Demystifying RDP Shortpath in Azure Virtual Desktop
What It Is, How It Works, and Why You Should Enable It
When deploying Azure Virtual Desktop (AVD), many organizations focus on the basics: host pools, user assignments, and session host sizing. However, performance optimization is just as important, especially for latency-sensitive workloads like Microsoft Teams or remote support tools.
This is where RDP Shortpath becomes essential. It improves connection quality and responsiveness by allowing a more direct communication path between the AVD client and the session host. In this article, we explore what RDP Shortpath is, how it works, and how to configure it properly based on Microsoft’s latest guidance.
What Is RDP Shortpath?
In a standard AVD connection, user traffic flows through the Microsoft-managed Remote Desktop Gateway. While this model is secure and highly available, it can introduce additional latency and impact session responsiveness.
RDP Shortpath is a transport optimization feature that allows the client to establish a direct UDP connection with the session host. This direct path improves latency, reduces jitter, and enhances the overall user experience. Authentication and authorization still occur via Azure; only the media traffic takes a more efficient route.
Types of RDP Shortpath
Microsoft offers two options for RDP Shortpath, each serving a different scenario:
| Shortpath Type | Description | Recommended For |
| Private Network (Managed) | Uses internal IP addresses over VPN, ExpressRoute, or LAN | Hybrid or enterprise networks |
| Public Network | Uses public IP addresses of session hosts to establish direct internet-based connections | Work-from-home or remote users without VPN |
Private Shortpath is commonly used in enterprise environments where secure network routes are already in place. Public Shortpath is now generally available and ideal for enabling better performance for users working remotely without requiring VPN access.
How It Works
- The AVD client initiates a connection and authenticates with the AVD broker.
- The session host is assigned, and a session is launched.
- If Shortpath is enabled and configured correctly, the client attempts a direct UDP connection to the session host on port 3390.
- If the direct connection succeeds, media traffic flows through this path. If not, the client automatically falls back to the default gateway-based connection.
This approach ensures reliability while optimizing performance when possible.
Prerequisites and Configuration
Correct configuration is required on the host pool, session hosts, and client devices. Below are the steps to enable both public and private Shortpath options.
1. Enable Shortpath in the Host Pool
In the Azure portal:
- Navigate to Azure Virtual Desktop > Host Pools
- Select the host pool and edit the RDP Properties
- Under the Networking tab, enable one or both of the following options:
- RDP Shortpath for managed networks
- RDP Shortpath for public networks
Saving this setting signals that your environment is prepared to support optimized transport paths.
2. Session Host Configuration
For Private Network Shortpath:
- Ensure UDP port 3390 is open inbound on the session host’s network interface.
- Network Security Groups (NSGs), firewalls, or other appliances must allow inbound and outbound UDP 3390.
- Clients must be able to connect to the session host’s private IP address, typically over ExpressRoute, site-to-site VPN, or LAN.
- DNS resolution may be required depending on how session hosts are accessed (e.g., via hostname or IP).
For Public Network Shortpath:
To enable Shortpath over the public internet, additional configuration is required.
1. Assign a Static Public IP
- Each session host must be accessible via a public IP address, either directly or through an Azure Load Balancer with NAT rules forwarding UDP 3390 to each host.
2. Create Public DNS Records
- Create a public A record for each session host that resolves to its assigned public IP.
Example:
| Hostname | Public IP |
| avd-host01.domain.com | 102.133.45.11 |
| avd-host02.domain.com | 102.133.45.12 |
- These DNS records must exist in a public DNS zone and be resolvable from client devices on the internet.
3. Configure Registry Key on Session Host
- Each session host must advertise its public FQDN to the AVD broker. Add this registry entry:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RDInfraAgent]
“ShortpathPublicNetworkFQDN”=”avd-host01.domain.com”
- Replace the value with the fully qualified domain name (FQDN) matching the public DNS record.
4. Open Firewall and NAT
- Ensure UDP port 3390 is open inbound at all layers:
- Azure NSGs
- Azure Firewall or third-party appliances
- Windows Defender Firewall
- If using a NAT or Load Balancer, make sure it forwards UDP 3390 traffic correctly to the intended session host and preserves session affinity.
3. Configure the Client
Only the Windows Desktop client supports RDP Shortpath. The web and mobile clients do not.
You must enable the following setting using Group Policy or Microsoft Intune.
Group Policy:
- Path:
Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Connection Client - Policy:
Turn on RDP Shortpath for managed networks - Set to: Enabled
Microsoft Intune:
- Create a Configuration Profile using the Settings Catalog
- Search for and enable: Turn on RDP Shortpath for managed networks
Verifying RDP Shortpath Is Working
You can confirm whether a session is using Shortpath through the following methods:
From the AVD Client:
- While in an active session, click the connection information icon.
- Look for the line:
Transport: UDP Shortpath
Using Event Viewer:
- On the client device, open:
Applications and Services Logs > Microsoft > Windows > RemoteDesktopServices-RdpCoreTS > Operational - Look for Event ID 131, which confirms that a Shortpath session is in use.
With Log Analytics:
- Enable diagnostics for the host pool and session hosts to send data to Log Analytics.
- Use queries to track the number of sessions using Shortpath vs Gateway transport.
Comparison Table: Public vs Private Shortpath
| Feature | Private Network Shortpath | Public Network Shortpath |
| IP Type | Private | Public |
| Routing | Internal network | Internet via NAT or direct |
| Use Case | Hybrid, VPN, LAN | Remote users without VPN |
| DNS Requirements | Internal DNS | Public DNS (A records) |
| Network Dependencies | ExpressRoute or VPN | Public IP, NAT, registry key |
Common Issues and Solutions
| Issue | Possible Cause | Resolution |
| Session uses Gateway instead | Host pool setting not enabled | Enable Shortpath in RDP Properties |
| UDP traffic blocked | NSG, firewall, or Windows Firewall | Allow inbound and outbound UDP 3390 |
| Public Shortpath not working | No public IP or DNS misconfiguration | Assign public IP, create DNS record, set registry key |
| Client not using Shortpath | Policy not applied | Apply GPO or Intune setting |
| “Unknown transport” displayed | Using web or mobile client | Use Windows Desktop client only |
Why RDP Shortpath Matters
RDP Shortpath plays a critical role in optimizing performance and reliability in Azure Virtual Desktop. By reducing latency and avoiding the default relay through Microsoft’s RD Gateway, Shortpath enables smoother session experiences, particularly during video conferencing, voice calls, and remote assistance.
In hybrid environments and modern work-from-anywhere models, enabling both private and public Shortpath ensures that users benefit from the most efficient path available—regardless of their location.
Final words
Enabling RDP Shortpath is no longer optional for organizations prioritizing performance in their Azure Virtual Desktop environments. With support for both private and public scenarios, and wide availability via the Windows Desktop client, Shortpath should be considered part of every AVD deployment’s baseline configuration.
It is crucial to follow Microsoft’s documented prerequisites thoroughly. A single overlooked setting—such as a missing registry key or blocked UDP port—can cause connections to revert to gateway mode without warning.
Take the time to implement and validate Shortpath correctly. The improvements in responsiveness and user satisfaction are significant.
If you’d like assistance performing an audit of your current AVD setup or implementing Shortpath across your environment, feel free to reach out.
About the Author
Shaun Hardneck is a Microsoft Cloud Security Specialist and the voice behind ThatLazyAdmin.com. With deep hands-on experience across Microsoft 365, Azure Virtual Desktop, Defender, and Entra ID, Shaun works with organizations to architect secure, high-performing environments that scale. He shares insights grounded in real-world implementations—cutting through the noise to deliver practical guidance that actually works in the field.
