![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(51.2, 81%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAV%3C/text%3E%3C/svg%3E)
Azure Virtual Desktop
A Microsoft desktop and app virtualization service that runs on Azure. Previously known as Windows Virtual Desktop.
The restrictions on visiting websites and installing software in Azure Virtual Desktop are enforced by your organization’s policies. These are not issues that can be fixed locally on the AVD session because:
- Web access is typically controlled by Group Policy, proxy settings, or secure internet access profiles set by your IT/security team.
- Software installation (including Azure VPN) is blocked by Software Restriction Policies, AppLocker, or lack of local administrator rights, all of which are centrally managed.
The only effective next step is to involve the administrators who manage the AVD environment and your account. Provide them with:
- The exact sites that must be accessible (for example, your clients’ official portals).
- The exact software that must be installed (for example, Azure VPN client) and why it is required for work.
- Screenshots or text of any “blocked” or “not compliant” messages.
Administrators can then:
- Adjust web access controls
- If they use a URL lock/proxy or secure internet access baseline, they must add your required sites to the allowed list or exceptions. For example, a restrictive “deny all outbound except selected services” configuration must be extended to include your clients’ official sites so they are reachable from AVD.
- If they use Group Policy–based proxy restrictions, they can modify the proxy/exception list in the GPO so that the required domains are reachable from your AVD sessions.
- Adjust software execution/installation controls
- If Software Restriction Policies are blocking installers or applications, they must create rules that allow the Azure VPN installer and client to run. SRP is designed to “allow only identified applications to run,” so only an administrator can change those rules.
- If AppLocker rules or other application control are in place, they must add allow rules for the Azure VPN client.
- If the problem is missing local administrator rights, they must either perform the installation for you or temporarily use an account with full administrator rights to install the VPN software.
- Confirm device/account compliance
- If conditional access or compliance policies are in use, they may require that the AVD session or your device meet certain conditions before accessing external resources. Only the admin can review and adjust those policies.
Because the Local Group Policy Editor shows no rights, there is no supported way to bypass or override these restrictions from within the AVD session. The required changes are all on the admin side (Group Policy, Intune/Endpoint Manager, network security, or Entra/conditional access).
Provide this explanation to the IT or AVD admin team and request that they:
- Whitelist the necessary client and vendor sites in their web filtering/proxy or secure internet access configuration.
- Allow installation and execution of the Azure VPN client via SRP/AppLocker or install it for you using an admin account.
- Verify that any compliance or conditional access policies are not unnecessarily blocking your work scenario.
References: