Azure Virtual Desktop, formerly known as Windows Virtual Desktop, is a managed virtual desktop service that includes many security capabilities for keeping your organisation safe. When compared to traditional desktops the capabilities are vast and can be greatly beneficial to your business. In this article we give you some of the security advantages that come with Azure Virtual Desktop vs traditional desktops.
Microsoft security benefits
When you have Microsoft security on your side you are in a particularly good position for securing your data. With over 3500 cybersecurity experts working 24/7 to ensure all workloads hosted on the Azure cloud stay secure, you can at least have peace of mind that all the necessary steps are being taken to prevent attacks. Plus, as Azure Virtual Desktop is hosted on Azure, everything within the Azure environment is automatically encrypted and has sophisticated detection methods to keep cybercriminals at bay.
Along with the Microsoft security benefits, you also have infrastructure security benefits, starting with centralised management. IT admins have centralised control over the configuration, security policies, and updates for all virtual desktops from the Azure portal. This makes it easier to enforce security consistently across an organisation.
Updates and patch management – With AVD it is simple to update all Virtual Machines (VMs) at the same time, ensuring every computer within the organisation is patched and secure. These updates can also be run outside of office hours so that downtime is minimised.
Disaster Recovery – Using Virtual Desktop Infrastructure (VDI) makes recovery more efficient. A golden image allows you to revert a VM to a known-good state from before it was infected with malicious software. This simplifies disaster recovery and ensures business continuity, regardless of where employees are working. Users’ data can also be backed up and replicated across multiple regions.
Isolation – Each virtual desktop runs isolated in the cloud. This separation makes it harder for malware or an attack that compromises one virtual desktop to spread to others through lateral movement. Controls can also be put in place to prevent users from copying data between physical and virtual devices.
Scalability – If there is a security threat, it is easy to scale the number of available desktops up or down. This makes it harder for an attack to impact a large number of systems.
Intelligent defences – With Azure Virtual Desktop it is possible to identify threats using real-time cybersecurity intelligence. The Microsoft Intelligent Security Graph gives actionable insights based on machine learning, behavioural analytics, and application-based intelligence. This improves a business’s security posture, as usage is constantly monitored to discover anomalies before it is too late.
Keeping your data secure should be high on your list of priorities. Luckily, with AVD there are several options for keeping your data secure:
Isolated from physical devices – Sensitive data and files are stored securely in the cloud rather than on user devices. This isolates data from endpoints which reduces loss risks if a local device is compromised or lost/stolen.
Disaster Recovery – Azure Virtual Desktop provides business continuity and disaster recovery capabilities by centrally storing customer data within Azure. This data can be easily backed up and restored if needed. The Azure Virtual Desktop service itself is resilient against outages with geo-redundant storage replication and availability zones. Together, these enable quick recovery of user data in the event of a disaster or disruption.
Compliance – Data compliance requirements can be met by storing data securely with encryption and using Azure Policy to ensure data resides within approved geographical regions. AVD inherits Microsoft Azure’s broad range of certifications, such as ISO, Cyber Essentials Plus, G-Cloud and SOC.
Watermarking – Alongside screen capture protection, virtual desktop watermarking can tag each desktop instance with user and session information to discourage leaks.
Integration with Microsoft Cloud App Security – Azure Virtual Desktop integrates with third-party data loss prevention (DLP) solutions like Microsoft Cloud App Security to identify and secure sensitive data. By tying into Microsoft’s built-in security stack, additional monitoring, analytics, and access controls can be implemented to further strengthen data protection. The integration between Azure Virtual Desktop and tools like Cloud App Security enables layered safeguards to be applied against data leakage or loss in the virtual environment.
Identity and access management
Expanding on cloud security, organisations can take advantage of Azure Virtual Desktop’s tight integration with Microsoft Entra, Microsoft’s identity and access management stack, to securely manage VDI users, enforce adaptive access controls, and monitor for risks – enabling secure, simple centralised management.
This stack includes:
Identity Management – Entra integrates with existing locally hosted Active Directory or Entra ID environments, providing a single pane of glass for admins to control user access and permissions through one unified interface.
Conditional Access – Conditional Access rules can be set to allow or deny access to virtual desktops based on factors like user identity, device, location, etc. This limits exposure in the case of stolen credentials.
Multi-factor Authentication – AVD supports Multi-Factor Authentication for additional identity and access security when users log in to their desktops and when they access sensitive data and apps.
Role Based Access Controls – Entra can assign users granular roles that limit access to specific VDI resources. This prevents over-entitlement.
Session Policies – Idle timeout, disconnected timeout and maximum session duration limits can be configured to prevent indefinite access to AVD desktops.
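The session limits described above can be set and audited on a session host with the Remote Desktop Services policy registry values that the corresponding Group Policy settings write. The script below is an added example, not code from the original post or from Microsoft; the limit values are assumptions to adjust to your own policy.

```powershell
# Added example: configure and audit AVD session time limits on a session host.
# The registry path and value names are those written by the Group Policy
# settings "Set time limit for active but idle / disconnected / active
# Remote Desktop Services sessions". Values are in milliseconds; 0 means
# "never", which the audit treats as non-compliant.
$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Assumed example limits: 15 min idle, 5 min disconnected, 8 h maximum session.
$Limits = @{
    MaxIdleTime          = 15 * 60 * 1000
    MaxDisconnectionTime = 5  * 60 * 1000
    MaxConnectionTime    = 8  * 60 * 60 * 1000
}

function Set-AvdSessionLimits {
    param([hashtable]$Values = $Limits)
    if (-not (Test-Path $PolicyPath)) { New-Item -Path $PolicyPath -Force | Out-Null }
    foreach ($name in $Values.Keys) {
        New-ItemProperty -Path $PolicyPath -Name $name -PropertyType DWord `
            -Value $Values[$name] -Force | Out-Null
    }
    # End the session (rather than only disconnect it) when a limit is reached
    New-ItemProperty -Path $PolicyPath -Name 'fResetBroken' -PropertyType DWord `
        -Value 1 -Force | Out-Null
}

function Test-AvdSessionLimits {
    # Emits one row per limit so results can be collected across many hosts
    foreach ($name in $Limits.Keys) {
        $current = (Get-ItemProperty -Path $PolicyPath -Name $name `
            -ErrorAction SilentlyContinue).$name
        [pscustomobject]@{
            Setting   = $name
            Minutes   = if ($current) { $current / 60000 } else { $null }
            Compliant = ($current -gt 0) -and ($current -le $Limits[$name])
        }
    }
}

Set-AvdSessionLimits
Test-AvdSessionLimits | Format-Table -AutoSize
```

Run it from an elevated PowerShell session on each session host, or deliver the same values through Group Policy or Intune and keep only the audit function for drift checks.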
Operating system management
So far, we have covered infrastructure security, data security and identity and access management. There are also security measures in place for your operating system which we will detail below.
Windows Firewall – Allow-lists only approved inbound and outbound connections to the VMs hosting AVD workloads.
Group Policy – Integrates with on-premises Group Policy management, so Group Policy Objects can be used to lock down desktop environments within AVD.
Endpoint Manager (formerly Intune) – Integrates with Endpoint Manager for software and policy management.
Configuration Management – Can utilise Azure configuration management to analyse and detect configuration drift on your session hosts.
At Bridgeall we are virtualisation experts and have a strong track record helping organisations with Azure Virtual Desktop. Whether you’re looking to start your journey with Azure Virtual Desktop or are an existing user, we can help you get the most out of the solution. Contact us for an Azure Virtual Desktop briefing where we discuss your individual requirements to ensure the best fit solution to meet your needs. You can also download our guide which explains more about the service.