-1/asr-1.kql
@@ -1 +1 @@
-// under-development
+// cannot-be-validated-with-arg
diff --git a/docs/content/services/compute/virtual-machine-scale-sets/_index.md b/docs/content/services/compute/virtual-machine-scale-sets/_index.md
index ed73ce1f6..467cbc4f3 100644
--- a/docs/content/services/compute/virtual-machine-scale-sets/_index.md
+++ b/docs/content/services/compute/virtual-machine-scale-sets/_index.md
@@ -21,7 +21,7 @@ The presented resiliency recommendations in this guidance include Virtual Machin
| [VMSS-5 - Enable Predictive Autoscale and configure at least for Forecast Only](#vmss-5---enable-predictive-autoscale-and-configure-at-least-for-forecast-only) | System Efficiency | Low | Verified | Yes |
| [VMSS-6 - Disable Force strictly even balance across zones to avoid scale in and out fail attempts](#vmss-6---disable-force-strictly-even-balance-across-zones-to-avoid-scale-in-and-out-fail-attempts) | Availability | High | Verified | Yes |
| [VMSS-7 - Configure Allocation Policy Spreading algorithm to Max Spreading](#vmss-7---configure-allocation-policy-spreading-algorithm-to-max-spreading) | System Efficiency | Medium | Preview | Yes |
-| [VMSS-8 - Deploy VMSS across availability zones with VMSS Flex](#vmss-8---deploy-vmss-across-availability-zones-with-vmss-flex) | Availability | High | Verified | Yes |
+| [VMSS-8 - Deploy VMSS across availability zones with VMSS Flex](#vmss-8---deploy-vmss-across-availability-zones-with-vmss-flex) | Availability | High | Verified | Yes|
| [VMSS-9 - Set Patch orchestration options to Azure-orchestrated](#vmss-9---set-patch-orchestration-options-to-azure-orchestrated) | Automation | Low | Preview | Yes |
| [VMSS-10 - Upgrade VMSS Image versions scheduled to be deprecated or already retired](#vmss-10---upgrade-vmss-image-versions-scheduled-to-be-deprecated-or-already-retired) | Governance | High | Preview | No |
| [VMSS-11 - Production VMSS instances should be using SSD disks](#vmss-11---production-vmss-instances-should-be-using-ssd-disks) | System Efficiency | High | Verified | Yes |
@@ -254,6 +254,7 @@ Enabling automatic VM guest patching for your Azure VMs helps ease update manage
**Resources**
- [Automatic VM Guest Patching for Azure VMs](https://learn.microsoft.com/azure/virtual-machines/automatic-vm-guest-patching)
+- [Auto OS Image Upgrades](https://learn.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-automatic-upgrade)
**Resource Graph Query**
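Review bot: The added "Auto OS Image Upgrades" link carries the `/en-us/` locale segment, while the link directly above it is locale-free and the azure-backup hunks in this same commit strip `/en-us/` from their URLs. Use `https://learn.microsoft.com/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-automatic-upgrade` so readers are served their own locale. The new "Learn More" links under AVD-11 and AVD-13 in the azure-virtual-desktop file have the same `/en-us/` segment.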
diff --git a/docs/content/services/migration/azure-backup/_index.md b/docs/content/services/migration/azure-backup/_index.md
index 08e6a0aac..c7f2a6450 100644
--- a/docs/content/services/migration/azure-backup/_index.md
+++ b/docs/content/services/migration/azure-backup/_index.md
@@ -15,7 +15,7 @@ The presented resiliency recommendations in this guidance include Backup and ass
|
Recommendation | Category | Impact | State | ARG Query Available |
:--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:-----------------:|--------|:--------:|:-------------------:|
-| [BK-1 - Migrate from classic alerts to built-in Azure Monitor alerts for Azure Recovery Services Vaults](#bk-1---migrate-from-classic-alerts-to-built-in-azure-monitor-alerts-for-azure-recovery-services-vaults) | Monitoring | Medium | Preview | Yes |
+| [BK-1 - Migrate from classic alerts to built-in Azure Monitor alerts for Azure Recovery Services Vaults](#bk-1---migrate-from-classic-alerts-to-built-in-azure-monitor-alerts-for-azure-recovery-services-vaults) | Monitoring | Medium | Verified | Yes |
| [BK-2 - Opt-in to Cross Region Restore for all Geo-Redundant Storage (GRS) Azure Recovery Services vaults](#bk-2---opt-in-to-cross-region-restore-for-all-geo-redundant-storage-grs-azure-recovery-services-vaults) | Disaster Recovery | Medium | Verified | Yes |
{{< /table >}}
@@ -46,8 +46,8 @@ Using Azure Monitor Alerts you can:
**Resources**
-- [Move to Azure monitor Alerts](https://learn.microsoft.com/en-us/azure/backup/move-to-azure-monitor-alerts)
-- [Classic alerts retirement announcement](https://azure.microsoft.com/en-us/updates/transition-to-builtin-azure-monitor-alerts-for-recovery-services-vaults-in-azure-backup-by-31-march-2026/)
+- [Move to Azure monitor Alerts](https://learn.microsoft.com/azure/backup/move-to-azure-monitor-alerts)
+- [Classic alerts retirement announcement](https://azure.microsoft.com/updates/transition-to-builtin-azure-monitor-alerts-for-recovery-services-vaults-in-azure-backup-by-31-march-2026/)
**Resource Graph Query**
@@ -72,7 +72,7 @@ Cross Region Restore allows you to restore Azure VMs in a secondary region, whic
- [Set Cross Region Restore](https://learn.microsoft.com/azure/backup/backup-create-recovery-services-vault#set-cross-region-restore)
- [Azure Backup Best Practices](https://learn.microsoft.com/azure/backup/guidance-best-practices)
- [Minimum Role Requirements for Cross Region Restore](https://learn.microsoft.com/azure/backup/backup-rbac-rs-vault#minimum-role-requirements-for-azure-vm-backup)
-- [Recovery Services Vault](https://azure.microsoft.com/documentation/articles/backup-azure-arm-vms-prepare/)
+- [Recovery Services Vault](https://learn.microsoft.com/azure/backup/backup-azure-arm-vms-prepare)
**Resource Graph Query**
diff --git a/docs/content/services/networking/network-security-group/_index.md b/docs/content/services/networking/network-security-group/_index.md
index cc7a99b0e..685458f93 100644
--- a/docs/content/services/networking/network-security-group/_index.md
+++ b/docs/content/services/networking/network-security-group/_index.md
@@ -51,12 +51,6 @@ Resource Logs are not collected and stored until you create a diagnostic setting
{{< /collapse >}}
-{{< collapse title="Show/Hide Query/Script" >}}
-
-{{< code lang="sql" file="code/nsg-1/nsg-1.sql" >}} {{< /code >}}
-
-{{< /collapse >}}
-
### NSG-2 - Monitor changes in Network Security Groups with Azure Monitor
@@ -106,12 +100,6 @@ You can set locks that prevent either deletions or modifications. In the portal,
{{< /collapse >}}
-{{< collapse title="Show/Hide Query/Script" >}}
-
-{{< code lang="sql" file="code/nsg-3/nsg-3.sql" >}} {{< /code >}}
-
-{{< /collapse >}}
-
### NSG-4 - Configure NSG Flow Logs
diff --git a/docs/content/services/specialized-workloads/azure-virtual-desktop/_index.md b/docs/content/services/specialized-workloads/azure-virtual-desktop/_index.md
index 978060379..a9a5e5c8c 100644
--- a/docs/content/services/specialized-workloads/azure-virtual-desktop/_index.md
+++ b/docs/content/services/specialized-workloads/azure-virtual-desktop/_index.md
@@ -12,30 +12,56 @@ The presented resiliency recommendations in this guidance include Azure Virtual
## Summary of Recommendations
{{< table style="table-striped" >}}
-| Recommendation | Category | Impact | State | ARG Query Available |
+| Recommendation | Category | Impact | State | ARG Query Available |
|:----------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:-----------------:|:--------:|:-------:|:-------------------:|
-| [AVD-1 Use Private link when connecting to File Share or Key Vault](#avd-1---use-private-link-when-connecting-to-file-share-or-key-vault) | Access & Security | Medium | Verified | Yes |
-| [AVD-2 Monitor Service Health and Resource Health of AVD](#avd-2---monitor-service-health-and-resource-health-of-avd) | Monitoring | Medium | Verified | No |
-| [AVD-3 Deploy Session Hosts in an Availability Zone](#avd-3---deploy-session-hosts-in-an-availability-zone) | Availability | High | Verified | No |
-| [AVD-4 Deploy Domain Controllers and DNS Servers in Azure Virtual Network Across Availability Zones](#avd-4---deploy-domain-controllers-and-dns-servers-in-azure-virtual-network-across-availability-zones) | Availability | Medium | Preview | No |
-| [AVD-5 Implement RDP Shortpath for Public or Managed Networks](#avd-5---implement-rdp-shortpath-for-public-or-managed-networks) | Networking | Medium | Verified | No |
-| [AVD-6 Implement a Multi-Region BCDR Plan](#avd-6---implement-a-multi-region-bcdr-plan) | Disaster Recovery | Medium | Verified | No |
-| [AVD-7 Store Golden Image Redundantly for Disaster Recovery](#avd-7---store-golden-image-redundantly-for-disaster-recovery) | Disaster Recovery | Low | Verified | No |
-| [AVD-8 Capacity Planning for AVD Resources](#avd-8---capacity-planning-for-avd-resources) | Disaster Recovery | Low | Verified | No |
-| [AVD-9 Ensure that FSLogix Storage Account is Redundant](#avd-9---ensure-that-fslogix-storage-account-is-redundant) | Availability | High | Verified | No |
-| [AVD-10 Enable Azure Backup for FSLogix Storage Account](#avd-10---enable-azure-backup-for-fslogix-storage-account) | Disaster Recovery | Medium | Preview | No |
-| [IT-2 - Replicate your Image Templates to a secondary region](https://azure.github.io/Azure-Proactive-Resiliency-Library/services/compute/image-templates/#it-2---replicate-your-image-templates-to-a-secondary-region) | Disaster Recovery | Low | Preview | Yes |
-| [CG-2 - Zone redundant storage should be used for image versions](https://azure.github.io/Azure-Proactive-Resiliency-Library/services/compute/compute-gallery/#cg-2---zone-redundant-storage-should-be-used-for-image-versions) | Availability | Medium | Preview | Yes |
+| [AVD-1 Use Private link when connecting to File Share or Key Vault](#avd-1---use-private-link-when-connecting-to-file-share-or-key-vault) | Access & Security | Medium | Verified | Yes |
+| [AVD-2 Monitor Service Health and Resource Health of AVD](#avd-2---monitor-service-health-and-resource-health-of-avd) | Monitoring | High | Verified | Yes |
+| [AVD-4 Deploy Domain Controllers and DNS Servers in Azure Virtual Network Across Availability Zones](#avd-4---deploy-domain-controllers-and-dns-servers-in-azure-virtual-network-across-availability-zones) | Availability | Medium | Verified | No |
+| [AVD-5 Implement RDP Shortpath for Public or Managed Networks](#avd-5---implement-rdp-shortpath-for-public-or-managed-networks) | Networking | Medium | Verified | No |
+| [AVD-6 Implement a Multi-Region BCDR Plan](#avd-6---implement-a-multi-region-bcdr-plan) | Disaster Recovery | Medium | Verified | No |
+| [AVD-7 Store Golden Image Redundantly for Disaster Recovery](#avd-7---store-golden-image-redundantly-for-disaster-recovery) | Disaster Recovery | Low | Verified | No |
+| [AVD-8 Capacity Planning for AVD Resources](#avd-8---capacity-planning-for-avd-resources) | Disaster Recovery | Low | Verified | No |
+| [AVD-9 Ensure that FSLogix Storage Account is Redundant](#avd-9---ensure-that-fslogix-storage-account-is-redundant) | Availability | High | Verified | Yes |
+| [AVD-10 Enable Azure Backup for FSLogix Storage Account](#avd-10---enable-azure-backup-for-fslogix-storage-account) | Storage | Medium | Verified | No |
+| [AVD-11 Scaling plans should be created per region and not scaled across regions](#avd-11---scaling-plans-should-be-created-per-region-and-not-scaled-across-regions) | Disaster Recovery | Medium | Verified | No |
+| [AVD-13 Validate that the AVD session hosts can communicate with the AVD control plane and UDP ports are open if UDP is in use](#avd-13---validate-avd-session-host-connectivity-to-the-avd-control-plane-and-udp-ports-open-if-in-use) | Networking | Medium | Verified | No |
+| [AVD-14 Ensure Secondary Entra ID connect synchronization server](#avd-14---ensure-secondary-entra-id-connect-synchronization-server) | Access & Security | Low | Verified | No |
+| [AVD-15 Deploy paired Domain Controllers in the same region as AVD session hosts](#avd-15---deploy-paired-domain-controllers-in-the-same-region-as-avd-session-hosts) | Disaster Recovery | High | Verified | No |
+| [AVD-16 Ensure DNS regions are replicated to avoid single point of failure](#avd-16---ensure-dns-regions-are-replicated-to-avoid-single-point-of-failure) | Networking | Medium | Verified | No |
+| [AVD-17 Capacity Planning for AVD Resources](#avd-17---capacity-planning-for-avd-resources) | Disaster Recovery | Low | Verified | No |
+| [AVD-18 Create new version of updated image and replace session hosts rather than update host directly](#avd-18---create-updated-image-version-and-replace-session-hosts-rather-than-updating-host-directly) | Governance | Low | Verified | No |
+| [AVD-19 Pooled Create a validation pool for testing of planned updates](#avd-19---pooled-create-a-validation-pool-for-testing-of-planned-updates) | Governance | Medium | Verified | No |
+| [AVD-20 Pooled Configure scheduled agent updates](#avd-20---pooled-configure-scheduled-agent-updates) | System Efficiency | Medium | Verified | No |
+| [AVD-21 Personal Create a validation pool for testing of planned updates](#avd-21---personal-create-a-validation-pool-for-testing-of-planned-updates) | Governance | Low | Verified | No |
+| [AVD-22 Use Azure Site Recovery or Backups on VMs supporting personal desktops](#avd-22---use-azure-site-recovery-or-backups-on-vms-supporting-personal-desktops) | Disaster Recovery | Medium | Verified | No |
+| [AVD-23 Ensure a unique OU when deploying VMs to Domain](#avd-23---ensure-a-unique-ou-when-deploying-vms-to-domain) | Governance | Medium | Verified | No |
+| [AVD-24 Ensure the standard FSLogix configuration is deployed](#avd-24---ensure-the-standard-fslogix-configuration-is-deployed) | Storage | Medium | Verified | No |
+| [AVD-25 Ensure user permissions are set correctly on SMB shares](#avd-25---ensure-user-permissions-are-set-correctly-on-smb-shares) | Storage | Medium | Verified | No |
+| [AVD-26 Configure Diagnostic Settings for FSLogix logs and enable review for accounts](#avd-26---configure-diagnostic-settings-for-fslogix-logs-and-enable-review-for-accounts) | Storage | Medium | Verified | No |
+| [AVD-27 Manually update new FSLogix image when available](#avd-27---manually-update-new-fslogix-image-when-available) | Availability | Low | Verified | No |
+| [AVD-28 Turn on Continuous Availability for ANF if using App Attach](#avd-28---turn-on-continuous-availability-for-anf-if-using-app-attach) | App Attach Storage | Medium | Verified | No |
+| [AVD-29 App attach should be placed in separate file share; Disaster recovery plan should include App attach storage](#avd-29---app-attach-should-be-placed-in-separate-file-share-and-disaster-recovery-plan-should-include-app-attach-storage) | Storage | Medium | Verified | No |
+| [AVD-30 Ensure virtual networks have route tables/route server configured for all regions](#avd-30---ensure-virtual-networks-have-route-tablesroute-server-configured-for-all-regions) | Networking | Medium | Verified | No |
+| [AVD-31 Ensure virtual networks isolation with separate IP space and NSGs for Prod and DR](#avd-31---ensure-virtual-networks-isolation-with-separate-ip-space-and-nsgs-for-prod-and-dr) | Networking | Medium | Verified | No |
+| [AVD-33 Ensure route tables accommodate failover](#avd-33---ensure-route-tables-accommodate-failover) | Disaster Recovery | Medium | Verified | No |
+| [AVD-34 Ensure Resilient Deployment of Keyvault for AVD Host Pools](#avd-34---provision-secondary-key-vault-for-disaster-recovery) | Disaster Recovery | High | Verified | No |
+| [AVD-35 Configure AVD insights Workbook](#avd-35---configure-avd-insights-workbook) | Monitoring | High | Verified | No |
+| [AVD-36 Ensure separate log analytics workspaces for Prod and DR](#avd-36---ensure-separate-log-analytics-workspaces-for-prod-and-dr) | Disaster Recovery | Low | Verified | No |
+| [AVD-37 Organize AVD resources using the AVD Scale unit model described by the AVD Landing Zone Methodology](#avd-37---organize-avd-resources-using-the-avd-scale-unit-model-described-by-the-avd-landing-zone-methodology) | Governance | Low | Verified | No |
+| [IT-2 - Replicate your Image Templates to a secondary region](https://azure.github.io/Azure-Proactive-Resiliency-Library/services/compute/image-templates/#it-2---replicate-your-image-templates-to-a-secondary-region) | Disaster Recovery | Low | Preview | Yes |
+| [CG-2 - Zone redundant storage should be used for image versions](https://azure.github.io/Azure-Proactive-Resiliency-Library/services/compute/compute-gallery/#cg-2---zone-redundant-storage-should-be-used-for-image-versions) | Availability | Medium | Verified | Yes |
| [VM-2 - Deploy VMs across Availability Zones](https://azure.github.io/Azure-Proactive-Resiliency-Library/services/compute/virtual-machines/#vm-2---deploy-vms-across-availability-zones) | Availability | High | Verified | Yes |
| [VM-7 - Enable Backups on your VMs](https://azure.github.io/Azure-Proactive-Resiliency-Library/services/compute/virtual-machines/#vm-7---backup-vms-with-azure-backup-service) | Disaster Recovery | Medium | Verified | Yes |
| [VM-8 - Production VMs should be using SSD disks](https://azure.github.io/Azure-Proactive-Resiliency-Library/services/compute/virtual-machines/#vm-8---production-vms-should-be-using-ssd-disks) | System Efficiency | High | Verified | Yes |
-| [ERC-1 - Connect your on-premises network to critical workloads in Azure through two or more ExpressRoute circuits in different peering locations](https://azure.github.io/Azure-Proactive-Resiliency-Library/services/networking/expressroute-circuits/#erc-1---connect-your-on-premises-network-to-critical-workloads-in-azure-through-two-or-more-expressroute-circuits-in-different-peering-locations) | Availability | High | Preview | No |
-| [ERC-2 - Ensure the two physical links of your ExpressRoute circuit are connected to two distinct edge devices in your network](https://azure.github.io/Azure-Proactive-Resiliency-Library/services/networking/expressroute-circuits/#erc-2---ensure-the-two-physical-links-of-your-expressroute-circuit-are-connected-to-two-distinct-edge-devices-in-your-network) | Availability | High | Preview | No |
-| [VPNG-1 - Choose a Zone-redundant gateway](https://azure.github.io/Azure-Proactive-Resiliency-Library/services/networking/vpn-gateway/#vpng-1---choose-a-zone-redundant-gateway) | Availability | High | Preview | Yes |
-| [VPNG-3 - Plan for Site-to-Site VPN and Azure ExpressRoute coexisting connection](https://azure.github.io/Azure-Proactive-Resiliency-Library/services/networking/vpn-gateway/#vpng-3---plan-for-site-to-site-vpn-and-azure-expressroute-coexisting-connection) | Disaster Recovery | High | Preview | No |
-| [NSG-4 - Configure NSG Flow Logs](https://azure.github.io/Azure-Proactive-Resiliency-Library/services/networking/network-security-group/#nsg-4---configure-nsg-flow-logs) | Monitoring | Medium | Preview | Yes |
| [VM-21 - Configure diagnostic settings for all Azure Virtual Machines](https://azure.github.io/Azure-Proactive-Resiliency-Library/services/compute/virtual-machines/#vm-21---configure-diagnostic-settings-for-all-azure-virtual-machines) | Monitoring | Low | Preview | Yes |
-| [VM-25 - Do not create more than 2000 Citrix VDA servers per subscription](https://azure.github.io/Azure-Proactive-Resiliency-Library/services/compute/virtual-machines/#vm-25---do-not-create-more-than-2000-citrix-vda-servers-per-subscription) | Application Resiliency | High | Preview | Yes |
+| [ERC-1 - Connect your on-premises network to critical workloads in Azure through two or more ExpressRoute circuits in different peering locations](https://azure.github.io/Azure-Proactive-Resiliency-Library/services/networking/expressroute-circuits/#erc-1---connect-your-on-premises-network-to-critical-workloads-in-azure-through-two-or-more-expressroute-circuits-in-different-peering-locations) | Availability | High | Verified | No |
+| [ERC-2 - Ensure the two physical links of your ExpressRoute circuit are connected to two distinct edge devices in your network](https://azure.github.io/Azure-Proactive-Resiliency-Library/services/networking/expressroute-circuits/#erc-2---ensure-the-two-physical-links-of-your-expressroute-circuit-are-connected-to-two-distinct-edge-devices-in-your-network) | Availability | High | Verified | No |
+| [VPNG-1 - Choose a Zone-redundant gateway](https://azure.github.io/Azure-Proactive-Resiliency-Library/services/networking/vpn-gateway/#vpng-1---choose-a-zone-redundant-gateway) | Availability | High | Verified | Yes |
+| [VPNG-3 - Plan for Site-to-Site VPN and Azure ExpressRoute coexisting connection](https://azure.github.io/Azure-Proactive-Resiliency-Library/services/networking/vpn-gateway/#vpng-3---plan-for-site-to-site-vpn-and-azure-expressroute-coexisting-connection) | Disaster Recovery | High | Verified | No |
+| [NSG-4 - Configure NSG Flow Logs](https://azure.github.io/Azure-Proactive-Resiliency-Library/services/networking/network-security-group/#nsg-4---configure-nsg-flow-logs) | Monitoring | Medium | Preview | Yes |
+| [ST-1 - Ensure that Storage Account configuration is at least Zone redundant](https://azure.github.io/Azure-Proactive-Resiliency-Library/services/storage/storage-account/#st-1---ensure-that-storage-account-configuration-is-at-least-zone-redundant) | Storage | High | Verified | Yes |
+| [WADS-3 - Ensure that all fault-points and fault-modes are understood and operationalized](https://azure.github.io/Azure-Proactive-Resiliency-Library/well-architected/2-design/#wads-3---ensure-that-all-fault-points-and-fault-modes-are-understood-and-operationalized) | Availability | High | Verified | No |
+| [WADS-7 - Design a BCDR strategy that will help to meet the business requirements](https://azure.github.io/Azure-Proactive-Resiliency-Library/well-architected/2-design/#wads-7---design-a-bcdr-strategy-that-will-help-to-meet-the-business-requirements) | Disaster Recovery | High | Verified | No |
{{< /table >}}
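Review bot: Several rows in the new AVD summary table disagree with other parts of this commit. The IT-2 row keeps State `Preview` although the image-templates hunk marks IT-2 as `Verified`. The AVD-9 row keeps Impact `High`, while a later hunk changes an `**Impact: High**` to `**Impact: Medium**` in what appears to be the AVD-9 section (the section heading is outside that hunk, so please confirm). AVD-8 and the new AVD-17 carry the identical title "Capacity Planning for AVD Resources", which makes one of them look like a duplicate. The AVD-34 link text "Ensure Resilient Deployment of Keyvault for AVD Host Pools" points at the anchor `#avd-34---provision-secondary-key-vault-for-disaster-recovery`; the AVD-34 heading is not visible here, so check that the link text and the heading match.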
@@ -76,7 +102,7 @@ Private Link is available for other Azure services that work in conjunction with
**Category: Monitoring**
-**Impact: Medium**
+**Impact: High**
**Guidance**
@@ -98,33 +124,6 @@ Use Resource Health to monitor your VMs and storage solutions.
-### AVD-3 - Deploy Session Hosts in an Availability Zone
-
-**Category: Availability**
-
-**Impact: High**
-
-**Guidance**
-
-Deploy session hosts in an availability zone or an availability set helps protect the environment from outages.
-
-Enhances reliability by minimizing latency and impacts reliability helping keep the data synchronized and protecting from outages. If one zone experiences an outage, then regional services, capacity, and high availability are supported by the remaining zones.
-
-**Resources**
-
-- [Learn More](https://learn.microsoft.com/en-us/azure/well-architected/azure-virtual-desktop/application-delivery#session-host-settings)
-- [Availability Zones](https://learn.microsoft.com/en-us/azure/well-architected/azure-virtual-desktop/application-delivery#session-host-settings)
-
-**Resource Graph Query**
-
-{{< collapse title="Show/Hide Query/Script" >}}
-
-{{< code lang="sql" file="code/avd-3/avd-3.kql" >}} {{< /code >}}
-
-{{< /collapse >}}
-
-
-
### AVD-4 - Deploy Domain Controllers and DNS Servers in Azure Virtual Network Across Availability Zones
**Category: Availability**
@@ -233,7 +232,7 @@ If a full BCDR strategy is not in place, consider using zone-redundant storage t
**Guidance**
-Monitor and plan for subscription limits. Closely monitor your Azure Virtual Desktop deployments, and keep track of resource usage within your subscription. By proactively monitoring capacity, you can identify potential challenges early on, and you can take suitable actions to avoid reaching limits.
+Monitor and plan for subscription limits and API throttling limits. Closely monitor your Azure Virtual Desktop deployments, and keep track of resource usage within your subscription. By proactively monitoring capacity, you can identify potential challenges early on, and you can take suitable actions to avoid reaching limits.
Consider scaling across multiple subscriptions if further scaling is required, or work with Azure support to adjust limits based on your business requirements.
To handle a large number of users, consider scaling horizontally by creating multiple host pools.
@@ -256,7 +255,7 @@ To handle a large number of users, consider scaling horizontally by creating mul
**Category: Availability**
-**Impact: High**
+**Impact: Medium**
**Guidance**
@@ -286,7 +285,7 @@ Generally, it is recommended to store your data as secure and redundant as possi
### AVD-10 - Enable Azure Backup for FSLogix Storage Account
-**Category: Backup/Storage**
+**Category: Storage**
**Impact: Medium**
@@ -308,3 +307,604 @@ It is recommended to enable backup on the FSLogix Storage Account. Ensuring the
{{< /collapse >}}
+
+### AVD-11 - Scaling plans should be created per region and not scaled across regions
+
+**Category: Disaster Recovery**
+
+**Impact: Medium**
+
+**Guidance:**
+Each region has its own scaling plans assigned to host pools within that region. However, these plans can become inaccessible if there's a regional failure. To mitigate this risk, it's advisable to create a secondary scaling plan in another region.
+
+**Resources:**
+
+- [Learn More](https://learn.microsoft.com/en-us/azure/virtual-desktop/autoscale-scaling-plan?tabs=portal)
+
+**Resource Graph Query/Scripts**
+
+{{< collapse title="Show/Hide Query/Script" >}}
+
+{{< code lang="sql" file="code/avd-11/avd-11.kql" >}} {{< /code >}}
+
+{{< /collapse >}}
+
+
+
+### AVD-13 - Validate AVD Session Host Connectivity to the AVD Control Plane and UDP Ports open if in use
+
+**Category: Networking**
+
+**Impact: Medium**
+
+**Guidance:**
+Ensure that AVD session hosts can effectively communicate with the AVD control plane and that UDP ports are open if UDP is utilized. Validate the connectivity of VMs to the AVD Control Plane and confirm the accessibility of UDP TURN ports. Whitelist global URLs and ensure that UDP/TURN ports are open and accessible to facilitate smooth user connections. Proper connectivity validation guarantees optimal performance and user experience within the AVD environment.
+
+**Resources:**
+
+- [Learn More](https://learn.microsoft.com/en-us/azure/virtual-desktop/troubleshoot-rdp-shortpath)
+
+**Resource Graph Query/Scripts**
+
+{{< collapse title="Show/Hide Query/Script" >}}
+
+{{< code lang="sql" file="code/avd-13/avd-13.kql" >}} {{< /code >}}
+
+{{< /collapse >}}
+
+
+
+### AVD-14 - Ensure Secondary Entra ID connect synchronization server
+
+**Category: Access & Security**
+
+**Impact: Low**
+
+**Guidance:**
+Hybrid - Entra ID Connect best to run in Azure but can be hosted on-prem. Secondary or more VMs should be setup in staging mode in event of failover.
+Set up secondary server in staging mode for Entra Connect for syncing to Entra in case of primary server outage.
+
+**Resources:**
+
+- [Learn More](https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-install-multiple-domains)
+
+**Resource Graph Query/Scripts**
+
+{{< collapse title="Show/Hide Query/Script" >}}
+
+{{< code lang="sql" file="code/avd-14/avd-14.kql" >}} {{< /code >}}
+
+{{< /collapse >}}
+
+
+
+### AVD-15 - Deploy paired Domain Controllers in the same region as AVD session hosts
+
+**Category: Disaster Recovery**
+
+**Impact: High**
+
+**Guidance:**
+Ensure each region with session hosts has multiple domain controllers in the same region to support high availability with regards to identity.
+For a hybrid scenario, each Azure region with AVD session hosts should have Active Directory Domain Controllers in Azure and use Availability Zones or Availability Sets for resilience within the region. This also mitigates dependency on ER/VPN/Inter-Azure dependencies.
+
+**Resources:**
+
+- [Learn More](https://learn.microsoft.com/en-us/azure/architecture/example-scenario/azure-virtual-desktop/azure-virtual-desktop-multi-region-bcdr)
+
+**Resource Graph Query/Scripts:**
+
+{{< collapse title="Show/Hide Query/Script" >}}
+
+{{< code lang="sql" file="code/avd-15/avd-15.kql" >}} {{< /code >}}
+
+{{< /collapse >}}
+
+
+
+### AVD-16 - Ensure DNS regions are replicated to avoid single point of failure
+
+**Category: Networking**
+
+**Impact: Medium**
+
+**Guidance:**
+Active Directory Domain Services (AD DS) integrated DNS/other should target Secondary/Tertiary customer DNS across multi-region zones. If using custom DNS, ensure there are redundant DNS servers to avoid a single point of failure.
+
+**Resources:**
+
+- [Learn More](https://learn.microsoft.com/en-us/azure/architecture/example-scenario/azure-virtual-desktop/azure-virtual-desktop-multi-region-bcdr)
+
+**Resource Graph Query/Scripts:**
+
+{{< collapse title="Show/Hide Query/Script" >}}
+
+{{< code lang="sql" file="code/avd-16/avd-16.kql" >}} {{< /code >}}
+
+{{< /collapse >}}
+
+
+
+### AVD-17 - Capacity Planning for AVD Resources
+
+**Category: Disaster Recovery**
+
+**Impact: Low**
+
+**Guidance:**
+Monitor and plan for subscription limits and API throttling limits. Closely monitor your Azure Virtual Desktop deployments and keep track of resource usage within your subscription. By proactively monitoring capacity, you can identify potential challenges early on, and you can take suitable actions to avoid reaching limits. Consider scaling across multiple subscriptions if further scaling is required, or work with Azure support to adjust limits based on your business requirements. To handle a large number of users, consider scaling horizontally by creating multiple host pools.
+
+**Resources:**
+
+- [Learn More](https://learn.microsoft.com/en-us/azure/architecture/example-scenario/wvd/windows-virtual-desktop#azure-virtual-desktop-limitations)
+
+**Resource Graph Query/Scripts:**
+
+{{< collapse title="Show/Hide Query/Script" >}}
+
+{{< code lang="sql" file="code/avd-17/avd-17.kql" >}} {{< /code >}}
+
+{{< /collapse >}}
+
+
+
+### AVD-18 - Create updated image version and replace session hosts rather than updating host directly
+
+**Category: Governance**
+
+**Impact: Low**
+
+**Guidance:**
+Establish a systematic process for handling image updates within your Azure Virtual Desktop environment. Instead of directly updating individual session hosts, create a new version of the updated image. This process involves creating and configuring a golden image with the necessary updates and configurations. Once the new image is prepared, replace existing session hosts with instances using the updated image. This approach ensures consistency across all session hosts and minimizes the risk of configuration drift. Additionally, it enables quick rollback to a previous image version in case of any issues with the update. Implementing this process helps streamline maintenance activities and ensures that all session hosts are up-to-date with the latest configurations and updates.
+has context menu
+
+**Resources:**
+
+- [Learn More](https://learn.microsoft.com/en-us/training/modules/create-manage-session-host-image/)
+
+**Resource Graph Query/Scripts:**
+
+{{< collapse title="Show/Hide Query/Script" >}}
+
+{{< code lang="sql" file="code/avd-18/avd-18.kql" >}} {{< /code >}}
+
+{{< /collapse >}}
+
+
+
+### AVD-19 - [Pooled] Create a validation pool for testing of planned updates
+
+**Category: Governance**
+
+**Impact: Medium**
+
+**Guidance:**
+At least one Validation Pool to have early warning if a planned update to AVD causes an issue. support to adjust limits based on your business requirements. To handle a large number of users, consider scaling horizontally by creating multiple host pools.
+Also check that the host pool has been used regularly to test planned updates.
+Host pools are a collection of one or more identical virtual machines within Azure Virtual Desktop environment. We highly recommend you create a validation host pool where service updates are applied first. Validation host pools let you monitor service updates before the service applies them to your standard or non-validation environment. Without a validation host pool, you may not discover changes that introduce errors, which could result in downtime for users in your standard environment.
+To ensure your apps work with the latest updates, the validation host pool should be as similar to host pools in your non-validation environment as possible. Users should connect as frequently to the validation host pool as they do to the standard host pool. If you have automated testing on your host pool, you should include automated testing on the validation host pool.
+
+**Resources:**
+
+- [Learn More](https://learn.microsoft.com/en-us/azure/virtual-desktop/configure-validation-environment?tabs=azure-portal)
+
+**Resource Graph Query/Scripts:**
+
+{{< collapse title="Show/Hide Query/Script" >}}
+
+{{< code lang="sql" file="code/avd-19/avd-19.kql" >}} {{< /code >}}
+
+{{< /collapse >}}
+
+
+
+### AVD-20 - [Pooled] Configure scheduled agent updates
+
+**Category: System Efficiency**
+
+**Impact: Medium**
+
+**Guidance:**
+Ensure schedules have been created to provide maintenance windows for AVD agent updates.
+The Scheduled Agent Updates feature lets you create up to two maintenance windows for the Azure Virtual Desktop agent, side-by-side stack, and Geneva Monitoring agent to get updated so that updates don't happen during peak business hours.
+
+**Resources:**
+
+- [Learn More](https://learn.microsoft.com/en-us/azure/virtual-desktop/scheduled-agent-updates)
+
+**Resource Graph Query/Scripts:**
+
+{{< collapse title="Show/Hide Query/Script" >}}
+
+{{< code lang="sql" file="code/avd-20/avd-20.kql" >}} {{< /code >}}
+
+{{< /collapse >}}
+
+
+
+### AVD-21 - [Personal] Create a validation pool for testing of planned updates
+
+**Category: Governance**
+
+**Impact: Low**
+
+**Guidance:**
+At least one Validation Pool to have early warning if a planned update to AVD causes an issue. Also check that the host pool has been used regularly to test planned updates.
+Host pools are a collection of one or more identical virtual machines within Azure Virtual Desktop environment. We highly recommend you create a validation host pool where service updates are applied first. Validation host pools let you monitor service updates before the service applies them to your standard or non-validation environment. Without a validation host pool, you may not discover changes that introduce errors, which could result in downtime for users in your standard environment.
+To ensure your apps work with the latest updates, the validation host pool should be as similar to host pools in your non-validation environment as possible. Users should connect as frequently to the validation host pool as they do to the standard host pool. If you have automated testing on your host pool, you should include automated testing on the validation host pool.
+
+**Resources:**
+
+- [Learn More](https://learn.microsoft.com/en-us/azure/virtual-desktop/configure-validation-environment?tabs=azure-portal)
+
+**Resource Graph Query/Scripts:**
+
+{{< collapse title="Show/Hide Query/Script" >}}
+
+{{< code lang="sql" file="code/avd-21/avd-21.kql" >}} {{< /code >}}
+
+{{< /collapse >}}
+
+
+
+### AVD-22 - Use Azure Site Recovery or Backups on VMs supporting personal desktops
+
+**Category: Disaster Recovery**
+
+**Impact: Medium**
+
+**Guidance:**
+Leverage Azure Site Recovery (ASR) or implement Azure Backup for personal host pools for seamless failover and failback capabilities, enabling the replication of VMs supporting personal desktops to a secondary Azure region. In the event of a disaster or unexpected outage, this ensures the recovery of these VMs from a known-state.
+
+**Resources:**
+
+- [Learn More](https://learn.microsoft.com/en-us/azure/virtual-desktop/scheduled-agent-updates)
+
+**Resource Graph Query/Scripts:**
+
+{{< collapse title="Show/Hide Query/Script" >}}
+
+{{< code lang="sql" file="code/avd-22/avd-22.kql" >}} {{< /code >}}
+
+{{< /collapse >}}
+
+
+
+### AVD-23 - Ensure a unique OU when deploying VMs to Domain
+
+**Category: Governance**
+
+**Impact: Medium**
+
+**Guidance:**
+Hybrid VMs should be in a unique OU.
+When using AD-joined session hosts will benefit from using a unique OU to target specific AVD configurations per hostpool. Examples include Fslogix, time out limits, session controls, and much more. It’s also important to segment Prod and DR organization units to ensure resources are configured per environment.
+
+**Resources:**
+
+- [Learn More](https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/deploy/virtual-dc/adds-on-azure-vm#configure-the-vms-and-install-active-directory-domain-services)
+
+**Resource Graph Query/Scripts:**
+
+{{< collapse title="Show/Hide Query/Script" >}}
+
+{{< code lang="sql" file="code/avd-23/avd-23.kql" >}} {{< /code >}}
+
+{{< /collapse >}}
+
+
+
+### AVD-24 - Ensure the standard FSLogix configuration is deployed
+
+**Category: Storage**
+
+**Impact: High**
+
+**Guidance:**
+Ensure all session hosts have the standard FSLogix configuration deployed. Regularly validate settings for consistency and alignment with best practices.
+
+**Resources:**
+
+- [Learn More](https://learn.microsoft.com/en-us/fslogix/reference-configuration-settings?tabs=profiles)
+
+**Resource Graph Query/Scripts:**
+
+{{< collapse title="Show/Hide Query/Script" >}}
+
+{{< code lang="sql" file="code/avd-24/avd-24.kql" >}} {{< /code >}}
+
+{{< /collapse >}}
+
+
+
+### AVD-25 - Ensure user permissions are set correctly on SMB shares
+
+**Category: Storage**
+
+**Impact: High**
+
+**Guidance:**
+Verify user permissions are correctly set on SMB shares so that users have appropriate access to only their own profile and not other user profiles, while administrators have full access at the root volume. Also ensure secondary storage path permissions are set in case of a DR event.
+
+**Resources:**
+
+- [Learn More](https://learn.microsoft.com/en-us/fslogix/how-to-configure-storage-permissions)
+
+**Resource Graph Query/Scripts:**
+
+{{< collapse title="Show/Hide Query/Script" >}}
+
+{{< code lang="sql" file="code/avd-25/avd-25.kql" >}} {{< /code >}}
+
+{{< /collapse >}}
+
+
+
+### AVD-26 - Configure Diagnostic Settings for FSLogix logs and enable review for accounts
+
+**Category: Storage**
+
+**Impact: Medium**
+
+**Guidance:**
+Regularly review FSLogix logs for errors and issues related to login and mounting the profile. Events can be reviewed by looking locally inside the Session Host and also in Log Analytics when the Azure Monitor Agent is used.
+
+**Resources:**
+
+- [Learn More](https://learn.microsoft.com/en-us/fslogix/troubleshooting-events-logs-diagnostics)
+
+**Resource Graph Query/Scripts:**
+
+{{< collapse title="Show/Hide Query/Script" >}}
+
+{{< code lang="sql" file="code/avd-26/avd-26.kql" >}} {{< /code >}}
+
+{{< /collapse >}}
+
+
+
+### AVD-27 - Manually update new FSLogix image when available
+
+**Category: Governance**
+
+**Impact: Low**
+
+**Guidance:**
+Ensure a process is in place to regularly check for FSLogix agent upgrades and maintain FSLogix up to date. We recommend customers upgrade to the latest version of FSLogix as quickly as their deployment process can allow. FSLogix will provide hotfix releases which address current and potential bugs that impact customer deployments. Additionally, it is the first requirement when opening any support case.
+
+**Resources:**
+
+- [Learn More](https://learn.microsoft.com/en-us/fslogix/how-to-install-fslogix)
+
+**Resource Graph Query/Scripts:**
+
+{{< collapse title="Show/Hide Query/Script" >}}
+
+{{< code lang="sql" file="code/avd-27/avd-27.kql" >}} {{< /code >}}
+
+{{< /collapse >}}
+
+
+
+### AVD-28 - Turn on Continuous Availability for ANF if using App Attach
+
+**Category: Availability**
+
+**Impact: Medium**
+
+**Guidance**
+
+Turn on Continuous Availability if using Azure Netapp Files.
+
+Verify the number of users connecting to each file share to make sure the SMB path can handle the number of file connections. Currently, Azure Files supports up to 10k handles per root directory.
+
+**Resources**
+
+- [Learn More](https://learn.microsoft.com/en-us/azure/virtual-desktop/app-attach-overview?pivots=msix-app-attach)
+
+**Resource Graph Query/Scripts:**
+
+{{< collapse title="Show/Hide Query/Script" >}}
+
+{{< code lang="sql" file="code/avd-28/avd-28.kql" >}} {{< /code >}}
+
+{{< /collapse >}}
+
+
+
+### AVD-29 - App attach should be placed in separate file share and Disaster recovery plan should include App attach storage
+
+**Category: Storage**
+
+**Impact: Medium**
+
+**Guidance**
+
+App Attach packages should be on a separate share from profiles. And App Attach files should be backed up.
+
+Best practice is to separate App Attach VHD files in a separate file share away from user profiles, both for performance and scalability purposes. Requirements can vary greatly depending on how many packaged applications are stored in an image, and you need to test your applications to understand your requirements.
+
+Your file share should be in the same Azure region as your session hosts.
+
+**Resources**
+
+- [Learn More](https://learn.microsoft.com/en-us/azure/virtual-desktop/app-attach-overview?pivots=msix-app-attach)
+
+**Resource Graph Query/Scripts:**
+
+{{< collapse title="Show/Hide Query/Script" >}}
+
+{{< code lang="sql" file="code/avd-29/avd-29.kql" >}} {{< /code >}}
+
+{{< /collapse >}}
+
+
+
+### AVD-30 - Ensure virtual networks have route tables/route server configured for all regions
+
+**Category: Networking**
+
+**Impact: Medium**
+
+**Guidance**
+
+For high availability connections back to on-premises datacenters should consider backup paths across the regions that have been utilized. Ensure redundancy in routing by having a secondary route table in the secondary region.
+
+**Resources**
+
+- [Learn More](https://learn.microsoft.com/en-us/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering#need-for-redundant-connectivity-solution)
+
+**Resource Graph Query/Scripts:**
+
+{{< collapse title="Show/Hide Query/Script" >}}
+
+{{< code lang="sql" file="code/avd-30/avd-30.kql" >}} {{< /code >}}
+
+{{< /collapse >}}
+
+
+
+### AVD-31 - Ensure virtual networks isolation with separate IP space and NSGs for Prod and DR
+
+**Category: Networking**
+
+**Impact: Medium**
+
+**Guidance**
+
+NSG and ASG per AVD persona and IP space per Prod/DR regions.
+
+It's important your organization plans for IP addressing in Azure. Planning ensures the IP address space doesn't overlap across on-premises locations and Azure regions. Overlapping IP address spaces across on-premises and Azure regions create major contention challenges.
+
+**Resources**
+
+- [Learn More](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing)
+
+**Resource Graph Query/Scripts:**
+
+{{< collapse title="Show/Hide Query/Script" >}}
+
+{{< code lang="sql" file="code/avd-31/avd-31.kql" >}} {{< /code >}}
+
+{{< /collapse >}}
+
+
+
+### AVD-33 - Ensure route tables accommodate failover
+
+**Category: Disaster Recovery**
+
+**Impact: Medium**
+
+**Guidance**
+
+Ensure Route Tables that force tunnel traffic to FW/NVA have failover considerations evaluated and won't fail or trigger next-gen FW protections.
+
+AVD workload teams should collaborate with centralized teams that manage the shared infrastructure, like networking, to ensure that both Production and DR workloads have the appropriate route tables in place for failover of routing to perform as expected.
+
+**Resources**
+
+- [Learn More](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-business-continuity-disaster-recovery)
+
+**Resource Graph Query/Scripts:**
+
+{{< collapse title="Show/Hide Query/Script" >}}
+
+{{< code lang="sql" file="code/avd-33/avd-33.kql" >}} {{< /code >}}
+
+{{< /collapse >}}
+
+
+
+### AVD-34 - Provision Secondary Key Vault for Disaster Recovery
+
+**Category: Disaster Recovery**
+
+**Impact: High**
+
+**Guidance:**
+To ensure continuous availability and disaster recovery readiness, it is recommended to provision a secondary Key Vault in a secondary region. In the event of a primary region failure, this secondary Key Vault will ensure that critical secrets are accessible for use in deployments in the secondary region.
+
+**Resources:**
+
+- [Learn More](https://learn.microsoft.com/en-us/azure/key-vault/general/disaster-recovery-guidance)
+
+**Resource Graph Query/Scripts:**
+
+{{< collapse title="Show/Hide Query/Script" >}}
+
+{{< code lang="sql" file="code/avd-34/avd-34.kql" >}} {{< /code >}}
+
+{{< /collapse >}}
+
+### AVD-35 - Configure AVD Insights Workbook
+
+**Category: Monitoring**
+
+**Impact: High**
+
+**Guidance**
+
+AVD Insights is an Azure Workbook template provided by the AVD product team. It is highly recommended in order to monitor and troubleshoot AVD workloads across metrics, logs, events, and more. Both Production and DR workloads should be enabled with AVD Insights.
+
+**Resources**
+
+- [Learn More](https://learn.microsoft.com/en-us/azure/virtual-desktop/insights?tabs=monitor)
+
+**Resource Graph Query/Scripts:**
+
+{{< collapse title="Show/Hide Query/Script" >}}
+
+{{< code lang="sql" file="code/avd-35/avd-35.kql" >}} {{< /code >}}
+
+{{< /collapse >}}
+
+
+
+### AVD-36 - Ensure separate log analytics workspaces for Prod and DR
+
+**Category: Disaster Recovery**
+
+**Impact: Low**
+
+**Guidance**
+
+Having separate Log Analytics ensures that your DR environment is fully operational for visibility of the metrics, performance, and other auditing tools your workload teams will rely on in the event of an incident.
+
+**Resources**
+
+- [Learn More](https://learn.microsoft.com/en-us/azure/virtual-desktop/diagnostics-log-analytics)
+
+**Resource Graph Query/Scripts:**
+
+{{< collapse title="Show/Hide Query/Script" >}}
+
+{{< code lang="sql" file="code/avd-36/avd-36.kql" >}} {{< /code >}}
+
+{{< /collapse >}}
+
+
+
+### AVD-37 - Organize AVD resources using the AVD Scale unit model described by the AVD Landing Zone Methodology
+
+**Category: Governance**
+
+**Impact: Low**
+
+**Guidance**
+
+Follow AVD Landing Zone best practices using multiple resource groups based on resource type and associated shared resources for AVD workloads.
+
+**Resources**
+
+- [Learn More](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/scenarios/azure-virtual-desktop/enterprise-scale-landing-zone)
+
+**Resource Graph Query/Scripts:**
+
+{{< collapse title="Show/Hide Query/Script" >}}
+
+{{< code lang="sql" file="code/avd-37/avd-37.kql" >}} {{< /code >}}
+
+{{< /collapse >}}
+
+
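Review bot: The added AVD-18 guidance ends with a stray line, `has context menu`, which looks like copy-paste residue and should be deleted. The first AVD-19 guidance sentence also carries a fragment pasted from the AVD-17 text (`support to adjust limits based on your business requirements. To handle a large number of users, consider scaling horizontally by creating multiple host pools.`); the sentence should end after `causes an issue.`, as it does in AVD-21. The AVD-22 `Learn More` link points to the same `scheduled-agent-updates` page as AVD-20, which does not appear to match a Site Recovery/Backup recommendation and should be replaced with the relevant Azure Site Recovery or Azure Backup page. The headings also jump from AVD-11 to AVD-13 and from AVD-31 to AVD-33, although the commit adds `code/avd-12/avd-12.kql` and `code/avd-32/avd-32.kql`. Either those two sections are missing from this file or the query files are orphaned.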
diff --git a/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-11/avd-11.kql b/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-11/avd-11.kql
new file mode 100644
index 000000000..614a7f9ca
--- /dev/null
+++ b/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-11/avd-11.kql
@@ -0,0 +1 @@
+// under-development
diff --git a/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-12/avd-12.kql b/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-12/avd-12.kql
new file mode 100644
index 000000000..614a7f9ca
--- /dev/null
+++ b/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-12/avd-12.kql
@@ -0,0 +1 @@
+// under-development
diff --git a/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-13/avd-13.kql b/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-13/avd-13.kql
new file mode 100644
index 000000000..614a7f9ca
--- /dev/null
+++ b/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-13/avd-13.kql
@@ -0,0 +1 @@
+// under-development
diff --git a/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-14/avd-14.kql b/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-14/avd-14.kql
new file mode 100644
index 000000000..614a7f9ca
--- /dev/null
+++ b/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-14/avd-14.kql
@@ -0,0 +1 @@
+// under-development
diff --git a/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-15/avd-15.kql b/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-15/avd-15.kql
new file mode 100644
index 000000000..fa5cad258
--- /dev/null
+++ b/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-15/avd-15.kql
@@ -0,0 +1 @@
+// cannot-be-validated-with-arg
diff --git a/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-16/avd-16.kql b/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-16/avd-16.kql
new file mode 100644
index 000000000..614a7f9ca
--- /dev/null
+++ b/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-16/avd-16.kql
@@ -0,0 +1 @@
+// under-development
diff --git a/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-17/avd-17.kql b/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-17/avd-17.kql
new file mode 100644
index 000000000..614a7f9ca
--- /dev/null
+++ b/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-17/avd-17.kql
@@ -0,0 +1 @@
+// under-development
diff --git a/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-18/avd-18.kql b/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-18/avd-18.kql
new file mode 100644
index 000000000..614a7f9ca
--- /dev/null
+++ b/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-18/avd-18.kql
@@ -0,0 +1 @@
+// under-development
diff --git a/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-19/avd-19.kql b/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-19/avd-19.kql
new file mode 100644
index 000000000..614a7f9ca
--- /dev/null
+++ b/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-19/avd-19.kql
@@ -0,0 +1 @@
+// under-development
diff --git a/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-2/avd-2.kql b/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-2/avd-2.kql
index 614a7f9ca..fa5cad258 100644
--- a/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-2/avd-2.kql
+++ b/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-2/avd-2.kql
@@ -1 +1 @@
-// under-development
+// cannot-be-validated-with-arg
diff --git a/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-20/avd-20.kql b/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-20/avd-20.kql
new file mode 100644
index 000000000..614a7f9ca
--- /dev/null
+++ b/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-20/avd-20.kql
@@ -0,0 +1 @@
+// under-development
diff --git a/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-21/avd-21.kql b/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-21/avd-21.kql
new file mode 100644
index 000000000..614a7f9ca
--- /dev/null
+++ b/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-21/avd-21.kql
@@ -0,0 +1 @@
+// under-development
diff --git a/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-22/avd-22.kql b/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-22/avd-22.kql
new file mode 100644
index 000000000..614a7f9ca
--- /dev/null
+++ b/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-22/avd-22.kql
@@ -0,0 +1 @@
+// under-development
diff --git a/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-23/avd-23.kql b/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-23/avd-23.kql
new file mode 100644
index 000000000..614a7f9ca
--- /dev/null
+++ b/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-23/avd-23.kql
@@ -0,0 +1 @@
+// under-development
diff --git a/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-24/avd-24.kql b/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-24/avd-24.kql
new file mode 100644
index 000000000..fa5cad258
--- /dev/null
+++ b/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-24/avd-24.kql
@@ -0,0 +1 @@
+// cannot-be-validated-with-arg
diff --git a/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-25/avd-25.kql b/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-25/avd-25.kql
new file mode 100644
index 000000000..fa5cad258
--- /dev/null
+++ b/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-25/avd-25.kql
@@ -0,0 +1 @@
+// cannot-be-validated-with-arg
diff --git a/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-26/avd-26.kql b/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-26/avd-26.kql
new file mode 100644
index 000000000..614a7f9ca
--- /dev/null
+++ b/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-26/avd-26.kql
@@ -0,0 +1 @@
+// under-development
diff --git a/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-27/avd-27.kql b/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-27/avd-27.kql
new file mode 100644
index 000000000..614a7f9ca
--- /dev/null
+++ b/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-27/avd-27.kql
@@ -0,0 +1 @@
+// under-development
diff --git a/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-28/avd-28.kql b/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-28/avd-28.kql
new file mode 100644
index 000000000..614a7f9ca
--- /dev/null
+++ b/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-28/avd-28.kql
@@ -0,0 +1 @@
+// under-development
diff --git a/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-29/avd-29.kql b/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-29/avd-29.kql
new file mode 100644
index 000000000..614a7f9ca
--- /dev/null
+++ b/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-29/avd-29.kql
@@ -0,0 +1 @@
+// under-development
diff --git a/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-30/avd-30.kql b/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-30/avd-30.kql
new file mode 100644
index 000000000..614a7f9ca
--- /dev/null
+++ b/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-30/avd-30.kql
@@ -0,0 +1 @@
+// under-development
diff --git a/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-31/avd-31.kql b/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-31/avd-31.kql
new file mode 100644
index 000000000..614a7f9ca
--- /dev/null
+++ b/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-31/avd-31.kql
@@ -0,0 +1 @@
+// under-development
diff --git a/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-32/avd-32.kql b/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-32/avd-32.kql
new file mode 100644
index 000000000..614a7f9ca
--- /dev/null
+++ b/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-32/avd-32.kql
@@ -0,0 +1 @@
+// under-development
diff --git a/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-33/avd-33.kql b/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-33/avd-33.kql
new file mode 100644
index 000000000..614a7f9ca
--- /dev/null
+++ b/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-33/avd-33.kql
@@ -0,0 +1 @@
+// under-development
diff --git a/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-34/avd-34.kql b/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-34/avd-34.kql
new file mode 100644
index 000000000..fa5cad258
--- /dev/null
+++ b/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-34/avd-34.kql
@@ -0,0 +1 @@
+// cannot-be-validated-with-arg
diff --git a/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-35/avd-35.kql b/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-35/avd-35.kql
new file mode 100644
index 000000000..fa5cad258
--- /dev/null
+++ b/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-35/avd-35.kql
@@ -0,0 +1 @@
+// cannot-be-validated-with-arg
diff --git a/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-36/avd-36.kql b/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-36/avd-36.kql
new file mode 100644
index 000000000..fa5cad258
--- /dev/null
+++ b/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-36/avd-36.kql
@@ -0,0 +1 @@
+// cannot-be-validated-with-arg
diff --git a/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-37/avd-37.kql b/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-37/avd-37.kql
new file mode 100644
index 000000000..fa5cad258
--- /dev/null
+++ b/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-37/avd-37.kql
@@ -0,0 +1 @@
+// cannot-be-validated-with-arg
diff --git a/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-9/avd-9.kql b/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-9/avd-9.kql
index 614a7f9ca..fa5cad258 100644
--- a/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-9/avd-9.kql
+++ b/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-9/avd-9.kql
@@ -1 +1 @@
-// under-development
+// cannot-be-validated-with-arg
diff --git a/docs/content/services/storage/azure-netapp-files/_index.md b/docs/content/services/storage/azure-netapp-files/_index.md
index 443f40120..23c2ba11c 100644
--- a/docs/content/services/storage/azure-netapp-files/_index.md
+++ b/docs/content/services/storage/azure-netapp-files/_index.md
@@ -174,7 +174,7 @@ Note: A volume can be replicated via cross-zone replication (CZR) or cross-regio
**Resources**
-- [Cross-zone replication of Azure NetApp Files volumes | Microsoft Learn](https://learn.microsoft.com/azure/azure-netapp-files/cross-region-replication-introduction)
+- [Cross-region replication of Azure NetApp Files volumes | Microsoft Learn](https://learn.microsoft.com/azure/azure-netapp-files/cross-region-replication-introduction)
**Resource Graph Query**
diff --git a/docs/content/services/storage/azure-netapp-files/code/anf-6/anf-6.kql b/docs/content/services/storage/azure-netapp-files/code/anf-6/anf-6.kql
index d0fe698c0..02fc86b4c 100644
--- a/docs/content/services/storage/azure-netapp-files/code/anf-6/anf-6.kql
+++ b/docs/content/services/storage/azure-netapp-files/code/anf-6/anf-6.kql
@@ -1,10 +1,8 @@
// This Resource Graph query will return all Azure NetApp Files volumes without cross-region replication.
resources
-| where type =~ "microsoft.netapp/netappaccounts/capacitypools/volumes"
-| extend NetAC0 = tostring(split(name,'/')[0])
-| join kind=leftouter (resources
- | where type =~ "microsoft.netapp/netappaccounts/capacitypools/volumes"
- | extend NetAC1 = tostring(split(name,'/')[0])
- | project id,NetAC1,remid=tostring(properties.dataProtection.replication.remoteVolumeResourceId)) on $left.id == $right.remid
-| where properties.volumeType != 'DataProtection' and NetAC0 == NetAC1
+| where type == "microsoft.netapp/netappaccounts/capacitypools/volumes"
+| extend remoteVolumeRegion = properties.dataProtection.replication.remoteVolumeRegion
+| extend volumeType = properties.volumeType
+| extend replicationType = iff((remoteVolumeRegion == location), "CZR", iff((remoteVolumeRegion == ""),"n/a","CRR"))
+| where replicationType != "CRR" and volumeType != "DataProtection"
| project recommendationId = "ANF-6", name, id, tags
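Review bot: The `replicationType` expression compares the dynamic `remoteVolumeRegion` property against strings without a cast. On a volume with no `dataProtection.replication` block the value is null, so `remoteVolumeRegion == ""` may not evaluate to true. The inner `iff` would then fall through to `"CRR"`, and `where replicationType != "CRR"` would drop the unreplicated volumes this check is meant to report. Casting removes the ambiguity: `| extend remoteVolumeRegion = tostring(properties.dataProtection.replication.remoteVolumeRegion)` together with `iff(isempty(remoteVolumeRegion), "n/a", "CRR")`; comparing to `location` with `=~` would also guard against a casing difference, if one exists. The same expression is added in anf-7.kql and should get the same cast.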
diff --git a/docs/content/services/storage/azure-netapp-files/code/anf-7/anf-7.kql b/docs/content/services/storage/azure-netapp-files/code/anf-7/anf-7.kql
index eb50b5c5d..d49eae313 100644
--- a/docs/content/services/storage/azure-netapp-files/code/anf-7/anf-7.kql
+++ b/docs/content/services/storage/azure-netapp-files/code/anf-7/anf-7.kql
@@ -1,10 +1,8 @@
// This Resource Graph query will return all Azure NetApp Files volumes without cross-zone replication.
resources
-| where type =~ "microsoft.netapp/netappaccounts/capacitypools/volumes"
-| extend NetAC0 = tostring(split(name,'/')[0])
-| join kind=leftouter (resources
- | where type =~ "microsoft.netapp/netappaccounts/capacitypools/volumes"
- | extend NetAC1 = tostring(split(name,'/')[0])
- | project id,NetAC1,remid=tostring(properties.dataProtection.replication.remoteVolumeResourceId)) on $left.id == $right.remid
-| where properties.volumeType != 'DataProtection' and NetAC0 != NetAC1
+| where type == "microsoft.netapp/netappaccounts/capacitypools/volumes"
+| extend remoteVolumeRegion = properties.dataProtection.replication.remoteVolumeRegion
+| extend volumeType = properties.volumeType
+| extend replicationType = iff((remoteVolumeRegion == location), "CZR", iff((remoteVolumeRegion == ""),"n/a","CRR"))
+| where replicationType != "CZR" and volumeType != "DataProtection"
| project recommendationId = "ANF-7", name, id, tags
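Review bot: Nothing in this query documents how cross-zone replication is recognised, although the header comment promises "volumes without cross-zone replication". The `replicationType` line infers CZR only from the remote volume's region being equal to the volume's own `location`, and the final filter `replicationType != "CZR"` therefore also returns volumes that are protected by cross-region replication. I would state both facts in a comment above the `extend replicationType` line, for example `// CZR = remote volume in the same region as this volume; any other non-empty remote region = CRR; empty = not replicated` and `// Volumes that only have CRR are still reported here.`, so that a reader of the results does not take a hit as "no replication at all".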